7

Hello all!

I'm wondering what folks who are more involved with infosec and have their fingers on the pulse are thinking for best devices and practices at this time.

From my perspective, modern computing has made MFA a requirement for pretty much everything. I'm not a fan of app-based as it is too fragile and increases possible attack surface.

When it comes to HW keys, I see a few factors:

  • Physical manufacturing location/supply chain
  • Source code access
  • Third-party certification

The first one is fairly straightforward - do you have trust in the place of manufacturer and the components used? Or, is there some other philosophical reason (ex. labor conditions)?

The second and third are a bit less clear. It seems to me that the more open the source, the more auditable and verifiable, however, this seems to be inversely related to the chance that a device is certified by the FIDO Alliance. I'm not sure if this is due to it being a commercial working group or costs involved being more likely to be prohibitive for OSS/OSHW projects. Any other certifications recommended?

While I would rather the verifiability of open-source, it seems like Yubico's offerings might be winning out in the other categories for the price. Any thoughts?

you are viewing a single comment's thread
view the rest of the comments
[-] silent_water@hexbear.net 2 points 1 year ago

nitrokey -- they're open source and mostly support the new FIDO standards at this point.

this post was submitted on 18 Aug 2023
7 points (100.0% liked)

cybersecurity

3231 readers
1 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Enjoy!

founded 1 year ago
MODERATORS