  • by jwr on 9/15/2023, 7:10:54 AM

    The excellent guide by drduh should be mentioned here: https://github.com/drduh/YubiKey-Guide — I've been using this approach for years to store my OpenPGP keys on Yubikeys and use them for SSH.

    I don't generate my keys on devices. That lets me be flexible and keep backups, as well as use the same keys on multiple physical devices. Using a single yubikey is a bad idea, as you're bound to eventually lose it or break it. Hasn't happened to me yet in 5 years, but I expect it to happen.

    I wish more sites supported hardware keys instead of only TOTP tokens, or (heaven forbid, but corporate idiocy is plentiful) SMS.

  • by XorNot on 9/14/2023, 10:30:31 PM

    I feel like leaving the "backing up" section of this till last is burying an important part of realistic threat analysis here: i.e. the risk of losing access to data from losing, accidentally destroying, or a malfunction of your Yubikey is substantially higher than the risk of compromise.

    If you set all this up, then it would be an expected outcome that the most likely thing you'll be doing is needing to recover from a disaster, not prevent a compromise.

  • by jawns on 9/15/2023, 12:57:23 AM

    I was gifted a Yubikey about a month ago, and I planned to use it as 2FA instead of having to open up Google Authenticator 10-20 times a day and copy 6-digit codes.

    It took a little effort to set up, but now it's working as intended. And I didn't realize it, but every time I had to pull out my phone and enter one of those stupid 6-digit codes, I was grinding my teeth! It was just such an annoying little chore. My mouth feels so much more relaxed now that I just tap the little button on the Yubikey.

    I also set up the long-press functionality to store a static password, and that has been the cherry on top.

  • by moreentropy on 9/15/2023, 10:16:37 AM

    I would consider PIV and SSH through PIV/OpenPGP legacy and undesired nowadays. If you're only interested in state of the art second factor instead of passwords for sensitive use cases, a simple FIDO2 security key w/o all the extra features on a yubikey 5 is enough.

    You can solve most of those with only FIDO2 nowadays:

    Webauthn with fido/u2f is supported on most websites and oidc providers.

    SSH with FIDO and resident / non-resident keys is supported.

    PAM -> as documented in the guide, although setting origin and type manually isn't necessary and you can save keys in ~/.config/Yubico so non-root users can manage their keys. I would recommend enabling PIN verification with pamu2fcfg --pin-verification.

    LUKS hard disk encryption with FIDO2 for unlocking isn't covered but is possible, systemd-cryptenroll can set this up on modern linux distributions.
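
Added example, not part of the comment above or of the guide under discussion: when moving SSH to FIDO-backed keys as described there, a quick check is to list the `authorized_keys` entries that are still plain software keys. OpenSSH gives FIDO-backed public keys an `sk-` key type; the function names, sample file contents and key blobs below are constructed for illustration.

```shell
#!/bin/sh
# Print "<line-number> <key-type>" for every authorized_keys entry in $1
# that is NOT a FIDO-backed ("sk-") key. Entries whose key type cannot be
# identified are reported as "unparsed" so they get a manual look.
non_fido_keys() {
    awk '
        /^[ \t]*#/ { next }     # comment line
        NF == 0    { next }     # blank line
        {
            type = ""
            # The key type is the first field naming a known algorithm;
            # anything before it is the options list (from="...", etc.).
            # Simplification: options containing spaces are not parsed.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(sk-)?(ssh-(ed25519|rsa|dss)|ecdsa-sha2-nistp(256|384|521))(@openssh\.com)?$/) {
                    type = $i
                    break
                }
            }
            if (type == "") { print NR, "unparsed"; next }
            if (type !~ /^sk-/) print NR, type
        }
    ' "$1"
}

# Constructed sample input; the key blobs are placeholders, not real keys.
write_sample() {
    printf '%s\n' \
        '# laptop, FIDO2 key' \
        'sk-ssh-ed25519@openssh.com AAAAPLACEHOLDER1 alice@laptop' \
        'sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDER2 alice@backup' \
        'from="10.0.0.0/8",no-agent-forwarding ssh-rsa AAAAPLACEHOLDER3 deploy@ci' \
        '' \
        'ssh-ed25519 AAAAPLACEHOLDER4 alice@old-desktop' > "$1"
}

# Demo run on the constructed sample.
demo_file=$(mktemp)
write_sample "$demo_file"
non_fido_keys "$demo_file"
rm -f "$demo_file"
```

An empty result means every entry in the file is an `sk-` key; any line it prints is a key that can still be copied off a disk.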

  • by sneak on 9/15/2023, 2:57:04 AM

    The author's idea that writing down your unlock codes and PINs on paper is an acceptable/reasonable backup system is, I think, a bit wishful, and quite impractical for most people.

    I recommend getting 5 Yubikeys, generating unique PGP keys on all of them, then storing two offsite in different locations, such as your vacation home or safe deposit box or office. Three are for your keychain and one each for your desktop and laptop or two laptops.

    Then, PGP encrypt your text file with all of these details to all five keys.

    I have two Yubikeys (a primary and a backup) in each of two safe deposit boxes in different states (4 total), one on my keychain, and one nano in each of my 5 computers. I encrypt my long term data to 10 recipient keys.

  • by mixmastamyk on 9/14/2023, 10:43:04 PM

    Neat, but this is too hard I think. Have used a key with websites and that is doable for a regular (or busy) person. The rest of this should be done by the OS, through a wizard, at install time and/or later. Maybe a control panel app.

  • by 1letterunixname on 9/15/2023, 4:09:09 PM

    Nits:

    - Model: Ideal device is 5C.

    - GPG: S key should not also be C. The point is the C key should be the root of S, E, and A so they can be expired, revoked, and rolled individually.

    - NFC: Disable it or don't buy it. It's a wide attack surface. USB-C works with iPads and Android devices, iPhones <= 14 with an adapter, and iPhone >= 15.

    - Backup & recovery: Contrary to YK doc, there are too many issues with multiple card-generated YK secrets and identifiers for practical use. Create an identical device (apart from card no) with a 2nd YK kept offsite in secure physical storage by loading secrets to both rather than generating them on-card. It's possible to do so securely on a trusted machine (say running Tails or Qubes OS on a physical new machine without internet).

    - Reset PIN: It's foolish to not create one.

    - FIDO2: Set up your own (deprecated but still works) private, firewalled behind NAT server from https://developers.yubico.com/u2fval/

    - Linux and Mac workstations: Set up gpg-agent ssh-agent compatibility instead of the PIV method because it doesn't require their custom PKCS#11 module with an unproven security track record. And update the firmware with the Yubikey Manager app.

  • by Brajeshwar on 9/15/2023, 3:03:02 AM

    What would be the ideal suggestion for a Yubikey setup -- where I’m not hounded by authorities, don’t want to act out the James Bond lifestyle, and am just an ordinary person interested in extra security for him and his family?

    I want to be able to have Yubikeys for (i) my primary desktop at home, (ii) my travel Laptop & other devices (iii) backup (at least two) if any of the primary ones fail. Rinse and repeat for each family member.

  • by sufehmi on 9/15/2023, 8:44:52 AM

    I was looking for a cheaper alternative than Yubikey etc - then I found token2.

    Their FIDO U2F costs only 5 euro.

    Now I can say to people I talked to that they no longer have any reason not to use a security key.

    https://www.token2.com/shop/product/token2-t2u2f-security-us...

  • by dtx1 on 9/15/2023, 1:57:26 AM

    So... I just save my 2FA stuff in keepass... Works fine and can be backed up and replicated for free vs needing several yubikeys.

  • by xwowsersx on 9/15/2023, 2:48:09 AM

    I'm totally confused by the "backing up" section.

    > The best back-up is the buddy system: make sure at least one other person has an equivalent set of credentials for every application for which you use your YubiKey.

    Why is this the best option? How is it even a good idea at all? We're talking here about someone you deeply trust, I assume? I have a second Yubikey which is accepted everywhere my primary Yubikey is. Why is that the second-best option and not the best option? I must be missing something basic here. Can someone help me out?

  • by zoidb on 9/15/2023, 9:20:49 AM

    Might also want to check out https://github.com/FiloSottile/yubikey-agent as a very simple way to set up a yubi-key as an ssh-agent.

  • by karussell on 9/15/2023, 8:24:08 AM

    What vendors for hardware keys would be recommended besides yubico? Isn't it a bit risky when there is mainly one (known) vendor for hardware keys? Or is this just the wrong impression that you get from HN?

  • by nivenhuh on 9/15/2023, 4:37:46 PM

    Why is the adversary assumed to be female?