jacqueline@chaos.social

do you have a personal, hardware 2fa key? e.g. yubikey or similar

gsuberland@chaos.social

@jacqueline lol at option 4

kkarhan@infosec.space

@jacqueline does my brain count?

Cuz that I can effectively deny access to!

jacqueline@chaos.social

@gsuberland i'm tired of these people, graham.

indrora@social.sdf.org

@jacqueline yes and I index them: u2f.garden

gsuberland@chaos.social

@jacqueline mood

jacqueline@chaos.social

@kkarhan i think that comes under "i'm a pedant / other"

jacqueline@chaos.social

@indrora nice one dude, that's a really cool project!

indrora@social.sdf.org

@jacqueline Thanks!

I need to update the data with the YK5 and some 2FA cards the buttcoin community found.

jacqueline@chaos.social

i've got three, but i'm somewhat ashamed to admit that they're all just stolen from google

kkarhan@infosec.space

@jacqueline I'd rather consider it under "no", because using a proper password manager and having unique, secure credentials should do it.

  • I think it's more important to be able to commit Asset Denial and be able to prevent attackers from gaining credentials and being able to lock them out as soon as someone suspects that to happen.

jacqueline@chaos.social

@kkarhan the other nice thing about the password manager approach is that it doesn't lose effectiveness when encountering the 90% of websites that don't support 2fa tokens.

ecn@mastodon.social

@jacqueline yes, two!

one of them I use for FIDO2 authentication, the other one I use as a smart card / pseudo HSM for storing code signing keys for my iOS apps. I documented how to do it on my blog: ianspence.com/blog/2023-07/app

traumaphoenix@chaos.social

@jacqueline i have three of them

one on a keychain, one in a PD Tech Pouch, one in a drawer because it's a micro and it can't seem to find a system to call its home 🦋

badrihippo@fosstodon.org

@jacqueline no but i want to

otaviocc

@crossingthethreshold it’s a new M.b feature @manton released recently.

otaviocc

@otaviocc @manton why is my reply in a completely wrong thread? It was supposed to be in a thread in @Mtt’s timeline.

crossingthethreshold

@otaviocc @manton I missed this one.

owent@mastodon.social

@jacqueline i've got two but I can't remember what accounts are tied to the second one and i don't want to dispose of it. please send help

Mtt

@crossingthethreshold I think you’ve got the answer by now, but let me know if not.

Mtt

@otaviocc @manton Same for me. Odd.

manton

@otaviocc @Mtt There is some bug with Mastodon replies where the wires get crossed somehow. I'll fix this thread.

kkarhan@infosec.space

@jacqueline also good password managers support #TOTP & #HOTP for #2FA and can even back up and restore these, since they are deterministic PRNGs that require an attacker to have the initial code and initialization time & date within a quite narrow window.

Tho my personal favorite in terms of 2FA is demanding that the person logging in decrypt a PGP-encrypted message to retrieve a confirmation PIN.

  • But very, very few sites support that and sadly no password manager that I know of integrates PGP beyond allowing you to store private and public keys...

The big advantage of all good password managers is that they allow trivial backups and restores so having an (encrypted!) backup offsite is super fast and easy to do.

  • Also, let's face it: even the biggest "Galaxy Brainchair Chads" I know can't fit 100+ unique, 128-digit passwords in their memory... They have that preoccupied with more important skills...
crossingthethreshold

@Mtt Yes thank you, but thanks for checking in.

gnomon@mastodon.social

@jacqueline YubiKeys @tychotithonus, who lives in Alaska with 10,000 security keys, is an outlier and should not have been counted

mcc@mastodon.social

@jacqueline gotta admit tho this is one of those polls that makes me worry "how anonymous are Mastodon polls, I mean really"

kevin@mastodon.km6g.us

@jacqueline Two for each of us in the house.

Natanael_L@mastodon.social

@jacqueline not to be confused with "I'm a pendant", where you're someone else's small decorated yubikey on a necklace

gkrnours@mastodon.gamedev.place

@mcc @jacqueline we should standardize giving a security token to all new employees alongside the usual t-shirt and totebag. Token2 have an NFC-only token in card format that costs 10 bucks

taivlam@better.boston

@jacqueline Yes, I have YubiKeys for KeePassXC and SoloKeys 2 for all other U2F/WebAuthn/passkeys. I'm trying to figure out how to acquire Nitrokey 3 series devices, but it looks like I'll need to travel to Europe/Germany in the future if I want to avoid paying +50€ for shipping.
