HW Security Keys - 2023 - State of Tech? - eviltoast

Hello all!

I’m wondering what folks who are more involved with infosec and have their fingers on the pulse are thinking for best devices and practices at this time.

From my perspective, modern computing has made MFA a requirement for pretty much everything. I’m not a fan of app-based as it is too fragile and increases possible attack surface.

When it comes to HW keys, I see a few factors:

  • Physical manufacturing location/supply chain
  • Source code access
  • Third-party certification

The first one is fairly straightforward - do you have trust in the place of manufacturer and the components used? Or, is there some other philosophical reason (ex. labor conditions)?

The second and third are a bit less clear. It seems to me that the more open the source, the more auditable and verifiable, however, this seems to be inversely related to the chance that a device is certified by the FIDO Alliance. I’m not sure if this is due to it being a commercial working group or costs involved being more likely to be prohibitive for OSS/OSHW projects. Any other certifications recommended?

While I would rather the verifiability of open-source, it seems like Yubico’s offerings might be winning out in the other categories for the price. Any thoughts?