Wednesday, May 02, 2018

I Probably Should Have Done a Little More Research ...

... and spent just a few extra bucks.

Arriving tomorrow: A Thetis FIDO U2F Security Key.

Every time I am about to travel, I get more security-conscious. Going from a PIN to a full-blown passphrase on my phone and reducing the inactive time before it locks, for example. And updating my PGP keys. And setting up Boxcryptor.

I finally decided that part of all that is upping to two-factor authentication with respect to various sites I use (an added security layer in case my Chromebook gets lost, stolen, or held hostage by government ghouls) and that I would prefer authenticating with a dongle to receiving a code via phone (with the phone as backup in case I lose the dongle).

The Thetis only supports U2F authentication, not OTP. I did research U2F versus OTP and am convinced U2F is pretty good to go. What I hadn't really noticed, though, is that not nearly as many sites support U2F as OTP (here's a site that keeps track of which sites support two-factor dongle authentication and what types).

Neither of my preferred password managers (LastPass, which I use, and Password Tote, which I just took out for a test drive) supports U2F (they both support OTP, although LastPass only does so in its premium version, which I might have bought if it supported U2F). That's kind of a buzz-crusher.

Fortunately, Google and Dropbox DO support U2F, and that's a good portion of what I want to keep behind a little more protection than e.g. my RSS reader or Disqus account. But for $5-10 more I could have had both U2F and OTP. Live and learn, I guess.
