Feitian ePass K9 - Multi-Factor Authentication USB-A Security Key with NFC FIDO U2F FIDO2 - $12.99

TheCaffeinatedSloth wrote: ↑ That is why in this thread you see a lot of people mentioning to get 2! Most services that accept hardware MFA allow you to add multiple devices for this very reason. Unfortunately not all do, which can cause problems, namely AWS.

I wasn't really thinking of the device failing, more just something going wrong in general that prevents it from working, maybe the device or maybe not, in which case the backup doesn't save you. So say we use text messaging for 2FA as an example, your phone could die, or just screwup in such a way that you cannot get texts, how likely is that? Something could go wrong with the phone network that prevents that text message from arriving, how likely is that? And so on.

How reliable is this?

How comfortable are you relying on a Chinese corporation for privacy/security?

nnlnn2 wrote: ↑ a physical key for your device?
I think my password/fingerprint will do

My heitai collection needs to be encrypted!

sparkaction wrote: ↑ I would add: Know your threat profile. Don’t keep stuff in a safe place only to lose access to it. SMS is generally good enough for most. If you know a friend that had their SMS 2FA compromised then OK you are in a unique high risk group and may need enhanced security measures.

Agreed, know your threat profile and understand what personal assets are being protected by your SMS or Email address. In my opinion SMS is not sufficient to secure financial assets. For those interested CBC was able to use social engineering to take over a Rogers account. Here's an example from a fellow RFD'er who had their rogers account hijacked: https://forums.redflagdeals.com/got-my-sim-hijacked-last-night-rogers-2344557/

Is this compatible with 1password?

Sievert wrote: ↑ How comfortable are you relying on a Chinese corporation for privacy/security?

These devices have been scrutinized by many security companies / white hat hackers and this is the worst I could find:
https://arstechnica.com/information-technology/2021/01/hackers-can-clone-google-titan-2fa-keys-using-a-side-channel-in-nxp-chips/


"There are some steep hurdles to clear for an attack to be successful. A hacker would first have to steal a target’s account password and also gain covert possession of the physical key for as many as 10 hours. The cloning also requires up to $12,000 worth of equipment and custom software, plus an advanced background in electrical engineering and cryptography. That means the key cloning—were it ever to happen in the wild—would likely be done only by a nation-state pursuing its highest-value targets."

Good enough for me.

How reliable it the USB connection without the outer metal shell to hold contacts against the contacts on your device's USB port?

CheapNFrugal wrote: ↑ Agreed, know your threat profile and understand what personal assets are being protected by your SMS or Email address. In my opinion SMS is not sufficient to secure financial assets. For those interested CBC was able to use social engineering to take over a Rogers account. Here's an example from a fellow RFD'er who had their rogers account hijacked: https://forums.redflagdeals.com/got-my-sim-hijacked-last-night-rogers-2344557/

thanks for sharing. would a 2FA app (authenticator) on one's cellphone be better than SMS verification? i typically have both setup anyways

texasbruce wrote: ↑ Is this compatible with 1password?

i use the Google Titan key with 1Password and Feitan makes the Google Titan key. i would guess that this key is the same as the Titan.

embguy wrote: ↑ How reliable it the USB connection without the outer metal shell to hold contacts against the contacts on your device's USB port?

it's fine. the key is only inserted to authenticate and then you can remove it.

brclho wrote: ↑ thanks for sharing. would a 2FA app (authenticator) on one's cellphone be better than SMS verification? i typically have both setup anyways

if you have both set up, then you are vulnerable to the SMS attack. the authenticator is safer unless the attacker gets hold of your device with the authenticator, e.g. your phone.

If you buy multiples of these for redundancy/backup do they link in some way or do you register them all as separate devices on an account? Do services support that kind of thing?

nnlnn2 wrote: ↑ a physical key for your device?
I think my password/fingerprint will do

LoL you either know or you don't.

If you don't understand the use case for this, you're taking some big risks with your data.

Authenticator Apps alone are not enough.

Can attest.....Yubikey + Bitwarden = solid

Been using it for last 2-3 years.

Ordered a Yubikey 5 NFC on Amazon a few days ago. Had a $7 clipped coupon that brought the price to $50 + tax. Gonna buy two of these Feitan ePass K9 and see if it will work just as well for me.

Plan to use Bitwarden on premium plan, since it's only $10 a year.

This is more secure than SMS or voice message - SS7 + Sim takeover all too easy.
Authenticator (MS, Google, ...?) also good.
You do need two keys in case you lose one. You can add both to those accounts that take them - eg Google.
FIDO2 compatible with windows signon - https://docs.microsoft.com/en-us/azure/ ... urity-keys

Security: Best to have 2+ of: Something you know, Something you have, Something you are.

spammy wrote: ↑ So basically every place you enrol 2FA you do it twice, one on each key?

Yes.

redmondflagger wrote: ↑ If you buy multiples of these for redundancy/backup do they link in some way or do you register them all as separate devices on an account? Do services support that kind of thing?

in general, yes, you can register more than one key or type of second factor authentication and you can register a specific key on multiple accounts.
for example, my key can authenticate me to get into my account and it can authenticate my wife to get into her account as a backup. Her key can be used to get into her own account and can also be used for me to get into my account as a backup.

When it comes to security I don't mess around. Just spend the extra 30-40 bucks and get a yubikey. Binance supports em too.

nnlnn2 wrote: ↑ a physical key for your device?
I think my password/fingerprint will do

it's clear that you don't care and/or know much about cybersecurity
read through this thread, 98% of each poster is talking about the usefulness of these keys

brclho wrote: ↑ thanks for sharing. would a 2FA app (authenticator) on one's cellphone be better than SMS verification? i typically have both setup anyways

In my opinion yes, an authenticator app on your phone is better than using SMS in terms of security, but you have to be careful when upgrading your phone that you don't accidently lock yourself out when you get a new phone.

I would just buy a yubikey if you were already going to these lengths for security