How I Chose My FIDO2 Tokens
Source: https://fidoalliance.org

Why I started the research

  • Unhappy with the current mobile authenticators
  • Wanted to go passwordless / faster log-in
  • Wanted to have Hardware protection without Mobile Device
  • Wanted to use it on PC/Mobile/Tablet, possibly also for door access
  • Capability to do FIDO2 through NFC and USB-C
  • One solution to protect x509/PGP Keys, FIDO2
  • Testing how many services have real passwordless or just U2F


Choosing a vendor

At the current stage there are quite a few different FIDO2 hardware vendors out there, so the choice wasn't easy at first. Unfortunately, the more requirements you put in, the fewer vendors remain.

The following were critical requirements for my choice of vendor:

  • PGP Keys stored in Hardware - for "Commit Signing" and "E-Mail Security"
  • x509 Certificates stored in Hardware - for "Document Signing"
  • NFC - usage on mobiles to authenticate on apps or websites, or with physical access control systems like #verkada, #brivo and others
  • USB-C - works on all operating systems and is now the de facto standard
  • Authenticator L3 - which I had to drop, as no products known to me were readily available to support my requirements

As a starting point I used FIDO Alliance Device list: LINK

Vendor who satisfied my requirements

For me it turned out to be Yubico with its YubiKey 5C NFC series.

As an alternative I found NitroKey with its NitroKey 3C NFC, which should be able to satisfy my requirements too. But I wasn't able to get one, as the NitroKey 3C NFCs are still in pre-order and the vendor page states that not all functionalities are ready yet.

Pricing vs functionality

For many people, buying a 60€ token just to have FIDO2 is too expensive when they have a mobile at hand where it can be set up without that expense.

If you put security first and you want to go passwordless or U2F without the need for OTP, PGP or x509 support, you can possibly go with #GoTrust or #TrustKey, as they are available through Amazon for around 20€, or Yubico Security Keys for about 25€.

Forward looking / Next sessions

In my next session I want to speak about FIDO2 / Passwordless in MS365.

#Yubico #GoTrust #TrustKey #NitroKey #Fido2 #passwordless

Bettina Ostermann

Private Health Insurance consultant

9 months ago

Raphael, thanks for sharing!