And as a result of how they market their keys, and those decisions, Fido keys are presented at a cost of $20 to $60. Why $60, for a simple Fido key? Because for $60 you get not only Fido, but Flippo, Froggo, x.6s8o and more-o.
The result is that most people know the name Yubikey, but don't really know Fido, or what it is. On Amazon if you search for Fido you get mostly Yubikeys. There were other brands, but Yubico appears to have snuffed them. At one point there was an open source version that worked just as well as a name brand.
As for value? If you are a big corporate type this is the cat's meow. But otherwise? What other hardware is $60? A Raspberry Pi 4? I can get little cheap USB thingies from China at 6 for a dollar.
I am not pointing at Yubico, as they have done well making profits from corporations, but rather at the Fido Alliance. Looking at the Fido Alliance provides a first pass at answering the question "Who Benefits?"
https://fidoalliance.org/overview/leadership/
Perhaps it is fair to ask "What benefit" as well.
Corpocracy. You gotta love it.
Would love to hear more from people getting this successfully set up at scale in corporate environments. I've seen big companies with lots of InfoSec talent not even attempt this.
It only supports the sk-ecdsa-sha2-nistp256 key format, but that is widely supported currently.
My personal strategy is to use keys generated this way:
ssh-keygen -t ed25519-sk
Rules:
- A generated key never leaves the machine it was generated on.
- ssh-agent is never used.
- ProxyJump in HOME/.ssh/config or -J to have convenient access to all my servers.
- DynamicForward and firefox with foxyproxy extension to access various things in the remote network from my local machine (IPMI, internal services, IoT, ...)
- On the web no passkey, only simple 2FA webauthn.
My understanding is that more features including "storage" means more attack surface so by avoiding it you're 1/ more secure 2/ it's cheaper.
White paper on passkey says their security is equal to the security of the OS (Microsoft Windows ...) so I avoid passkeys.
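As an added example of the setup this comment describes (not code from the thread), here is a script that generates the sk key and writes the ProxyJump / DynamicForward config with agent use switched off; the host names, user name and SOCKS port 1080 for foxyproxy are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Host names, user and port are placeholders.

# Generate the FIDO-backed key on this machine. ssh-keygen needs a FIDO2
# authenticator plugged in and asks for a touch; the file written is only a
# handle that works together with that physical token.
gen_sk_key() {
  ssh-keygen -t ed25519-sk -f "$1" -C "sk-key-$(hostname)"
}

# Write an ssh_config: one jump host that uses the sk key and exposes a SOCKS
# proxy on loopback (DynamicForward); every *.internal host is reached through
# it with ProxyJump. ForwardAgent is off everywhere: ssh-agent is never used.
write_ssh_config() {
  cfg="$1"; key="$2"
  cat >"$cfg" <<EOF
Host bastion
    HostName bastion.example.com
    User admin
    IdentityFile $key
    IdentitiesOnly yes
    ForwardAgent no
    # SOCKS5 on loopback only; point Firefox/foxyproxy at 127.0.0.1:1080
    DynamicForward 127.0.0.1:1080

Host *.internal
    ProxyJump bastion
    IdentityFile $key
    IdentitiesOnly yes
    ForwardAgent no
EOF
}

# Count how many times a directive appears in the config (sanity check).
count_directive() {
  grep -c "^[[:space:]]*$2[[:space:]]" "$1"
}

# Succeeds only if every DynamicForward binds to 127.0.0.1, so the SOCKS
# proxy into the remote network is not reachable from the local LAN.
socks_is_loopback_only() {
  ! grep -E "^[[:space:]]*DynamicForward[[:space:]]" "$1" | grep -vq "127.0.0.1:"
}
```

Run `gen_sk_key ~/.ssh/id_ed25519_sk` once with the token present, then `write_ssh_config ~/.ssh/config ~/.ssh/id_ed25519_sk` and connect with `ssh web.internal`.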
https://stephentanner.com/ssh-yubikey.html
Hopefully someone finds it useful.
The biggest issue I ran into was when folks wrote some tools that rely on ssh sock auth to automate connection to remote boxes. Not fun if you have to tap for every box.
Slightly different as I generate a PGP key on the computer and then load it to the Yubikey, which means I can have backup keys with the same secret keys.
I never really got "touch to use" working though, if anyone knows how to do it with GPG keys I'd really appreciate it!