It is not a password replacement, you still need multiple factors of authentication. Yubikey satisfies the “something you have” factor, your password is still the “something you know”. Your password can be learned but should not be usable without something you have. Your token can be taken but should not be usable without the something you know. Fingerprints are not infallible, it’s more confidence of a match than an exact match - Samsung was just in the news because someone figured out how to trick their sensors to read a false positive. Having a password also would keep that from being exploitable. Also keep in mind that the current school of legal thought in the US is that biometrics don’t qualify for 5th amendment protections whereas passwords do - police can force you to put your finger on a reader, but they can’t force you to give a password without judicial review.
You missed my point entirely. So I repeat it here: most attacks are online attacks, remote in nature, so even a physical security key without a fingerprint reader is still superior to passwords and would mitigate the majority of attacks. Webauthn [1] is not the same as 2FA. That's a different standard and it is meant to replace passwords. The fingerprint reader on this new yubikey is an additional measure against someone in close proximity to your physical key being able to use it.
You do not need 2 factors with this solution, which is the whole point. This isn’t a 2FA token anymore. 2FA was a mitigation against phishing and credential theft. This solves that problem with a single factor. It is a password replacement.
If I were defending against legal duress, then I would design the system to require my MFA and there would be a prompt to a team in another region that has to "approve" my login in real time. This method is not perfect, because that team has to be an entirely different company/organization to not be included in the same legal order and there are other legal issues with that setup. I am not a lawyer and would never pass the bar. Anyway, my MFA would decrypt part of the key and the other team would provide the remainder of the decryption of the key if they approve my access. Some old secure mainframes were set up in this fashion.
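The dual-control design sketched in the comment above (one share unlocked by the user's local MFA, the other released by a remotely approving team), as an added Python example that is not the commenter's code: a 2-of-2 Shamir split over a prime field, plus a hypothetical `RemoteApprover` that only hands over its share on an explicit approval. The demo key, the `RemoteApprover` class and the approval flow are constructed for illustration.

```python
import secrets

# Mersenne prime 2^521 - 1: the field comfortably holds any key up to 64 bytes.
PRIME = (1 << 521) - 1

def split_key(key):
    """2-of-2 Shamir split of `key` over GF(PRIME): f(x) = key + a*x, share i = (i, f(i)).
    With a uniformly random `a`, a single share is uniformly distributed and
    reveals nothing about the key on its own."""
    k = int.from_bytes(key, "big")
    if k >= PRIME:
        raise ValueError("key too large for the field")
    a = secrets.randbelow(PRIME)
    return [(x, (k + a * x) % PRIME) for x in (1, 2)]

def combine(shares, key_len):
    """Lagrange interpolation at x = 0 recovers the constant term, i.e. the key."""
    k = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        k = (k + yi * num * pow(den, -1, PRIME)) % PRIME
    return k.to_bytes(key_len, "big")

class RemoteApprover:
    """Hypothetical second-region team: holds share 2 and releases it only when
    a human approves the request; every decision is recorded for audit."""
    def __init__(self, share):
        self._share = share
        self.audit_log = []

    def request_release(self, who, approved):
        self.audit_log.append((who, approved))
        return self._share if approved else None

def dual_control_login(user_share, approver, who, approved, key_len=32):
    """`user_share` is what the local MFA step unlocks; the remote share is
    requested from the approving team. The key exists only if both are present."""
    remote = approver.request_release(who, approved)
    if remote is None:
        return None  # denied: no partial key material is ever reconstructed
    return combine([user_share, remote], key_len)

# Constructed demo key (not a real secret) and its two shares
DEMO_KEY = bytes(range(32))
USER_SHARE, APPROVER_SHARE = split_key(DEMO_KEY)
```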
I'd still prefer mfa for important stuff, because two factors are better than one. Since the one thing we know about security is that we don't know or understand it that well, and time works against security engineering.