mastodontech.de is one of many independent Mastodon servers you can use to participate in the Fediverse.
Open to everyone (over 16) and provided by Markus'Blog


#securitykeys


Well, that's something you don't see every day - a still-panelized set of 16 security keys!

I'm told these were part of Google's Titan / Gnubby development process. (Artemis was a daughter of Leto, who was a Titan -- get it?)

I assume they don't have firmware on them yet, but it might be tricky to find out non-invasively.

Security key that's new to me: Thetis Nano-C!

thetis.io/products/thetis-nano

Also news to me, I'm clearly behind: FIDO2 has levels:

fidoalliance.org/certification

This key is FIDO2 L1, and different applications may require different levels. Notably here, L1 is the minimum to get any certification at all, and you can't get L2 unless you have an actual secure hardware element. So with the device at this level, you get the independence of a separate physical object with a dramatically simpler software surface, but I suspect it might be easier to get secrets right off the key with physical possession.

(Note that this is an organic post, not sponsored in any way. Happened upon it in an eBay listing. I never do solicited or compensated endorsements)

GoDaddy makes you pick which security key you want to be prompted for by default, and only allows this key to be presented unless you follow the "try another way" workflow.

What is the purpose / threat model of this? It seems unnecessarily high friction to me, and as far as I know is not done by any other platform.

Since the last time I logged in fresh, Google has moved "2-step only" (non-passkey) security keys to be the first factor prompted for.

Only after a good key is presented is the user prompted for their password.

You are then prompted to create a passkey "instead", with a "Not now" option.

TIL Proton dropped their maximum supported security keys (some time after mid-August 2024) from 8 to 4 keys?! (Notice the tiny "8 out of 4" label, because I had registered the maximum 8 keys)

I suspect my current config will be stable until I need to explicitly delete a key, in which case I won't be able to add a replacement unless I delete five keys. 😡

#MFA #SecurityKeys #FIDO2
Replied in thread

@aleidk I replaced “mobile phone account” with “mobile phone provider account” to be clearer about what I meant.

For banks (in the EU), AFAIK there is a strong reason why they never even mention FIDO2: for a transaction at least, the device where validation is performed must give basic info on the transaction: seller and amount.

Another point: the software support depends on site, browser (e.g., Firefox desktop != Firefox mobile), type of key, physical communication protocol (like USB vs. NFC). I made a lot of tests with various sites and my USB-A and USB-C keys, sometimes using NFC, other times USB. Some combinations don't work, or worked at some point and not later (or worked with Chrome but not Firefox, etc.). This can be quite stressful or even dangerous if this is for an important account and you have no backup plan (⇒ don't). And if the backup options are 1) exploitable in your threat model and 2) not very secure, this obviously reduces or nukes the advantage of using a security key in the first place.

A typical backup option which is not insecure from my POV if well handled is a set of recovery codes, but for this you need to store them very carefully, safely... and not forget how to access them in x years! In these conditions, setting up a new account requires “some work”.

And I say all this despite wishing FIDO2 great success, 'cause SIM swapping attacks in particular are quite scary given how much important stuff still depends on codes sent by SMS. 😐

Well, that's the source of the key I found on eBay. How did I not hear about these new security keys sooner??

"Google’s new Titan Security Keys let you store passkeys"

9to5google.com/2023/11/15/tita

And the Google blog post says they hold up to 250 passkeys.

Blog post: blog.google/technology/safety-

Google Store link (waitlist only at this writing): store.google.com/product/titan

Heyyy, I'm thinking about buying a security key, probably for only using it with keepassxc. Can you guys recommend something solid that's not overly expensive for a student?
I don't wanna / don't have money for a 50 EUR security key.
Also with a USB-A port.
There are a few with open source hardware which I like, but still expensive at 30 EUR; idk what's sooo expensive on a key like that (I get it, custom hardware, but still).

#security #passwordmanager #password #securitykeys
#yubikey #keepassxc #securitykey

Requiring Javascript for Login Flows

The modern web and all its client-side code makes #javascript pretty much a requirement to surf the internet. Should #identity providers still go the extra step to make login flows work without javascript or is it reasonable to make JS a requirement?

Please comment if you want to add nuance, and thanks for sharing :)

btw. Google and Microsoft require JS for logins while Facebook, Amazon, and GitHub apparently don't. But JS obviously becomes a requirement once you use #securitykeys / #passkeys / #webauthn.

#iam #idp #openid

For those that use #hardware #SecurityKeys (#YubiKey etc) do you have a #backup at home or offsite? Do you just carry key(s) with you? I'm curious!

This is a multiple choice poll, pick the option(s) that apply to you!

Boost for reach? Thanks! 😊

(I have a key I carry with me, as well as a backup in a secure place at home, and a key at a trusted friends place as an offsite backup. Yes, adding new keys can be frustrating with managing the offsite ones back and forth...)