Hacker News new | past | comments | ask | show | jobs | submit login

1Password with WebAuthn 2FA is probably better (harder for generic malware to steal), and leagues more convenient.



Not true. The solution I described would survive a local machine compromise (the GPG key is maintained on the Yubikey), the 1Password based solution won’t. How could generic malware steal secrets that are not even on the device? Furthermore, pass encrypts each password separately (I.e GPG generates a new symmetric key for each password). In case of 1password, if the master password is compromised, it’s game over.

Also, I was a long time 1password user, switched to my current setup after 1Password moved to the rent-seeking subscription business model with 1Password 7.

In terms of convenience, it’s even more convenient than using 1Password. The only minor hitch is having to key in the PIN for the Yubikey if I haven’t used it for a bit.


Your solution doesn't survive a real-time attack on a local machine compromise (wait for you to enter the PIN and then opportunistically use the private key). It only makes doing so harder by automatically re-locking the key.

That said, your system is well past the point of "password storage is no longer the most economical surface to attack".


Occasionally entering the PIN + Physical touch on the Yubikey for every decryption call. Since the private key never leaves the Yubikey, every decryption needs a physical touch.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: