I don’t know yet where to put this - but here is my question: would it be possible to have, as an option in the shop/marketplace, a dedicated Yubico YubiKey 5C nano as a module that supports the security options of the machine? Would Yubico be interested in such a cooperation?
I’ve been setting up the Yubico 5C NFCs I bought recently today, and I was just thinking the exact same thing.
Especially on the FW16 as it has a ridiculous amount of IO (I’ve specced out a very overkill peripheral setup and still have 3 slots unaccounted for) it would be no harm at all to spend a slot on hardware auth.
Sure you could just plug a 5C nano into a type C card, but it would protrude from the chassis and risk getting damaged/broken. Having it integrated into the card with the contact plate being the full side of the card would be so much better imo.
Even if the card is literally just the housing, an off-the-shelf 5C, and a conductive metal strip (I just tested - I can activate my 5C NFC through a keyring) attached to the nano. The cost of it would probably be a bit more than a 5C nano, but it would be worth it for the huge reduction in damage risk.
ETA: open question about a secondary key for backup - it would be somewhat cumbersome to remove it and insert the backup key, but it also seems tricky to do so with a 5C nano. 5C nano owners feel free to correct me, but I would guess having a 5C nano as an “always plugged in” option with a backup 5 NFC/5C/5C NFC is common? Personally I’ve opted for 2x 5C NFC as main & backup.
It wouldn’t be hard to have a 3D-printable plastic Expansion Card with an added metal channel to move from the auth button to the end of the Expansion Card.
You could also use something like a SoloKeys2 (already has button on end) or Titan.
A big part of wanting it as a first-party or at least officially created product is to have the fit and finish match the other expansion modules and the rest of the chassis. It’s part of why I personally dislike the ethernet card, the clear plastic is cool and all but it stands out, and not in a feature piece way.
There’s a request for expansion card blanks which could make this possible to DIY, but for something as common (and increasingly so) as hardware keys I think it makes sense to have it as a released product.
As mentioned, it can be built from existing production components making the R&D cost negligible and the manufacturing cost easily absorbable. Possibly just use the type-A/audio card housings so the single new part is a metal plate of the required size - or if the housing is conductive enough just electrically couple the Yubikey to it needing 0 new parts, just a wire.
Obviously there are space limitations that could make it simply unfeasible, but an absolute dream version of this might be an expansion card with 3 USB ports: an internal USB-A one for that one pesky dongle we all have, a slightly sunk-in USB-C port with “under-laptop” access for things like a Yubikey (or, if space allows, maybe a slightly sunk-in USB-A port to work with the Yubikey 5 nano, since that puts the touch-sensitive spot on the side of the laptop rather than the bottom), and a regular USB-C port for standard usage (even if it has some limitations, I’d happily give up some of the benefits of our ports if I can have a dongle and a Yubikey in the same module).
A hack would be to pair an A/C module with a Yubikey Nano A/C, and it would kinda sit flush with the chassis. But I would be “scared” of leaving it in the laptop all the time…
I thought Yubikeys were meant to be an additional hurdle for hackers to overcome. If someone stole your device with the key, wouldn’t it make the additional security pointless? Even worse, some people have login enabled with U2F, so one can bypass the password and fingerprint reader, log in directly and use the Yubikey to access other services.
If someone is interested in local/device-based security, you can always use your TPM (thank you Microsoft). Both SSH keys and TOTP can be used with a TPM, with many other projects being out there.
I struggle with the security implication there. If you make a Yubico part of your device, you effectively ruin its separation from that device, and it ceases to be a second factor…
Not saying it couldn’t be done, but I would argue it’s not a good “secure” idea.
A lot of people don’t think about it, or don’t care that much, as they believe the risk is low. They just want it to be easier, and as convenient as possible.
That’s the trouble with many new security systems. If they aren’t made convenient, people will seek to make them easier, sometimes making security worse than it was to begin with.
For a great example, there are NIST’s (U.S. National Institute of Standards and Technology) Digital Identity Guidelines, which say that using complex passwords (combining upper and lower case letters, numbers and symbols) and regularly changing passwords is bad in practice. It just leads to users adopting poor habits, like reusing passwords or creating simple passwords that barely meet the criteria, like “Passw0rd123.” Yet companies still force such complexities; in fact, it’s hard to find one that doesn’t, instead of asking users to use easier-to-remember but still secure passphrases, like the famous “correct horse battery staple” (xkcd: Password Strength).
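To make the passphrase-vs-composition-rules argument concrete, here is an added Python example (not code from the forum post, from NIST or from xkcd). It contrasts what a composition-rule meter assumes about “Passw0rd123” with what an attacker who tries dictionary words plus common mangling rules actually faces, and computes the entropy of a random diceware-style passphrase. The word list and common-password set are tiny constructed samples, the EFF long word list size of 7776 and the `mangling_variants` figure are assumptions used for the estimate, and `normalise` is a deliberately simplified model of cracker rule sets.

```python
"""Passphrase vs. "complex" password: why composition rules mislead.

Added illustration, not from the original thread. Word list and
common-password set are small constructed samples; a real deployment
would use the EFF long word list (7776 words, assumed below) and a
breach corpus.
"""
import math
import secrets
import string

# Constructed sample word list; only the list *size* drives entropy.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "river", "lamp",
                "orbit", "velvet", "cactus", "marble", "tundra", "pixel"]
EFF_LONG_LIST_SIZE = 7776  # assumed size of EFF's long diceware list

# Constructed stand-in for a breached/common-password corpus.
COMMON_BASES = {"password", "welcome", "letmein", "qwerty", "admin"}

# Common leet substitutions a cracker's rule set undoes.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def passphrase_entropy_bits(num_words, list_size=EFF_LONG_LIST_SIZE):
    """Entropy of num_words words drawn uniformly from list_size words."""
    return num_words * math.log2(list_size)


def naive_entropy_bits(password):
    """What a composition-rule meter assumes: every character is an
    independent uniform pick from the union of character classes used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0


def meets_complexity_policy(password):
    """Typical corporate rule: 8+ chars with upper, lower and a digit."""
    return (len(password) >= 8
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password))


def normalise(password):
    """Undo the usual user mangling of a dictionary word: lowercase,
    strip trailing digits/punctuation, then reverse leet substitutions.
    Simplified model of a cracker rule set, not a complete one."""
    base = password.lower().rstrip(string.digits + string.punctuation)
    return base.translate(LEET_MAP)


def effective_entropy_bits(password, mangling_variants=1000):
    """Rough attacker's-eye estimate: a mangled common word costs
    roughly corpus_size * rules_tried guesses, not the full character
    space. mangling_variants is an assumed number of rule combinations."""
    if normalise(password) in COMMON_BASES:
        return math.log2(len(COMMON_BASES) * mangling_variants)
    return naive_entropy_bits(password)


def generate_passphrase(words=SAMPLE_WORDS, num_words=4):
    """Draw words with a CSPRNG (secrets), never random.choice."""
    return " ".join(secrets.choice(words) for _ in range(num_words))


if __name__ == "__main__":
    for pw in ("Passw0rd123", "P@ssw0rd!"):
        print(f"{pw!r}: policy ok={meets_complexity_policy(pw)}, "
              f"meter says {naive_entropy_bits(pw):.1f} bits, "
              f"attacker sees ~{effective_entropy_bits(pw):.1f} bits")
    print(f"4 random words from {EFF_LONG_LIST_SIZE}: "
          f"{passphrase_entropy_bits(4):.1f} bits")
    print("sample passphrase:", generate_passphrase())
```

“Passw0rd123” satisfies the policy and scores around 65 bits on a naive meter, but normalises to “password” and so costs an attacker only about 12 bits of work under this model, while four random words from a 7776-word list give roughly 52 bits that no dictionary-plus-rules attack shortcuts.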