First of all, I want to apologize for forgetting to update my Namecoin domain and Zeronet mirror for such a long time.
Anyway, I will be off to another city soon, leaving my Qubes OS desktop behind. However, due to performance and battery life concerns, I probably will not be running Qubes on my (rather old) laptop. This means that I need another way to manage PGP keys and such instead of VMs.
I had been eyeing the Yubikey (and similar hardware security keys) for a long time, so I thought I might as well try it out. I got the regular Yubikey 4 instead of the Neo because of the price and that some say that the Neo does not support 4096 bit RSA keys. (Again, some seem to say that they do, so if you want to get a Neo, you might want to do some research on this.)
It comes in tamper-evident packaging, so you might want to inspect that before opening.
U2F is a two-factor authentication standard that also protects against phishing.
To test the U2F (and also OTP) functionality, the official demo site can be used.
Setting up and logging in via U2F is pretty straightforward and supported by a lot of major sites. Just enable it in the website’s settings, plug the key in, and touch the metallic button.
On Firefox, you may need to follow this guide to enable U2F. Also, due to some implementation incompatibilities, Chrome / Chromium is needed to add keys to Google, though logging in can still be done with Firefox.
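To make the phishing-resistance point concrete, here is an added, constructed model of one U2F authentication round; it is not code from the original post or from Yubico. The layout of the signed message is the real one (hashed application id, user-presence byte, counter, hashed client data), but HMAC under a per-registration secret stands in for the token's ECDSA P-256 signature so the example runs with the standard library only, and the origin and appId values are invented. The two properties that defeat a look-alike site are that the browser, not the page, records the origin in the client data and derives the application parameter from it, and that the token refuses a key handle that was not registered for that application parameter.

```python
import hashlib
import hmac
import json
import os
import struct

# Constructed relying-party identity; real deployments use their own https origin.
RP_APP_ID = "https://login.example"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Token:
    """Toy authenticator: one credential per (key handle, application parameter)."""

    def __init__(self):
        self._creds = {}   # key_handle -> (app_param, per-registration secret)
        self.counter = 0   # monotonically increasing signature counter

    def register(self, app_param: bytes) -> bytes:
        key_handle = os.urandom(16)
        self._creds[key_handle] = (app_param, os.urandom(32))
        return key_handle

    def export_verifier(self, key_handle: bytes) -> bytes:
        # Stand-in for exporting the public key at registration time.
        return self._creds[key_handle][1]

    def authenticate(self, key_handle: bytes, app_param: bytes, challenge_param: bytes):
        cred = self._creds.get(key_handle)
        # A U2F token only uses a key handle with the application parameter it was
        # created for, so a credential for login.example is useless to another origin.
        if cred is None or not hmac.compare_digest(cred[0], app_param):
            raise PermissionError("key handle does not belong to this application")
        self.counter += 1
        user_presence = b"\x01"   # the metallic button was touched
        signed = app_param + user_presence + struct.pack(">I", self.counter) + challenge_param
        sig = hmac.new(cred[1], signed, hashlib.sha256).digest()   # stand-in for ECDSA
        return user_presence, self.counter, sig


def browser_client_data(origin: str, challenge: str) -> bytes:
    """The browser, not the web page, fills in the origin it is actually displaying."""
    return json.dumps({"typ": "navigator.id.getAssertion",
                       "challenge": challenge, "origin": origin}).encode()


def server_verify(verifier, challenge, client_data, presence, counter, sig, last_counter):
    """Relying-party checks: expected challenge and origin, signature over the
    server's own appId hash, and a counter that moved forward (clone detection)."""
    cd = json.loads(client_data)
    if cd.get("challenge") != challenge or cd.get("origin") != RP_APP_ID:
        return False
    signed = sha256(RP_APP_ID.encode()) + presence + struct.pack(">I", counter) + sha256(client_data)
    expected = hmac.new(verifier, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False
    return counter > last_counter


def simulate_login(token, key_handle, browser_origin, verifier, last_counter=0):
    """One login attempt as seen by the real relying party. The page may have relayed a
    genuine challenge, but the browser still binds the request to its real origin."""
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"   # constructed; servers use fresh random bytes
    client_data = browser_client_data(browser_origin, challenge)
    app_param = sha256(browser_origin.encode())   # browser derives appId from its origin
    try:
        presence, counter, sig = token.authenticate(key_handle, app_param, sha256(client_data))
    except PermissionError:
        return False
    return server_verify(verifier, challenge, client_data, presence, counter, sig, last_counter)


if __name__ == "__main__":
    tok = Token()
    handle = tok.register(sha256(RP_APP_ID.encode()))
    pub = tok.export_verifier(handle)
    print("real site:", simulate_login(tok, handle, RP_APP_ID, pub))
    print("look-alike:", simulate_login(tok, handle, "https://login-example.evil", pub))
```

Running it prints `True` for the real origin and `False` for the look-alike, because the token never signs for the wrong application parameter; even a token that did would fail `server_verify`, since the origin in the client data is not the relying party's. The real protocol also allows a set of related origins per appId (the facet list), which this model collapses to exact equality.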
PGP / SSH
Before getting the Yubikey, I had no idea that PGP keys can also double as SSH authentication keys.
There is a pretty nice guide about setting up PGP and SSH. Note that while the product page claims that ECC is supported, it is actually referring to PIV, and only RSA keys (<= 4096 bits) are supported in PGP.
As the guide suggested, only my sub-keys are transferred to the Yubikey, while the encrypted master key lies on a USB drive and is accessed with Tails.
There are only three PGP key slots: signature, encryption, and authentication. However, it seems that they are not limited to the stated purpose, e.g. you can sign with the authentication key and vice versa.
The Yubikey also supports TOTP and HOTP (i.e. the numeric codes in Google Authenticator), though since using it on my phone would be a bit inconvenient, I am still just using an app right now.
Yubico (the company that manufactures Yubikeys) advised having a backup device, but since for U2F I can still use TOTP on my phone while for PGP my master keys are already stored elsewhere, I find it unnecessary.
In conclusion, I think it is a great purchase. The security benefits of isolating confidential data on a separate device aside, the hardware is compact and sturdy, and the overall user experience is pretty nice. U2F is definitely more convenient and secure than TOTP, and using PGP is sort of like split-GPG in Qubes, but with touching a physical button instead of clicking in a dialog.
On the other hand, after my purchase, there was this scandal about Yubico, which kind of sucks. Also, some say that it is not as indestructible as it claims to be, though that is about an older version, and at least newer versions mitigate the acetone attack. Last but not least, some might dislike that a part of it, including the PGP portion, is closed source. These are probably things to consider if you are thinking of getting one.