New ask Hacker News story: Ask HN: What are the current best practices for security token usage?
Ask HN: What are the current best practices for security token usage?
3 by taeric | 0 comments on Hacker News.
I recently took the plunge and bought some security tokens. I originally intended to just get the bundle from Google and call it a day. However, I found that really only lets me secure a few sights, and that it doesn't let me secure anything else locally, since it is not a OpenPGP card. To that end, I then picked up a YubiKey and have started doing what I can to set that up. So far, it has been fine and having the backup keys for my google account is still fine. However, I'm left with two lingering "this feels wrong" points. The first is that I don't know what a good backup strategy for my private key is. Yes, I could print it out and store in a security box. I can also store it there in a flash card before I transfer it to a yubikey. Both of these feel somewhat off, though. I can't say why. (I've similarly thought of just transferring the same private key to two yubikeys and storing one in a safe box.) The more pressing problem, is that I haven't seen a good path for making it such that I need to use this key. Ideally, I'd make it so that I have to use this thing every day. Not necessarily because I'm paranoid, but because if I'm not using it every day, then I have nothing to let me know it actually works, such that if I break it or the scheme I'm using, I will never know. So, my questions for the crowd. What is the best workflow today for building good security? Is it really down to just discipline to test backups and perform disaster recovery every quarter or so from standard backup solutions?
3 by taeric | 0 comments on Hacker News.
I recently took the plunge and bought some security tokens. I originally intended to just get the bundle from Google and call it a day. However, I found that really only lets me secure a few sights, and that it doesn't let me secure anything else locally, since it is not a OpenPGP card. To that end, I then picked up a YubiKey and have started doing what I can to set that up. So far, it has been fine and having the backup keys for my google account is still fine. However, I'm left with two lingering "this feels wrong" points. The first is that I don't know what a good backup strategy for my private key is. Yes, I could print it out and store in a security box. I can also store it there in a flash card before I transfer it to a yubikey. Both of these feel somewhat off, though. I can't say why. (I've similarly thought of just transferring the same private key to two yubikeys and storing one in a safe box.) The more pressing problem, is that I haven't seen a good path for making it such that I need to use this key. Ideally, I'd make it so that I have to use this thing every day. Not necessarily because I'm paranoid, but because if I'm not using it every day, then I have nothing to let me know it actually works, such that if I break it or the scheme I'm using, I will never know. So, my questions for the crowd. What is the best workflow today for building good security? Is it really down to just discipline to test backups and perform disaster recovery every quarter or so from standard backup solutions?
No comments