Getting Started with Security Keys

  • I would put greater emphasis on not locking yourself out, since that's the most likely threat for many people. Losing your phone (or having it die on you) is common and you should assume you'll do it sooner or later. Print out backup codes and store them somewhere safe that you won't forget before enabling two-factor authentication that depends on you having your phone or other device that can break.

  • > Switch your carrier to Google Fi

    Now no one can socially engineer access to your account -- including you yourself, in case you're locked out :-)

  • I think calling this 'paranoid' is a bit misleading. Paranoia suggests you are deluded or irrational, and that nobody's out to get you. In reality, people might be out to get you, just like walking a city street, someone might be looking to mug you. The difference is, they aren't looking for you specifically, the chances are pretty low of you running into them, and you shouldn't be overly worried or take too many precautions just because of that possibility. But you should be informed, and let your awareness of the possibility inform your actions.

  • I have a Yubikey but I can't use it fully yet:

    - There is no Yubikey OTP app for the iPhone

    - Safari iOS does not respond to WebAuthn APIs (the APIs are available but don't have any effect). I'd rather use plain Safari or Firefox, so Brave browser is not an option for me.

  • I can't help but think the author has recommended (1) storing backup keys (presumably in 1Password?) (2) storing OTP key generation QR codes in 1Password, so it can generate OTP codes for you.

    Doesn't this defeat the whole purpose of "two"-factor authentication? If your 1Password gets hacked the attacker has both your passcode and one-time password?

    You should consider keeping these two separate: If your 1Password unlocks with FaceID, do not make your Authy (or etc.) also unlock with FaceID. Otherwise, you're defeating the purpose of 2FA (something you "know" and something you "have"), I think.

  • For some reason I'm basically locked out of any paid Google product because my Google Pay account is disabled for whatever reason. I think it might have been flagged for fraud years ago and now I cannot use it at all, including for Fi. It's crazy.

  • SSH key storage needs more info I think. I am using SSH enough that this '...can also do SSH...' would want to be the main topic.

    Advanced modes disabling API keys mean a lot of the older third-party integrations which depend on a simple API token are SOL. This worries me: lock-in risks.

  • >I use and love 1Password and pay for the cloud account

    Is it just me, or does a hosted password manager smell like an absolutely terrible idea to anyone else?

  • OP comment from Reddit post:

    >Hey folks, OP here. I've been using security keys for a few years now and decided to spend some spare time over the last few months writing this up. Despite the name it's pretty detailed (15k words!) and I hope it can help folks understand the benefits of security keys and what FIDO2 brings to the table.

  • > TOTP risks - You could still fall victim to a fake website (or real one being proxied via man-in-the-middle like with Evilginx 2 and Modlishka)

    > Security key benefits - Even if the user willingly tried to log into a fake phishing site, the security key authentication would not work as the domain would differ.

    Why are security keys secure against man-in-the-middle attacks?
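    The short answer to the question above is origin binding: the browser, not the web page, writes the origin the user is actually on into the signed client data, and it only lets a page use a credential whose relying-party ID matches that origin. A proxy on another domain therefore never obtains a signature the real site will accept. The following Go program is an added illustration, not code from the article or from anyone in this thread. It models a toy authenticator, the browser, and the relying party with standard-library ECDSA; the origins `example.test` and `example-test-login.evil.test`, the fixed challenge string, and the simplification that origins are plain `https://host` with no CBOR or attestation are all assumptions made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// clientData: the clientDataJSON fields that matter here. The browser, not page script, sets Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type Assertion struct{ AuthData, ClientDataJSON, Signature []byte } // what the relying party receives
type Authenticator struct{ creds map[string]*ecdsa.PrivateKey }     // toy key: one credential per rpID

// Register creates a credential scoped to rpID and hands its public key to the relying party.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = k
	return &k.PublicKey, nil
}

// signedMessage is the digest WebAuthn signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return m[:]
}

// sign is all the key does: sign with the credential bound to rpID. It never parses the origin.
func (a *Authenticator) sign(rpID string, clientDataJSON []byte) (authData, sig []byte, err error) {
	k, ok := a.creds[rpID]
	if !ok {
		return nil, nil, fmt.Errorf("no credential registered for rpID %q", rpID)
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData = append(rpIDHash[:], 0x01, 0, 0, 0, 1) // flags: user present; signature counter = 1
	sig, err = ecdsa.SignASN1(rand.Reader, k, signedMessage(authData, clientDataJSON))
	return authData, sig, err
}

// GetAssertion plays the browser: it records the page's real origin and refuses an rpID that is not that host or a parent of it.
func GetAssertion(auth *Authenticator, origin, rpID, challenge string) (Assertion, error) {
	if host := strings.TrimPrefix(origin, "https://"); host != rpID && !strings.HasSuffix(host, "."+rpID) {
		return Assertion{}, fmt.Errorf("rpID %q is not valid for origin %q", rpID, origin)
	}
	cdj, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	authData, sig, err := auth.sign(rpID, cdj)
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthData: authData, ClientDataJSON: cdj, Signature: sig}, nil
}

// VerifyAssertion plays the relying party: challenge, origin, rpID hash, then the signature over all of it.
func VerifyAssertion(pub *ecdsa.PublicKey, as Assertion, challenge, expectedOrigin, rpID string) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge || cd.Origin != expectedOrigin {
		return fmt.Errorf("clientData mismatch: origin %q (want %q), challenge %q", cd.Origin, expectedOrigin, cd.Challenge)
	}
	if want := sha256.Sum256([]byte(rpID)); len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

// Demo: a real login, a phishing proxy on another origin relaying the real challenge, and a relabelled assertion.
func Demo() (legitOK, phishOK, tamperOK bool) {
	const rpID, realOrigin, phishOrigin = "example.test", "https://example.test", "https://example-test-login.evil.test"
	const challenge = "constructed-challenge-0123" // constructed; a real RP issues random bytes per login
	auth := &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
	pub, _ := auth.Register(rpID) // key generation from rand.Reader is assumed not to fail in this demo
	as, err := GetAssertion(auth, realOrigin, rpID, challenge)
	legitOK = err == nil && VerifyAssertion(pub, as, challenge, realOrigin, rpID) == nil
	// The browser on the phishing origin will not let that page use example.test's credential.
	_, err = GetAssertion(auth, phishOrigin, rpID, challenge)
	phishOK = err == nil
	// Origin is trustworthy only because it is signed: relabelling it breaks the signature, even for an RP that would accept the new origin.
	forged := Assertion{as.AuthData, []byte(strings.Replace(string(as.ClientDataJSON), realOrigin, phishOrigin, 1)), as.Signature}
	tamperOK = VerifyAssertion(pub, forged, challenge, phishOrigin, rpID) == nil
	return
}

func main() { fmt.Println(Demo()) }
```

    Running it prints `true false false`: the real login verifies, the proxy's page gets no assertion at all, and a captured assertion with its origin rewritten fails the signature check. A TOTP code has none of these properties, which is why relaying one through a proxy works and relaying a security-key assertion does not.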

  • Now we have APIs for 2FA tokens in place.

    When will we get an API for password managers? That'd enable effective domain name checks and such.

  • These hardware tokens usually support PGP as well! It's possible to generate a full set of keys on the device. Combining this with an offline primary key makes for a very secure system that's also relatively easy to use.

  • There is a depressing lack of open standards with these off-the-shelf physical tokens. It's unfortunate that a company's security can rely on the APIs of another company which could go bankrupt and disappear at any time.

  • Unpopular opinion: These keys are about selling the idea that physical-based security is somehow magically better.

    If you have good password hygiene (read: a decent password manager) then I'll need to breach your host to obtain it - if you use a security key, I'll have to breach your host and hijack your session, which is slightly more convenient, but chances are you're royally screwed once you're breached anyway.

    Sure, there are some edge cases where this might work (one-way keyloggers, etc.) but these aren't realistic threats for a large majority of people.

    Somehow a sales team have taken a bullet hole, and attempted to use a square peg to band-aid it.

    Stop buying stupid products and just use a damn password manager.