
Conversation

@TommyTran732

No description provided.

@cloudflare-workers-and-pages

cloudflare-workers-and-pages bot commented Mar 17, 2025

Deploying privsec-dev with Cloudflare Pages

Latest commit: 545d3dc
Status: 🚫 Build failed.


@TommyTran732 TommyTran732 marked this pull request as draft March 17, 2025 09:36
@netlify

netlify bot commented Mar 17, 2025

Deploy Preview for privsec-dev ready!

| Name | Link |
|---|---|
| 🔨 Latest commit | 545d3dc |
| 🔍 Latest deploy log | https://app.netlify.com/sites/privsec-dev/deploys/67d7ecfa0dbe3e00087ec9e3 |
| 😎 Deploy Preview | https://deploy-preview-341--privsec-dev.netlify.app |

@TommyTran732 TommyTran732 added the [c] update existing Existing content updates (beyond trivial fixes) label Mar 17, 2025

### OnlyKey

The OnlyKey encrypts its entire internal storage against the user PIN and static secrets baked into the hardware. The PIN consists of digits from 1 to 6, has the maximum length of 10 digits, and has to be physically typed on the key. The Onlykey supports a duress PIN, which other security keys do not have. For further protection against physical attacks, the key is also potted in resin.

@Ganwtrs Ganwtrs Dec 13, 2025


It might be worth mentioning that OnlyKey has a backup feature. Although backups can only happen after inputting the correct passphrase or PGP key, it introduces another attack vector.

OnlyKey and the Nitrokey 3A have a FIDO2 Level 1 certification, while the Yubikey 5 and Yubikey Security Key have a FIDO Level 2 certification.

OnlyKeys and probably Yubikeys are written in C, Trezor is half written in C, and Nitrokey (and Solokey) is written in Rust.


Ganwtrs commented Dec 13, 2025

Trezor Safe 7 now has multiple secure elements, but they have no plans to be FIDO2 certified.

Also, GrapheneOS is planning on allowing the HSM in Pixels to be used as an HSM for other workstations.


### Nitrokey

Nitrokeys, much like the Yubikey, do not encrypt its FIDO2 storage in a meaningful manner. Additionally, it is explicitly noted in their app that the HOTP/TOTP secret storage is also [not encrypted](https://docs.nitrokey.com/nitrokeys/features/totp/general).

@Ganwtrs Ganwtrs Dec 16, 2025



Some NitroKeys do support password storage, however, it is tied to the OpenPGP interface. Resetting the OpenPGP interface will make the password database [inaccessible](https://docs.nitrokey.com/nitrokeys/pro/factory-reset).

Nitrokeys support firmware updates and receieve them quite frequently. However, the they does not have any potting to protect themselves against physical attacks.


Suggested change
Nitrokeys support firmware updates and receieve them quite frequently. However, the they does not have any potting to protect themselves against physical attacks.
Nitrokeys support firmware updates and receive them quite frequently. However, they do not have any potting to protect themselves against physical attacks.


### OnlyKey

The OnlyKey encrypts its entire internal storage against the user PIN and static secrets baked into the hardware. The PIN consists of digits from 1 to 6, has the maximum length of 10 digits, and has to be physically typed on the key. The Onlykey supports a duress PIN, which other security keys do not have. For further protection against physical attacks, the key is also potted in resin.


Suggested change
The OnlyKey encrypts its entire internal storage against the user PIN and static secrets baked into the hardware. The PIN consists of digits from 1 to 6, has the maximum length of 10 digits, and has to be physically typed on the key. The Onlykey supports a duress PIN, which other security keys do not have. For further protection against physical attacks, the key is also potted in resin.
The OnlyKey encrypts its entire internal storage against the user PIN and static secrets baked into the hardware. The PIN consists of digits from 1 to 6, has the maximum length of 10 digits, and has to be physically typed on the key. The OnlyKey supports a duress PIN, which other security keys do not have. For further protection against physical attacks, the key is also potted in resin.


Nitrokeys, much like the Yubikey, do not encrypt its FIDO2 storage in a meaningful manner. Additionally, it is explicitly noted in their app that the HOTP/TOTP secret storage is also [not encrypted](https://docs.nitrokey.com/nitrokeys/features/totp/general).

Some NitroKeys do support password storage, however, it is tied to the OpenPGP interface. Resetting the OpenPGP interface will make the password database [inaccessible](https://docs.nitrokey.com/nitrokeys/pro/factory-reset).


Suggested change
Some NitroKeys do support password storage, however, it is tied to the OpenPGP interface. Resetting the OpenPGP interface will make the password database [inaccessible](https://docs.nitrokey.com/nitrokeys/pro/factory-reset).
Some Nitrokeys do support password storage. However, it is tied to the OpenPGP interface. Resetting the OpenPGP interface will make the password database [inaccessible](https://docs.nitrokey.com/nitrokeys/pro/factory-reset).
