Ask HN: 2FA hardware?
Right now I'm using Google Authenticator and I manage the services manually on my smartphone.
I use 2FA for my e-mail accounts, VPS, games and more. But it feels really silly to have it on my phone. Especially since I use 2FA for my phone e-mail account.
Is there any specialized hardware that I could use to replace this setup? Something that is compatible with any service and doesn't require a phone or a computer? Like a standalone solution.

Everybody recommending Yubikey: because of this [0], use that [1] instead. Amazon uses Gemalto [2] for AWS MFA, but I've had a bad experience with it, and cannot recommend it.
[0]: https://plus.google.com/+KonstantinRyabitsev/posts/4a7RNxtt7...

You could use any kind of hardware token like RSA, Fortinet or many other manufacturers. They usually offer a software version for your desktop as well. But usually you'll hate this additional piece of crap in your pocket. The combination of something in your mind (password) and something in your hand (smartphone) is the optimal setup. If you have a password or fingerprint to unlock your phone and the token generator app for 2FA, it should be enough security.

One option might be something like a Pebble. I use mine for H/TOTP codes just fine => https://github.com/JumpMaster/QuickAuth. It's always with you and works completely offline and outside of any service. It still requires your phone to add seeds, but they are generated completely independently once seeded. Just an idea that doesn't require buying specialized single-task hardware.

Google: Yubico; the NFC-enabled version has a Google Authenticator-like app (Yubico Authenticator).

Oh, I get it now, I misunderstood what Yubico could be used for. Thank you!

It can be used for a lot of things. GPG (even over NFC), U2F, 2FA,

Yeah, we use Yubico YubiKey Nanos at work for SSH 2FA as well as Gmail 2FA. It's pretty nice.

I always use huge passwords. Do you think using an easier-to-remember ~10-digit password will be secure enough if I use 2FA? Or is there another attack vector that I'm not aware of? I imagine if somebody steals my password I would get notified (Gmail) and could easily switch to a new one, no damage done.

I think a good password manager + 2FA will be adequate. Make your password manager password long but memorable and then make the passwords you generate crazy long, like 24 characters or more. That and 2FA all the things.

But if you're using accounts on "public" (like in the office) computers, aren't you trading an unlikely brute force for a single point of failure: your password manager, which is also in the cloud? Unless you also use 2FA on the password manager and there's no way for a compromised OS to copy your entire (unlocked) password manager DB. Oh god, I went too far.

Most password managers encrypt your contents one-way, and don't offer a forgot-password feature. Not all are in the cloud (1Password, KeePass, etc.), though they can be cloudified via sync (for instance, use Dropbox or iCloud). Some support the Yubikey for authentication.

I use my Pebble Time smart watch. I press one button on my watch and it instantly displays a list of 2FA codes for a bunch of sites.