Bill Cypher on Nostr: The magic with FIDO security keys is the same public key encryption as nostr uses. ...
The magic with FIDO security keys is the same public key encryption as nostr uses. Your private key is on the USB key and the server gets the public key. The private key never leaves the USB, the event signing happens on the key.
This way you need physical access to the key to get in. A password leak doesn't let some rando in Nigeria into your account. Account access is still susceptible to wrench attacks but that is a smaller attacker pool than anyone on the planet with internet.
One thing to keep in mind is a YubiKey is a one-of-a-kind deal. Lose it and you are toast. The solution is, register 2 keys on your account. 1 key for use and 1 goes in your safe and is treated as seriously as your seed.
An OnlyKey offers an encrypted backup feature that allows you to clone keys. So I register 1 and clone it; both now work. Hardware passwords are nice too. The only downside is some services don't properly support FIDO auth; they scan to see if it is a YubiKey and refuse to work with other brands.
Google forced employees to go to hardware-key 2FA years ago and it saved them a fortune because accounts accessed by social engineering attacks went to 0. It isn't a guarantee, but limiting unauthorized access to wrench attacks really cuts down the number of successful attacks.
I'd be willing to DM for use case details but I don't want to lay out a roadmap publicly of how I secure all my accounts.
TL;DR, this is a big jump in preventing hackers from accessing your accounts and I highly recommend you get 2 and use them.
Published at 2025-05-22 02:23:02
Event JSON
{
"id": "a17a95904d61d70dca8d7de72ab2788a7bdc53dcd61e3ff66c05efe1cf1208f7",
"pubkey": "010df0c948fe9ab54d2cb7ea420ffa08d57958981b6ea68e83aaa7eb2dd3f05a",
"created_at": 1747880582,
"kind": 1,
"tags": [
[
"e",
"0023421545183dcf811764c34a7c0b7a113951ad5e835472b8423fe31834f2e2",
"",
"root"
],
[
"e",
"a683cb804992321b7238f9ceedfc206b3b4b289b44602159f9e75dffd8df7ddc"
],
[
"e",
"b4d47ae38853a28850b1a05f4a7cad8538ab109476596ff74440d6f315e70707",
"",
"reply"
],
[
"p",
"010df0c948fe9ab54d2cb7ea420ffa08d57958981b6ea68e83aaa7eb2dd3f05a"
],
[
"p",
"d28413712171c33e117d4bd0930ac05b2c51b30eb3021ef8d4f1233f02c90a2b"
]
],
"content": "The magic with FIDO security keys is the same public key encryption as nostr uses. Your private key is on the USB key and the server gets the public key. The private key never leaves the USB, the event signing happens on the key.\n\nThis way you need physical access to the key to get in. A password leak doesn't let some rando in Nigeria into your account. Account access is still susceptible to wrench attacks but that is a smaller attacker pool than anyone on the planet with internet. \n\nOne thing to keep in mind is a Yubikey is a one of a kind deal. Lose it and you are toast. The solution is, register 2 keys on you account. 1 key for use and 1 goes in your safe and treated as seriously as your seed.\n\nAn onlykey offers an encrypted backup feature that allows you to clone keys. So I register 1 and clone it both now work. Hardware passwords are nice too. The only downside is some services don't properly support FIDO auth, they scan to see if it is a yubikey and refuse to work with other brands.\n\nGoogle forced employees to go to hardware key 2fa years ago and it saved them a fortune because accounts accessed by social engineering attacks went to 0. It isn't a guarantee, but limiting unauthorized access to wrench attacks really cuts down the number of successful attacks. \n\nI'd be willing to DM for use case details but I don't want to layout a roadmap publicly of how I secure all my accounts.\n\nTLDR, this is a big jump in preventing hackers from accessing your accounts and I highly recommend you get 2 and use them. ",
"sig": "eaec509c9f6a996978edcd400dd3f0e7b7425994876cf42876ab8eacaa995bc49f73f14ed77d04ff804c10ba8ddb15de1548c0b407840f39f9c6b654d8e1b644"
}
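The exchange the post describes (private key generated on the device and never exported, server holding only the public key, every login a fresh challenge signed on the key, a second key registered as the backup) can be modelled end to end in a few dozen lines. The program below is an added example, not code from the post, from Nostr or from any key vendor. The type and function names (`Authenticator`, `RelyingParty`, `Login`, `assertionDigest`) are hypothetical; it assumes ES256 (ECDSA over P-256), WebAuthn's default algorithm, and a simplified digest of relying-party id, challenge and signature counter instead of the real authenticatorData plus clientDataJSON hash. The counter check is WebAuthn's optional clone-detection mechanism: a relying party that enforces it will reject a duplicate of a key whose counter has fallen behind the one the server last saw, which is worth knowing before relying on a cloned backup.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for a FIDO security key (hypothetical model, not a
// device driver): the key pair is generated on the device and only the public
// key and signatures over challenges ever leave it.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32 // signature counter, incremented on every assertion
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // ES256 (assumed)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// PublicKey is the only thing sent to the server at registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign answers a login challenge on the device. The relying-party id is bound
// into the signed data, so an assertion for one site cannot be replayed at another.
func (a *Authenticator) Sign(rpID string, challenge []byte) (sig []byte, counter uint32, err error) {
	a.counter++
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, assertionDigest(rpID, challenge, a.counter))
	return sig, a.counter, err
}

// assertionDigest is the simplified data both sides hash: rpID || challenge || counter.
func assertionDigest(rpID string, challenge []byte, counter uint32) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	h.Write([]byte{byte(counter >> 24), byte(counter >> 16), byte(counter >> 8), byte(counter)})
	return h.Sum(nil)
}

type credential struct {
	pub     *ecdsa.PublicKey
	counter uint32 // highest counter the server has seen for this key
}

// RelyingParty is the server side. It stores only public keys and one-time
// challenges, so neither a database dump nor a leaked password yields anything
// that can produce a valid assertion.
type RelyingParty struct {
	ID      string
	creds   map[string][]*credential // user -> every registered key (primary, backup, ...)
	pending map[string]bool          // outstanding challenges, keyed by raw bytes
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, creds: map[string][]*credential{}, pending: map[string]bool{}}
}

// Register adds a key for the user; a second call registers the backup key.
func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) {
	rp.creds[user] = append(rp.creds[user], &credential{pub: pub})
}

// Challenge issues a fresh random nonce that may be consumed exactly once.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[string(c)] = true
	return c, nil
}

// Authenticate accepts the assertion if the challenge is outstanding and any key
// registered for the user signed it with a counter above the last one seen.
func (rp *RelyingParty) Authenticate(user string, challenge, sig []byte, counter uint32) error {
	if !rp.pending[string(challenge)] {
		return errors.New("unknown or already used challenge")
	}
	delete(rp.pending, string(challenge)) // a challenge is good for one attempt only
	digest := assertionDigest(rp.ID, challenge, counter)
	for _, c := range rp.creds[user] {
		if !ecdsa.VerifyASN1(c.pub, digest, sig) {
			continue
		}
		if counter <= c.counter {
			return errors.New("signature counter did not advance: possible cloned key")
		}
		c.counter = counter
		return nil
	}
	return errors.New("no key registered for this user signed the challenge")
}

// Login runs one full challenge/response exchange for a user holding auth.
func Login(rp *RelyingParty, user string, auth *Authenticator) error {
	ch, err := rp.Challenge()
	if err != nil {
		return err
	}
	sig, ctr, err := auth.Sign(rp.ID, ch)
	if err != nil {
		return err
	}
	return rp.Authenticate(user, ch, sig, ctr)
}

func main() {
	rp := NewRelyingParty("example.com")
	primary, _ := NewAuthenticator()
	backup, _ := NewAuthenticator()
	rp.Register("bill", primary.PublicKey())
	rp.Register("bill", backup.PublicKey())
	fmt.Println("primary key:", Login(rp, "bill", primary))
	fmt.Println("backup key (primary lost):", Login(rp, "bill", backup))
	stranger, _ := NewAuthenticator() // has the password, not the key
	fmt.Println("attacker's own key:", Login(rp, "bill", stranger))
}
```

Run it and the first two logins return `<nil>` while the stranger's attempt fails, because nothing the server stores or the attacker can steal over the network lets them sign a challenge with a registered key. The `pending` map is what turns each challenge into a one-time value; without it a captured assertion could be replayed.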