I have a question about hardware security keys. Like a yubikey.
I have not actually used one before so maybe I am missing some critical information.
Aren’t they inherently less secure than a TOTP code?
If someone ( like a evil government ) gets your key and knows your password for a particular service or device, they can login.
If these same people try to login but it is secured with a TOTP code instead, they would need access to my phone, which requires a password to unlock and then biometric validation to open TOTP app.
I mean yeah, they could just beat me with a large wrench until I agreed to login for them, but that is true with any method.
I’ve heard that in the US, the 5th amendment protects you from being forced to divulge a password, but they can physically place your finger on the finger print scanner.
They can be, depending on the types of threats you expect to face. If physical theft is an expected threat, then a hardware token runs the risk of being stolen and abused. For example, your attackers might just buy off cops to rob you and take your stuff. Having the physical device locked with a PIN/Passcode can mitigate this threat somewhat. But, that just becomes another password the attackers need to figure out.
On the other side of the coin, TOTP applications have started offering Cloud Backup options for accounts. What this demonstrates is that it’s possible to move those accounts between devices remotely. A hacked device means those codes may be exfiltrated to an attackers device and you will be none the wiser. Good security hygiene and device hardening can help mitigate these issues. But, it also means you need to a lot of trust in a lot of third parties. Also, you need to be unimportant enough for an attacker to not burn a 0-day on.
Ultimately, security is all about trade-offs. If you worry about physical security and don’t expect to face a threat which might compromise your phone, then a TOTP app might be a better option. If you are more worried about a hacked device being used to leak credentials, then a physical token may be a better choice. Each way you go has some ability to mitigate the risks. PIN for a physical token and device hardening for TOTP. But, neither is a silver bullet.
And, if your threat model includes someone willing and able to engage in rubber hose cryptanalysis, then you’re probably fucked anyway.
Ya, it’s a weird space that you cannot be legally forced to divulge a password, except in cases where the content of the drive is a “foregone conclusion” (as defined by the US Supreme Court). But, they can absolutely collect biometric markers (including forcing a fingerprint scan).