Add YubiKey and hardware security key guide #416
Open: DicksonWu654 wants to merge 9 commits into security-alliance:develop from DicksonWu654:codex/issue-405-hardware-security-keys (+85 −1)
Commits (9):
- 2424949 Add hardware security key guide (DicksonWu654)
- 6ad10f5 Credit Opsek authors on YubiKey guide (DicksonWu654)
- 4ae7df0 Remove decorative separators from hardware security keys guide (DicksonWu654)
- d2df0cd Fix lint in hardware security keys guide (DicksonWu654)
- edb7248 Tighten hardware security keys guide (DicksonWu654)
- 3a37a12 Move hardware security keys guide to endpoint security (DicksonWu654)
- 3c6f40a Tighten hardware keys guide metadata (DicksonWu654)
- a795a06 Update hardware-security-keys.mdx (DicksonWu654)
- d57f7d4 Update hardware-security-keys.mdx (DicksonWu654)
docs/pages/guides/endpoint-security/hardware-security-keys.mdx (81 changes: 81 additions & 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,81 @@ | ||
| --- | ||
| title: "Hardware Security Keys | Security Alliance" | ||
| description: "Use hardware security keys on critical accounts, keep a backup enrolled, and avoid weak recovery paths." | ||
| tags: | ||
| - Security Specialist | ||
| contributors: | ||
| - role: wrote | ||
| users: [louis, dickson] | ||
| --- | ||
|
|
||
| import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../../components' | ||
|
|
||
| <TagProvider> | ||
| <TagFilter /> | ||
|
|
||
| # Hardware Security Keys | ||
|
|
||
| <TagList tags={frontmatter.tags} /> | ||
| <AttributionList contributors={frontmatter.contributors} /> | ||
|
|
||
| ## Summary | ||
|
|
||
| > 🔑 **Key Takeaway for Hardware Security Keys:** Use FIDO2/WebAuthn security keys on high-value accounts, register | ||
| > at least two keys per critical account, disable SMS fallback where possible, and test recovery before you need it. | ||
|
|
||
| Hardware security keys are one of the strongest practical defenses against phishing, credential stuffing, and | ||
| SIM-swap-based account takeovers. They are especially valuable for email, source control, registrars, cloud platforms, | ||
| social accounts, and any admin or financial account that could be used to pivot into the rest of your organization. | ||
|
|
||
| ## For Individuals | ||
|
|
||
| These steps apply to personal and work accounts that support FIDO2/WebAuthn security keys or passkeys stored on a | ||
| hardware key. | ||
|
|
||
| ### Setup Checklist | ||
|
|
||
| - [ ] Buy at least **two** security keys from a reputable vendor such as Yubico | ||
| - [ ] Prefer keys that match your device mix: | ||
| - USB-C for modern laptops and phones | ||
| - NFC if you regularly authenticate on mobile | ||
| - [ ] Label one key **Primary** and the other **Backup** | ||
| - [ ] Register both keys on every critical account that supports them: | ||
| - Primary email | ||
| - GitHub and code hosting | ||
| - Registrar and DNS providers | ||
| - Cloud and deployment platforms | ||
| - Banking, custody, or treasury accounts | ||
| - Social and communication accounts | ||
| - [ ] Where offered, prefer: | ||
| - **Security key** | ||
| - **Passkey on hardware key** | ||
| - Other phishing-resistant WebAuthn/FIDO2 options | ||
| - [ ] Disable **SMS** as a recovery or second-factor method wherever the service allows it | ||
| - [ ] Save provider-issued backup or recovery codes offline | ||
| - [ ] Test both the primary and backup key after enrollment | ||
|
|
||
| ### Practical Use | ||
|
|
||
| - Keep the **Primary** key with you for normal logins | ||
| - Store the **Backup** key in a separate secure location, not in the same bag or drawer | ||
| - Maintain a short note in your password manager listing which critical accounts have which keys enrolled | ||
| - If a service allows multiple authentication methods, avoid leaving weaker fallback paths enabled unless they are | ||
| operationally necessary | ||
| - Replace lost or damaged keys immediately and re-test the remaining enrolled key | ||
|
|
||
| ### Recovery Discipline | ||
|
|
||
| - Do not wait until you lose a key to learn how account recovery works | ||
| - If you lose your only key and do not have a second enrolled key or a usable recovery path, you can lock yourself out | ||
| of critical accounts at the moment you most need them | ||
| - Verify that your recovery path does not depend on a phone number if you are trying to reduce SIM-swap risk | ||
| - If an account only supports app-based MFA or SMS, record that exception clearly and prioritize moving the account to | ||
| a stronger provider or stronger configuration when possible | ||
|
|
||
| ## Further Reading | ||
|
|
||
| - [Opsek YubiKeys Cheatsheet](https://github.com/Opsek/Yubikeys-cheatsheet) | ||
| - [Yubico: YubiKey Authenticator](https://www.yubico.com/products/yubico-authenticator/) | ||
|
|
||
| </TagProvider> | ||
| <ContributeFooter /> | ||
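Review bot: the Setup Checklist offers "Passkey on hardware key" as a preferred option, but no line in the hunk tells the reader that a passkey stored on the key is protected by a PIN set on the key itself, so a user following this list can enroll a passkey and then be stopped at first use by a PIN prompt they never configured; suggest a checklist item such as "Set a FIDO2 PIN on each key before enrolling passkeys" directly after "Label one key **Primary** and the other **Backup**". Two smaller points: "Test both the primary and backup key after enrollment" should be ordered before the Backup key is put in its separate location (Practical Use), and the Further Reading link text "Yubico: YubiKey Authenticator" does not match the product the URL points to, which is Yubico Authenticator.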
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -332,4 +332,5 @@ SSDF | |
| SLSA | ||
| pids | ||
| Kata | ||
| rootfs | ||
| rootfs | ||
| Opsek | ||
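Review bot: the file path for this hunk is missing from the rendered diff, so the page does not show which word list gains the "Opsek" entry; given commit d2df0cd "Fix lint in hardware security keys guide" and the new "Opsek YubiKeys Cheatsheet" link, it is presumably the project's spell-check allowlist, and the PR description should name the file. Pre-existing nit in the context lines: "rootfs" appears twice in a row.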