"... the biggest advantage of FIDO2 security keys is that they are cheaper and more user-friendly."

Not wrong, but also overselling how user-friendly the new keys are.

Somewhat amusingly, the YubiKeys also support storing a GPG key. So, most of the old stuff still works with them.

Yeah, I use the GPG functionality for a lot of stuff: SSH keys, file encryption, my password manager (which is zx2c4's pass, basically using GPG file encryption). The software toolchain is anything but friendly indeed. On Android it's the easiest with OpenKeychain, but on Linux and Windows it's hard to get gpg running with CCID key support (USB smartcard, which is what the YubiKey emulates). It's also pretty buggy; gpg's scdaemon tends to crash a lot.

Technically I could move some of this stuff over to FIDO2. Like SSH logins. But I don't see the point until I can move all my use cases over, and older SSH servers don't support it, like the ones in my HP iLO boxes which I can't update. So I'd still have to keep 2 separate systems side by side, which isn't worth it.

So on I go, but yeah, it isn't for everyone. FIDO2 will make this a lot better. Eventually. Right now Firefox doesn't even support passwordless FIDO2 logins (CTAP2) on Linux or Mac, only on Windows... This really keeps me from implementing it because I use Firefox on FreeBSD and Linux. I really don't get why Mozilla doesn't prioritize this.

I haven't tried using the GPG mode on mobile, but I've had absolutely 0 issues with it on Linux. Just followed the Arch Wiki setup and this random guide I found: https://github.com/drduh/YubiKey-Guide. I use it daily to SSH into hosts and sign git commits.

On Windows, it's a bit more involved, of course, especially for SSH. I seem to remember that I did find at one point some hack which allowed SSH to use the GPG agent. Since I only rarely use Windows, I didn't care enough to test it through. Code signing seems to work well enough. Smart card emulation also works well enough, but it does seem to conflict with some other mode, either U2F or GPG, can't remember which. You have to un/replug the key to switch modes.

I am also quite... surprised at Firefox's apparent lack of priority for supporting CTAP2. I've seen there are long-open bugs, but not that much interest. My understanding is that on macOS and Windows, it delegates the user verification to the OS, and on Linux there isn't anything for that. FWIW, Chrome seems fine with implementing their own.