I have a question about hardware security keys. Like a yubikey.
I have not actually used one before so maybe I am missing some critical information.
Aren’t they inherently less secure than a TOTP code?
If someone ( like a evil government ) gets your key and knows your password for a particular service or device, they can login.
If these same people try to login but it is secured with a TOTP code instead, they would need access to my phone, which requires a password to unlock and then biometric validation to open TOTP app.
I mean yeah, they could just beat me with a large wrench until I agreed to login for them, but that is true with any method.
I’ve heard that in the US, the 5th amendment protects you from being forced to divulge a password, but they can physically place your finger on the finger print scanner.
There are some hardware keys that have PINs, like OnlyKey, but you’re always going to have trade-offs (OnlyKey has some as well). You are correct that someone could steal the key and know your password, but the likelihood that someone could do both is likely low for most people, and if it’s high for you, you’re probably a state actor or big cybercriminal engaging in some crazy shit anyway.
The core tenets of good security are something you know and something you have. For example, my work uses an RFID badge and a personal code to get into the building. Neither works alone. If somebody steals my badge, they can’t get into the building without my access code. If somebody steals a database of access codes, they can’t get in without the badge that pairs with the code.
A TOTP is something you have, sure, but it’s only secure if someone is unable to extract the secret key (or the code at runtime, which is possible via screen-reading techniques); as long as it exists digitally, secrecy is not guaranteed, and the attack surface is larger—for any device connected to the internet—to have that key stolen.
A physical key is harder to steal over the internet, and an attacker would have to know you have one in the first place to even go about beginning to search for it (I don’t think a court could force you to divulge that you have one or where it is, since you have a right to remain silent, but I’m NAL).
Ultimately, there is no panacea of security, or else everybody would use that one thing. In the end, it comes down to your threat model and the kinds of attacks that are likely to be thrown at you.