popularswaroopsam31 posted Nov 30, 2025 05:31 AM

Yubikey 5C NFC (2 Pack) $69.99

$70

$100

30% off
Best Buy
23 Comments 7,280 Views
Deal Details
Free pickup and free shipping. Single is available from $38.50.

https://www.bestbuy.com/product/y...CLXCPZHZT8

Community Voting

Deal Score
+31

mrmochi
Nov 30, 2025 06:35 AM
4,943 Posts
Joined Dec 2005
Bought 2 5C's for $96.49 from yubikey with 20% off student code months ago. Wish I had waited. I will say they feel pretty useless though.
LavenderPickle7682
Nov 30, 2025 09:24 AM
3,837 Posts
Joined Sep 2019

Quote from mrmochi :
Bought 2 5C's for $96.49 from yubikey with 20% off student code months ago. Wish I had waited. I will say they feel pretty useless though.
Most of this hardware security is kinda useless.

Exception #1: If you're a business using it to access your intranet/private network, absolutely useful.

Exception #2: You deal with large amounts of money through banking/investment organizations who support hardware keys.

Most normal consumers: You'll make your life miserable trying to implement this.

There are VERY precious few consumer sites which allow hardware tokens like this -- and most of them don't even allow two of them for redundancy! This means all your eggs are in one basket. And if you break/lose that singular key, your life will become a nightmare for the next two weeks as you jump through endless hoops to prove your identity....if you even can recover the account.

--------

Here's something I've said elsewhere, and I'll repeat here.

--------

For 90-99% of people, they'll be mostly fine if they do these password best practices:

-General Approach-

--> Be thoughtful. Use NOTHING immediately guessable to your online "persona", geography, age, school, real name, etc.

--> Reuse nothing between services. This is called compartmentalization - so that if anything gets compromised, it minimizes any fallout.

--> Randomization and obfuscation are your friends. No one can guess what you are doing if you don't know what you're doing.

--> Trust no one. Treat everything as if it's a hostile actor...every email, every text, every phone call, every website. It's not paranoia -- they really are out there to get you.

--> Speaking of hostile actors -- the official ones are the worst. Orwell's 1984 apparently was an instruction manual. Police, Customs, etc will enthusiastically take your device and image it. Don't use biometrics -- have a 6+ character passphrase locking every device. Assume that your physical device (and any accounts/details on them) are completely compromised once the mobile is confiscated from your possession -- TRASH IT. Use a "burner" device and accounts when you travel just for this potential situation. Many businesses mandate this when traveling to hostile countries like China, Russia, or the United States.

--> Adopt an allow-list mentality, blocking everything else until absolutely PROVEN BEYOND A DOUBT to be safe. And even then, assume they don't care about keeping your data private.

-Specific Actions-

1. Use a password manager for:
- strong, unique, randomized passwords
- randomizing security questions and their answers
- usernames - no username should be used twice
- use different, randomly generated email addresses for each service (and the same for secondary recovery emails) -- especially for important categories like: medical, banking, investments, insurance, etc. And segregate those from your personal email, retail mailing lists, online shopping, etc.

--> Bitwarden is free. 1Password is a popular paid option. They have free trials. Just give them both a whirl.

--> Make a calendar entry to check your accounts every 30-90 days, as some services may time-out inactive accounts.

2. Use a form of 2FA whenever available, such as emailed one-time-code or authenticator application like Authy/Google Authenticator/Microsoft Authenticator.

--> SMS is the worst method to use -- I'd avoid it since mobiles are an easy target for theft and spoofing. SMS ties you to a singular device, and single points of failure are the bane of security.

--> Furthermore, using mobile as a "pass key" is becoming the newest hot fad...let me know how that works out when you drop your phone or leave it behind somewhere or have it stolen when traveling. Recovering from that is almost as bad as recovering from a lost singular Yubikey.

--> At least with software authenticators, you can install them on multiple devices (primary phone, backup mobile, tablets, etc). Those $30 Tracfone deals from HSN and QVC? Buy one of them and don't even bother to activate them on a mobile network -- use them as a mobileOS wifi-only device.

3. Only access critical/essential services from a single, secure location (home), on a secure desktop/laptop, on a known secure WIRED network. Bonus points if you have a separate computer just for accessing these services -- one that isn't used daily as a general machine. All of this greatly reduces your exposed attack surface.

--> Yes. That means taking your medical and banking information OFF your mobile phone. You know, that fragile dainty device that sometimes has glass on BOTH sides, that's often 5+ feet above the ground, and is a hot target for thieves. You don't NEED those accounts on the go. So don't take them with you. Mobile is inherently insecure due to its very nature -- so don't put anything on it that you wouldn't want a random stranger finding.

--> Being dependent on Mobile Networks can be even a further risk. It neglects the fact that not everyone has ready access to mobile technology -- that could be due to cost or network coverage (rural areas or foreign travel). And you can have a hiccup in your mobile provider -- which locks you out of everything tied to it. It's an authentication method that's dependent on many things, including your ability to continually pay money every month. And some places refuse to cooperate with VOIP (Google Voice) or pre-paid cellular options (Tracfone, SimplyMobile, Cricket, etc). Mobile is great while it works properly...until it doesn't, then it becomes an unmitigated nightmare. Don't tie any authentication to mobile unless you have a backup unit in safe place -- assume mobile can be stolen/lost at any time. (it's like a house key. keep one on your keyring, and another stored in a hidden safe place on your property. make sure it still works from time to time.)

4. STOP visiting unknown sites/scanning QR codes/using free wifi/opening attachments in emails. It's like licking random bathroom surfaces. Eww.

5. Use a popular advert blocker, such as uBlock Origin. So many adverts contain malicious payloads -- even a few of the three-letter US government security/investigative agencies openly recommend using advert blockers as a standard practice. It's not theft, it's not piracy -- it's called protecting yourself in a hostile world.

--> Some people use other tools like script blockers or network-based advert blockers like the PiHole. They are good tools, but a bit harder to implement and even more so to troubleshoot if there's a hiccup or a false-positive blocking. UBlock Origin is an easy-to-install browser plugin that's ridiculously effective and rather easy to manage/turn off + on. It covers 99% of issues and is simple to use...take the easy win. Expand with other tools later if you need more. You probably won't.

------

For anyone who says "woah, that's way too much" -- dude, you're on a thread talking about using a $50+ USB hardware token for secure access to internet sites. You should be ALREADY doing the above things in addition to the Yubikey, if that product appeals to you.

------

edit: no idea why the downvotes. none of this was written to be disrespectful. anyone care to comment as to why?
Oil_Burner
Nov 30, 2025 01:29 PM
1,127 Posts
Joined May 2018
Quote from LavenderPickle7682 :
Most of this hardware security is kinda useless.

Exception: If you're a business using it to access your intranet/private network, absolutely useful.

Most normal consumers: You'll make your life miserable trying to implement this. The VERY precious few places that allow hardware tokens like this don't even allow two of them! Which means all your eggs are in one basket. And if you break that singular key, your life will become a nightmare for the next two weeks as you jump through endless hoops to prove your identity. If you even can recover the account.

--------

Here's something I've said elsewhere, and I'll repeat here.

--------

For 90-99% of people, they'll be mostly fine if they do these things:

--> Be thoughtful. Use NOTHING immediately guessable to your online "persona", geography, age, school, real name, etc.

--> Reuse nothing between services. This is called compartmentalization - so that if anything gets compromised, it minimizes any fallout.

--> Randomization and obfuscation are your friends. No one can guess what you are doing if you don't know what you're doing.

--> Trust no one. Treat everything as if it's a hostile actor...every email, every text, every phone call, every website. It's not paranoia -- they really are out there to get you.

--> Speaking of hostile actors -- the official ones are the worst. Orwell's 1984 apparently was an instruction manual. Police, Customs, etc will enthusiastically take your device and image it. Don't use biometrics -- have a 6+ character passphrase locking every device. Assume that your physical device (and any accounts/details on them) are completely compromised once the mobile is confiscated from your possession -- TRASH IT. Use a "burner" device when you travel just for this.

--> Adopt an allow-list mentality, blocking everything else until absolutely PROVEN BEYOND A DOUBT to be safe. And even then, assume they don't care about keeping your data private.

1. Use a password manager for:
- strong, unique, randomized passwords
- randomizing security questions and their answers
- usernames - no username should be used twice
- use different, randomly generated email addresses for each service (and the same for secondary recovery emails) -- especially for important categories like: medical, banking, investments, insurance, etc. And segregate those from your personal email, retail mailing lists, online shopping, etc.

--> Bitwarden is free. 1Password is a popular paid option.

--> Make a calendar entry to check each of these accounts between 30-90 days, as some services may time-out inactive accounts.

2. Use a form of 2FA whenever available, such as emailed one-time-code or authenticator application like Authy/Google Authenticator/Microsoft Authenticator.

--> SMS is the last ditch method -- avoid it since mobiles are a target for theft and spoofing. Using mobile as "pass key" is becoming the newest hot fad...let me know how that works out when you drop your phone or leave it behind somewhere or have it stolen when traveling. Recovering from that is almost as bad as recovering from a lost singular Yubikey.

--> At least with software authenticators, you can install them on multiple devices (primary phone, backup mobile, "I"-Pad, etc). Those $30 TrackPhone deals from HSN and QVC? Buy one of them and don't even bother to activate them on a mobile network -- use them as a mobileOS wifi-only device.

3. Only access critical/essential services from a single, secure location (home), on a secure desktop/laptop, on a known secure WIRED network. Bonus points if you have a separate computer just for accessing these services -- one that isn't used daily as a general machine. All of this greatly reduces your exposed attack surface.

--> Yes. That means taking your medical and banking information OFF your mobile phone. You know, that fragile dainty device that sometimes has glass on BOTH sides, that's often 5+ feet above the ground, and is a hot target for thieves. You don't NEED those accounts on the go. So don't take them with you. Mobile is inherently insecure due to its very nature -- so don't put anything on it that you wouldn't want a random stranger finding.

4. STOP visiting unknown sites/scanning QR codes/using free wifi/opening attachments in emails. It's like licking random bathroom surfaces. Eww.

5. Use a popular advert blocker, such as uBlock Origin. So many adverts contain malicious payloads -- even a few of the three-letter US government security/investigative agencies openly recommend using advert blockers as a standard practice. It's not theft, it's not piracy -- it's called protecting yourself in a hostile world.

For anyone who says "woah, that's way too much" -- dude, you're on a thread talking about using a $50+ USB hardware token for secure access to internet sites. You should be ALREADY doing the above things in addition to the Yubikey, if that product appeals to you.
Great write up and I understand where you're coming from! However, the bad actors are not after you. They go for the easy ones. I would not advise hardware security keys to anyone who tends to lose or misplace things, forgets, or is just clumsy around themselves.
captivater
Nov 30, 2025 01:35 PM
730 Posts
Joined Dec 2013
Quote from LavenderPickle7682 :
Most of this hardware security is kinda useless.

Exception #1: If you're a business using it to access your intranet/private network, absolutely useful.

Exception #2: You deal with large amounts of money through banking/investment organizations who support hardware keys.

Most normal consumers: You'll make your life miserable trying to implement this. The VERY precious few consumer places that allow hardware tokens like this don't even allow two of them! Which means all your eggs are in one basket. And if you break that singular key, your life will become a nightmare for the next two weeks as you jump through endless hoops to prove your identity. If you even can recover the account.

--------

Here's something I've said elsewhere, and I'll repeat here.

--------

For 90-99% of people, they'll be mostly fine if they do these things:

--> Be thoughtful. Use NOTHING immediately guessable to your online "persona", geography, age, school, real name, etc.

--> Reuse nothing between services. This is called compartmentalization - so that if anything gets compromised, it minimizes any fallout.

--> Randomization and obfuscation are your friends. No one can guess what you are doing if you don't know what you're doing.

--> Trust no one. Treat everything as if it's a hostile actor...every email, every text, every phone call, every website. It's not paranoia -- they really are out there to get you.

--> Speaking of hostile actors -- the official ones are the worst. Orwell's 1984 apparently was an instruction manual. Police, Customs, etc will enthusiastically take your device and image it. Don't use biometrics -- have a 6+ character passphrase locking every device. Assume that your physical device (and any accounts/details on them) are completely compromised once the mobile is confiscated from your possession -- TRASH IT. Use a "burner" device and accounts when you travel just for this potential situation. Many businesses mandate this when traveling to hostile countries like China, Russia, or the United States.

--> Adopt an allow-list mentality, blocking everything else until absolutely PROVEN BEYOND A DOUBT to be safe. And even then, assume they don't care about keeping your data private.

1. Use a password manager for:
- strong, unique, randomized passwords
- randomizing security questions and their answers
- usernames - no username should be used twice
- use different, randomly generated email addresses for each service (and the same for secondary recovery emails) -- especially for important categories like: medical, banking, investments, insurance, etc. And segregate those from your personal email, retail mailing lists, online shopping, etc.

--> Bitwarden is free. 1Password is a popular paid option.

--> Make a calendar entry to check each of these accounts between 30-90 days, as some services may time-out inactive accounts.

2. Use a form of 2FA whenever available, such as emailed one-time-code or authenticator application like Authy/Google Authenticator/Microsoft Authenticator.

--> SMS is the last ditch method -- avoid it since mobiles are a target for theft and spoofing. Using mobile as "pass key" is becoming the newest hot fad...let me know how that works out when you drop your phone or leave it behind somewhere or have it stolen when traveling. Recovering from that is almost as bad as recovering from a lost singular Yubikey.

--> At least with software authenticators, you can install them on multiple devices (primary phone, backup mobile, "I"-Pad, etc). Those $30 TrackPhone deals from HSN and QVC? Buy one of them and don't even bother to activate them on a mobile network -- use them as a mobileOS wifi-only device.

3. Only access critical/essential services from a single, secure location (home), on a secure desktop/laptop, on a known secure WIRED network. Bonus points if you have a separate computer just for accessing these services -- one that isn't used daily as a general machine. All of this greatly reduces your exposed attack surface.

--> Yes. That means taking your medical and banking information OFF your mobile phone. You know, that fragile dainty device that sometimes has glass on BOTH sides, that's often 5+ feet above the ground, and is a hot target for thieves. You don't NEED those accounts on the go. So don't take them with you. Mobile is inherently insecure due to its very nature -- so don't put anything on it that you wouldn't want a random stranger finding.

4. STOP visiting unknown sites/scanning QR codes/using free wifi/opening attachments in emails. It's like licking random bathroom surfaces. Eww.

5. Use a popular advert blocker, such as uBlock Origin. So many adverts contain malicious payloads -- even a few of the three-letter US government security/investigative agencies openly recommend using advert blockers as a standard practice. It's not theft, it's not piracy -- it's called protecting yourself in a hostile world.

For anyone who says "woah, that's way too much" -- dude, you're on a thread talking about using a $50+ USB hardware token for secure access to internet sites. You should be ALREADY doing the above things in addition to the Yubikey, if that product appeals to you.

------

edit: no idea why the downvotes. none of this was written to be disrespectful. anyone care to comment as to why?
Intricate post. But it relies on the premise that people practice adequate infosec. Reality is, most don't.

The use cases which prompted me to begin using keys: international travel & assisting my elderly family members with their accounts.

I encountered only one account which did not allow secondary verification methods: Apple.

It was either hw keys or other methods. In agreement with your position, I did not utilize the hw keys for the Apple accounts.
LavenderPickle7682
Nov 30, 2025 01:36 PM
3,837 Posts
Joined Sep 2019
Quote from Oil_Burner :
Great write up and I understand where you're coming from! However, the bad actors are not after you. They go for the easy ones. I would not advise hardware security keys to anyone who tends to lose or misplace things, forgets, or is just clumsy around themselves.
Bad actors are after everyone and anyone. If you don't think you're an easy mark....oh honey, you're considered an easy mark to someone. And even if they're wrong, they'll still try.
thunderriver
Nov 30, 2025 01:43 PM
155 Posts
Joined Feb 2011
They are nice if you want to carry the authenticator key with you physically, and not fully rely on software-based solutions. I personally don't think I will buy them again, as the older version of the key has a hardware firmware bug that the company refuses to supply a fix for or to replace existing keys out there. For "security" reasons, you are forced to pay for new keys if you care about the hardware firmware fix. I am not paying for their mistakes.
Sarisin48
Nov 30, 2025 02:21 PM
1,199 Posts
Joined Jun 2010
Quote from LavenderPickle7682 :
Most of this hardware security is kinda useless.

Exception #1: If you're a business using it to access your intranet/private network, absolutely useful.

Exception #2: You deal with large amounts of money through banking/investment organizations who support hardware keys.

Most normal consumers: You'll make your life miserable trying to implement this. The VERY precious few consumer places that allow hardware tokens like this don't even allow two of them! Which means all your eggs are in one basket. And if you break that singular key, your life will become a nightmare for the next two weeks as you jump through endless hoops to prove your identity. If you even can recover the account.

--------

Here's something I've said elsewhere, and I'll repeat here.

--------

For 90-99% of people, they'll be mostly fine if they do these things:

--> Be thoughtful. Use NOTHING immediately guessable to your online "persona", geography, age, school, real name, etc.

--> Reuse nothing between services. This is called compartmentalization - so that if anything gets compromised, it minimizes any fallout.

--> Randomization and obfuscation are your friends. No one can guess what you are doing if you don't know what you're doing.

--> Trust no one. Treat everything as if it's a hostile actor...every email, every text, every phone call, every website. It's not paranoia -- they really are out there to get you.

--> Speaking of hostile actors -- the official ones are the worst. Orwell's 1984 apparently was an instruction manual. Police, Customs, etc will enthusiastically take your device and image it. Don't use biometrics -- have a 6+ character passphrase locking every device. Assume that your physical device (and any accounts/details on them) are completely compromised once the mobile is confiscated from your possession -- TRASH IT. Use a "burner" device and accounts when you travel just for this potential situation. Many businesses mandate this when traveling to hostile countries like China, Russia, or the United States.

--> Adopt an allow-list mentality, blocking everything else until absolutely PROVEN BEYOND A DOUBT to be safe. And even then, assume they don't care about keeping your data private.

1. Use a password manager for:
- strong, unique, randomized passwords
- randomizing security questions and their answers
- usernames - no username should be used twice
- use different, randomly generated email addresses for each service (and the same for secondary recovery emails) -- especially for important categories like: medical, banking, investments, insurance, etc. And segregate those from your personal email, retail mailing lists, online shopping, etc.

--> Bitwarden is free. 1Password is a popular paid option.

--> Make a calendar entry to check each of these accounts between 30-90 days, as some services may time-out inactive accounts.

2. Use a form of 2FA whenever available, such as emailed one-time-code or authenticator application like Authy/Google Authenticator/Microsoft Authenticator.

--> SMS is the last ditch method -- avoid it since mobiles are a target for theft and spoofing. Using mobile as "pass key" is becoming the newest hot fad...let me know how that works out when you drop your phone or leave it behind somewhere or have it stolen when traveling. Recovering from that is almost as bad as recovering from a lost singular Yubikey.

--> At least with software authenticators, you can install them on multiple devices (primary phone, backup mobile, "I"-Pad, etc). Those $30 TrackPhone deals from HSN and QVC? Buy one of them and don't even bother to activate them on a mobile network -- use them as a mobileOS wifi-only device.

3. Only access critical/essential services from a single, secure location (home), on a secure desktop/laptop, on a known secure WIRED network. Bonus points if you have a separate computer just for accessing these services -- one that isn't used daily as a general machine. All of this greatly reduces your exposed attack surface.

--> Yes. That means taking your medical and banking information OFF your mobile phone. You know, that fragile dainty device that sometimes has glass on BOTH sides, that's often 5+ feet above the ground, and is a hot target for thieves. You don't NEED those accounts on the go. So don't take them with you. Mobile is inherently insecure due to its very nature -- so don't put anything on it that you wouldn't want a random stranger finding.

4. STOP visiting unknown sites/scanning QR codes/using free wifi/opening attachments in emails. It's like licking random bathroom surfaces. Eww.

5. Use a popular advert blocker, such as uBlock Origin. So many adverts contain malicious payloads -- even a few of the three-letter US government security/investigative agencies openly recommend using advert blockers as a standard practice. It's not theft, it's not piracy -- it's called protecting yourself in a hostile world.

For anyone who says "woah, that's way too much" -- dude, you're on a thread talking about using a $50+ USB hardware token for secure access to internet sites. You should be ALREADY doing the above things in addition to the Yubikey, if that product appeals to you.

------

edit: no idea why the downvotes. none of this was written to be disrespectful. anyone care to comment as to why?
Thank you for the write up. I actually tried using the Yubikeys and it didn't work for me. As a senior it is difficult to keep up with the evolving tech world and what to do to protect yourself. I switched to Bitwarden and try to do the best I can with conscious decisions on security. Your post was very helpful for me and I am copying, pasting and printing it out if you don't mind.

dfw6000
Nov 30, 2025 02:26 PM
42 Posts
Joined Jan 2014
While I understand the dilemma around using security keys, worth mentioning that 1 packs of this are also available on Amazon for $38.50 (one time coupon)
dealsgame
Nov 30, 2025 03:46 PM
159 Posts
Joined Jun 2019
On Amazon Key C NFC for $29 https://a.co/d/hBbmOSn
Vasto
Nov 30, 2025 06:21 PM
131 Posts
Joined Mar 2010
I have 6 Yubikeys of various generations and styles. If you aren't managing GPG keys, they have limited usefulness compared to Passkeys. I've stopped enrolling them on websites these days.
SKV4m
Nov 30, 2025 06:36 PM
5,302 Posts
Joined Mar 2013
Oh dang I've been scanning all the qrcodes using all the free wifi never change passwords
MusicShark
Nov 30, 2025 06:38 PM
7,513 Posts
Joined Nov 2010
Quote from LavenderPickle7682 :
Most of this hardware security is kinda useless.

Exception #1: If you're a business using it to access your intranet/private network, absolutely useful.

Exception #2: You deal with large amounts of money through banking/investment organizations who support hardware keys.

Most normal consumers: You'll make your life miserable trying to implement this. The VERY precious few consumer places that allow hardware tokens like this don't even allow two of them! Which means all your eggs are in one basket. And if you break that singular key, your life will become a nightmare for the next two weeks as you jump through endless hoops to prove your identity. If you even can recover the account.

--------

Here's something I've said elsewhere, and I'll repeat here.

--------

For 90-99% of people, they'll be mostly fine if they do these things:

--> Be thoughtful. Use NOTHING immediately guessable to your online "persona", geography, age, school, real name, etc.

--> Reuse nothing between services. This is called compartmentalization - so that if anything gets compromised, it minimizes any fallout.

--> Randomization and obfuscation are your friends. No one can guess what you are doing if you don't know what you're doing.

--> Trust no one. Treat everything as if it's a hostile actor...every email, every text, every phone call, every website. It's not paranoia -- they really are out there to get you.

--> Speaking of hostile actors -- the official ones are the worst. Orwell's 1984 apparently was an instruction manual. Police, Customs, etc will enthusiastically take your device and image it. Don't use biometrics -- have a 6+ character passphrase locking every device. Assume that your physical device (and any accounts/details on them) are completely compromised once the mobile is confiscated from your possession -- TRASH IT. Use a "burner" device and accounts when you travel just for this potential situation. Many businesses mandate this when traveling to hostile countries like China, Russia, or the United States.

--> Adopt an allow-list mentality, blocking everything else until absolutely PROVEN BEYOND A DOUBT to be safe. And even then, assume they don't care about keeping your data private.

1. Use a password manager for:
- strong, unique, randomized passwords
- randomizing security questions and their answers
- usernames - no username should be used twice
- use different, randomly generated email addresses for each service (and the same for secondary recovery emails) -- especially for important categories like: medical, banking, investments, insurance, etc. And segregate those from your personal email, retail mailing lists, online shopping, etc.

--> Bitwarden is free. 1Password is a popular paid option.

--> Make a calendar entry to check each of these accounts between 30-90 days, as some services may time-out inactive accounts.

2. Use a form of 2FA whenever available, such as emailed one-time-code or authenticator application like Authy/Google Authenticator/Microsoft Authenticator.

--> SMS is the last ditch method -- avoid it since mobiles are a target for theft and spoofing. Using mobile as "pass key" is becoming the newest hot fad...let me know how that works out when you drop your phone or leave it behind somewhere or have it stolen when traveling. Recovering from that is almost as bad as recovering from a lost singular Yubikey.

--> At least with software authenticators, you can install them on multiple devices (primary phone, backup mobile, "I"-Pad, etc). Those $30 TrackPhone deals from HSN and QVC? Buy one of them and don't even bother to activate them on a mobile network -- use them as a mobileOS wifi-only device.

3. Only access critical/essential services from a single, secure location (home), on a secure desktop/laptop, on a known secure WIRED network. Bonus points if you have a separate computer just for accessing these services -- one that isn't used daily as a general machine. All of this greatly reduces your exposed attack surface.

--> Yes. That means taking your medical and banking information OFF your mobile phone. You know, that fragile dainty device that sometimes has glass on BOTH sides, that's often 5+ feet above the ground, and is a hot target for thieves. You don't NEED those accounts on the go. So don't take them with you. Mobile is inherently insecure due to its very nature -- so don't put anything on it that you wouldn't want a random stranger finding.

4. STOP visiting unknown sites/scanning QR codes/using free wifi/opening attachments in emails. It's like licking random bathroom surfaces. Eww.

5. Use a popular advert blocker, such as uBlock Origin. So many adverts contain malicious payloads -- even a few of the three-letter US government security/investigative agencies openly recommend using advert blockers as a standard practice. It's not theft, it's not piracy -- it's called protecting yourself in a hostile world.

For anyone who says "woah, that's way too much" -- dude, you're on a thread talking about using a $50+ USB hardware token for secure access to internet sites. You should be ALREADY doing the above things in addition to the Yubikey, if that product appeals to you.

------

edit: no idea why the downvotes. none of this was written to be disrespectful. anyone care to comment as to why?
Wow....
cscamp20
Nov 30, 2025 07:12 PM
5,122 Posts
Joined Sep 2012
This should be at least between $20 to $25 to be a slickdeal.
Timless
Nov 30, 2025 07:20 PM
2,783 Posts
Joined May 2018
Quote from Sarisin48 :
Thank you for the write up. I actually tried using the Yubikeys and it didn't work for me. As a senior it is difficult to keep up with the evolving tech world and what to do to protect yourself. I switched to Bitwarden and try to do the best I can with conscious decisions on security. Your post was very helpful for me and I am copying, pasting and printing it out if you don't mind.
you can use one of these to access bitwarden.
probably a good idea, since you've stored so much important info in bitwarden.

Oil_Burner
Nov 30, 2025 07:21 PM
1,127 Posts
Joined May 2018
Quote from LavenderPickle7682 :
Bad actors are after everyone and anyone. If you don't think you're an easy mark....oh honey, you're considered an easy mark to someone. And even if they're wrong, they'll still try.
I am only worried about most of the GenZ and the senior citizens, they are the most hard hit.
