Real world use case for NK

Hello everyone.

I bought NK3 keys because I thought I could raise my security level for online stores etc.
I thought there was an option on most web sites to accept the Nitrokey as a two-factor auth device. But so far I have not discovered much.
Only for www.github.com.
But there I need an application on a smartphone.
I don’t want to use my smartphone because for me the smartphone is the most insecure part of all my hardware.

So what are real world use cases for the key?
I mean for a “normally” skilled PC user, not a Linux command line expert.

For now, sites like Amazon and the other online stores or banks I use did not even know about this.

The idea of storing my GPG keys on the key is also nice but did not work on my Linux so far. That’s maybe only a temporary problem.

Thanks :slight_smile:
regards
T.

Hello my dear. There are plenty, but most do not state the “howto” correctly. Amazon allows the use of Nitrokey (I have used it for a long time). You have to have a password and then, once you have entered it, you use the Nitrokey to generate a one-time password.
Mailbox.org does provide support for Nitrokey, and also web.de and so on. You do not need to be a “command line junkie” but you have to “read the fucking manual”, and to be more precise “for every damn provider”, because everybody prepares their own, often complicated, soup. Often the use of Nitrokey is hidden behind the words “google authenticator”, which in the end only means they offer a one-time seed to be imported into the Nitrokey app, and you can then use it.
I do not know if the Nitrokey via NFC has a lot of usage now, apart from the fact that you can use your key to safely log into websites with your smartphone that do offer the service (once you have previously set it up).
Where Nitrokey does not yet work is e.g. Alibaba (not that I know of), and stupidly not even on websites that should offer it for security reasons like IBKR (yeah, they just discharge the damage on the user… so easy it is).
At least for Amazon the setup is straightforward.

So, it depends a lot on what websites you use, and it is up to you to stimulate the usage as a consumer, requesting it from your providers.

Currently most webshops do not offer OTP, nor FIDO, and all this can take a looong time.
Hope that helps a bit.
If you are German: use the NK with mailbox.org, web.de, freenet.de, Amazon; Galaxus offers it, Sipgate offers it. If you run a TrueNAS, you can set it up with the NK, so when you SSH into it you gain security.

Banks are currently very outdated and insecure.
A really funny case is the German “Bahn” (train provider). They are clients of Nitrokey and use it in their administration, but leave their users out in the rain using passwords only and do not give a ff about their users’ security. Says it all really.

1 Like

Not sure if you have updated your firmware?
I had this problem but it works well with the latest firmware.

I’ll try not to repeat the previous advice but build on it:

  1. As mentioned, make sure that your firmware is upgraded to v. 1.4 or higher. Instructions: Firmware Update - Nitrokey Documentation (sending the Windows instructions, but the process is similar for Mac OS & Linux). Features are being phased in, so update often.
  2. Nitrokey 3 - Nitrokey Documentation has other tutorials for use cases. Many tutorials for the “2-series” keys will also work on the NK3, assuming that the feature has been enabled. Yubico tutorials should also be adaptable to the Nitrokey, as they share many of the same protocols.
  3. Refer to the Fido2, Webauthn and U2F Supported Sites (Full List) for sites that support Webauthn. Most websites don’t implement it simply because so few people use security tokens.
  4. Phone support is, at best, super dodgy. I can get FIDO working over NFC on my Pixel, but other features (GPG, etc.) don’t work. This isn’t Nitrokey’s fault - most of the external security token apps have been abandoned in favour of OTP, QR Codes, SMS 2FA, etc. New apps probably won’t come along anytime soon because Google & Apple are implementing biometric Webauthn support, with all the security (not to mention legal) risks you identified.
  5. Any software that supports the PGPCard standard should recognise Nitrokeys. For example, Kleopatra can access my NK3 just fine. Once you update the firmware and make sure that udev is configured properly, it should work.
  6. For other NK3 features, GitHub - Nitrokey/nitrokey-app2 is in the works but has minimal features. Unfortunately, playing with the features still requires the CLI.
2 Likes

I’m curious if a good way to handle sites not supporting Nitrokey directly is to use a password manager, e.g. Two-step Login via FIDO2 WebAuthn | Bitwarden Help Center, which is unlocked by the Nitrokey.