Apologies if this is the wrong place to ask, but I’m struggling to find good info (or perhaps to understand the info I’ve been reading).
From what I understand, Yubikey seems to be market-leader, very popular and secure. However, then shipping cost for a single yubikey to my country (from official website) is $75usd which kinda blows my mind.
So I’ve been looking into Solokey as the shipping cost for that is about $5usd.
The main info I’m finding about Solokey security is basically people/articles repeating the same thing. Solokey = open source = more secure.
I stumbled on a reddit comment comparing yubikey with solokey in one aspect… updates.
Yubikey firmware cannot be updated, SoloKey can.
According to this guy, it can be considered quite a weakness of Solokey as a compromised system could potential read/update firmware:
> Solokey is a Level1 fido device, meaning it is safe from general malware, but not an OS compromise. This also means if you plug a solokey into a compromised device, your solokey could become compromised. Yubikey is a Level3 fido device which means it’s not only impervious to OS compromise, but supposedly someone having direct access to the hardware. Yubikey is actually designed that attempting to access the data physically is a combination of impossible or self-destructing.
> Of course a device that cannot be tampered with also cannot be upgraded, which is why no firmware upgrades. And because the yubkey is also resistant to physical alterations to “look inside”, this means they are pretty much impossible to debug. This is why they are no longer opensource. The only tools in the market that allow you to design transistors and debug them without access to them are closed source with NDAs. Can’t have you cake and eat it to. You either get a closed source Level3 security or sub-Level3 than is possibly opensource.
> Personally, I want my security device to do one thing and one thing only, security. Not really concerned about having a miniature raspberry pi.
Is this commenter accurate on what he’s saying? Is there a legitimate concern with Solokey security?
I’m hoping there’s people here that have the technical knowledge to understand the security pros/cons between different Hardware Keys.
Also, if anyone knows good in-depth technical security reviews on hardware keys I’d hugely appreciate if you could send me a link.
I feel what I’ve found so far has just been marketing blurbs and opinions without technical backing.
Thanks for any advice, tips or knowledge sharing :)