I use my YubiKey as a second factor for my KeePass password management.
“YubiKeys have a PIN” Not that I know of. I never enter a set of digits to use my HMAC-SHA Challenge Response.
“If you can log in with just the second factor, it is a bad design.” Fully agree!
“if you run apps from untrusted sources. Some exfiltration vectors are…” Agree.
“A program on PC can” Anything on my PC could steal my password to log into KeePass as I type it in. And could read the memory and password as sent to applications etc.
If your system is compromised then you’re screwed. So back to my point: is being a “certified U2F security key” really needed? If it’s lost, stolen, or the system you’re using it on is compromised, you’re screwed anyway.
When I am out on the road with just my cell phone and I need to log into, say, Google, and I’ve got my Google Authenticator app with its new 6-digit number every 30 seconds on my phone along with a stored 15-character random password (as I can’t remember it), is logging in on my phone really a 2nd factor, when that device has both my password and the authenticator app on it? I don’t think so. So I moved my authenticator app off of my phone and used the authenticator app on my Flipper. Now I feel I am more secure, because I must have both devices to gain access to my account.
Even though the Flipper is not Fort Knox security, it can still provide increased security in some ways.
Anyway, back to the original need: it would be nice if someone could make an app to perform HMAC-SHA Challenge Response on the Flipper.