Editorial
Passkeys and hardware keys, what is the difference?
April 30, 2026
Editorial
Passkey
The word “passkey” started showing up in marketing material in 2023. By 2026 it is everywhere. Apple, Google, and Microsoft all market passkey support. Banks now offer passkeys. Password managers all sync them. Browsers prompt you to create a passkey on every login.
If you have been using hardware security keys for years, the marketing is confusing, because it talks about passkeys as if they are something new. They are not. Passkeys are a marketing name for a technology that has shipped in your hardware key since FIDO2 launched.
EUCLEAK and your Yubikey
April 30, 2026
Editorial
Yubico
Security
In September 2024, security researchers at NinjaLab disclosed EUCLEAK, a side channel attack against the Infineon ECDSA library running on the NXP A700x family of secure elements. That family of chips ships inside Yubico’s Yubikey 5 series, the Yubikey 5 FIPS series, the Security Key Series, and the Google Titan keys. Roughly speaking, every popular FIDO2 token built on that platform is in scope.
If you own a Yubikey, you probably saw the headlines and wondered if you needed to throw your key in the trash. The short answer is no. The longer answer is more interesting, and it is worth understanding so you can make a sensible decision about whether to replace your key.
Crypto wallets, smartphones, and other things that double as FIDO keys
April 30, 2026
Editorial
Passkey
The catalog focuses on dedicated FIDO security keys, the kind of small USB or NFC device whose only purpose in life is to be a hardware authenticator. There is a growing category of devices whose primary purpose is something else, but which can also act as a FIDO2 key. These are worth knowing about, both because they sometimes overlap with what you already own, and because their tradeoffs are different from a dedicated key.
Why cloning FIDO tokens is a bad idea
May 8, 2022
Editorial
I regularly see tech folks ask if it’s possible to clone Yubikeys either for malicious or backup purposes.
As an example of a comment I read on a popular news aggregator’s comment section:
Are there any FIDO security keys that explicitly support backing up and restoring their master secrets? I would love to move from Username + Password + TOTP but my current workflow requires that I am able to regain access to my digital accounts using nothing but a few page paper backup including core service passwords & exported TOTP secrets.
Hello, World!
September 18, 2021EditorialWelcome to the U2F Garden!
The goal of the U2F Garden is to provide a guide on the many and varied U2F tokens and keys out there in the world. There’s a lot of them out there and I wanted to make sure that there was a good guide on what keys support what features.
Where’d this all start?
This started when I wanted to make a small adjustment to my typical SSH configuration. Normally, I’d use the PKCS11 features in my Yubikey to support this stuff. That’s great, until you realize that a Yubikey is… Expensive. And there’s other USB PKCS11 tokens out there. And then OpenSSH went ahead and implemented a feature I’d wanted for some time: U2F support!