The non-auditability of YubiKeys' design makes me a bit nervous.
@cwebber @benhamill The idea the researchers presented is that you hide smaller logic pieces not part of the schematics in inner layers of the design in such a way that the bigger components on the outer layers overshadow them, so you would not find them using x-rays.
My argument is that open schematics alone do not give you a sufficient root of trust; you would need to manufacture the board yourself or have it manufactured by someone you trust.
@elomatreb The main things I'm using my #YubiKey for right now are U2F and TOTP over NFC. AFAICT #OnlyKey's U2F support only works with Chrome, which I only use for work, and it doesn't have NFC at all, so while I supported the project and carry one on my keyring, I haven't ended up actually using it since memorizing the small number of #Diceware passphrases I won't use a software password manager for isn't that hard. Hoping it becomes more useful in the future.
@elomatreb The problem is that a physical token with secure PIN entry is best suited for single-factor zero-knowledge authentication. #OnlyKey could theoretically do both password and U2F or TOTP but again only with Chrome/Chromium, and of those only U2F helps with MITM. The browser's built-in password manager may well be the best MITM mitigation aside from U2F.
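Why U2F, and not a password or a TOTP code, survives a relaying attacker: the assertion is bound to the site. The browser, not the page, writes the origin into the signed client data, a conforming browser refuses to use another site's appID, and the token only signs for the appID a key handle was registered under. The following Go program is an added illustration, not code from this thread or from YubiKey or OnlyKey: a toy token and browser (ECDSA P-256 over the U2F signing layout appParam || user-presence || counter || sha256(clientData)), with the browser's facet check simplified to origin == appID, and the constructed origins https://login.example and https://login-example.evil as the legitimate and phishing sites.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Token is a toy U2F authenticator. Each key handle is bound at registration to the
// application parameter (SHA-256 of the appID) and the token refuses to sign for any other.
type Token struct {
	keys    map[string]*ecdsa.PrivateKey
	appOf   map[string][32]byte
	counter uint32
}

func NewToken() *Token {
	return &Token{keys: map[string]*ecdsa.PrivateKey{}, appOf: map[string][32]byte{}}
}

func (t *Token) Register(appID string) (string, *ecdsa.PublicKey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	handle := fmt.Sprintf("kh-%d", len(t.keys)) // toy key handle; real tokens wrap the key material
	t.keys[handle] = k
	t.appOf[handle] = sha256.Sum256([]byte(appID))
	return handle, &k.PublicKey, nil
}

func (t *Token) Sign(appParam [32]byte, handle string, cdHash [32]byte) (uint32, []byte, error) {
	k, ok := t.keys[handle]
	if !ok || t.appOf[handle] != appParam {
		return 0, nil, errors.New("token: key handle not registered for this appID")
	}
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, k, signedData(appParam, t.counter, cdHash))
	return t.counter, sig, err
}

// signedData builds the U2F authentication payload and hashes it for ECDSA.
func signedData(appParam [32]byte, counter uint32, cdHash [32]byte) []byte {
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	buf := append(append(append(append([]byte{}, appParam[:]...), 0x01), c[:]...), cdHash[:]...)
	h := sha256.Sum256(buf)
	return h[:]
}

type ClientData struct {
	Typ       string `json:"typ"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type Assertion struct {
	ClientDataJSON []byte
	Counter        uint32
	Sig            []byte
}

// Browser plays the U2F client: it writes the page's real origin into clientData and,
// when EnforceFacets is set, refuses an appID the page's origin may not use (simplified to equality).
type Browser struct {
	Token         *Token
	EnforceFacets bool
}

func (b *Browser) GetAssertion(pageOrigin, appID, handle, challenge string) (*Assertion, error) {
	if b.EnforceFacets && pageOrigin != appID {
		return nil, fmt.Errorf("browser: origin %s may not use appID %s", pageOrigin, appID)
	}
	cd, _ := json.Marshal(ClientData{Typ: "navigator.id.getAssertion", Challenge: challenge, Origin: pageOrigin})
	counter, sig, err := b.Token.Sign(sha256.Sum256([]byte(appID)), handle, sha256.Sum256(cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{ClientDataJSON: cd, Counter: counter, Sig: sig}, nil
}

// Verify plays the relying party: the signed origin and challenge must be its own.
func Verify(pub *ecdsa.PublicKey, appID, challenge string, a *Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Origin != appID {
		return fmt.Errorf("rp: assertion signed for origin %s, expected %s", cd.Origin, appID)
	}
	if cd.Challenge != challenge {
		return errors.New("rp: challenge mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedData(sha256.Sum256([]byte(appID)), a.Counter, sha256.Sum256(a.ClientDataJSON)), a.Sig) {
		return errors.New("rp: bad signature")
	}
	return nil
}

func login(b *Browser, pub *ecdsa.PublicKey, site, pageOrigin, handle, challenge string) error {
	a, err := b.GetAssertion(pageOrigin, site, handle, challenge)
	if err != nil {
		return err
	}
	return Verify(pub, site, challenge, a)
}

// Demo registers at the real site, then logs in from it and from a phishing page that relays
// the real site's challenge, once through a conforming browser and once through a lax one.
func Demo() (legit, phishStrict, phishLax error) {
	const site, evil = "https://login.example", "https://login-example.evil" // constructed origins
	tok := NewToken()
	handle, pub, err := tok.Register(site)
	if err != nil {
		return err, err, err
	}
	strict, lax := &Browser{Token: tok, EnforceFacets: true}, &Browser{Token: tok, EnforceFacets: false}
	legit = login(strict, pub, site, site, handle, "c1")
	phishStrict = login(strict, pub, site, evil, handle, "c2") // browser refuses the foreign appID
	phishLax = login(lax, pub, site, evil, handle, "c3")       // token signs, but origin in clientData is the phisher's
	return
}

func main() {
	legit, s, l := Demo()
	fmt.Println("legit:", legit, "| phish (strict browser):", s, "| phish (lax browser):", l)
}
```

The relaying attacker fails twice over: a conforming browser refuses to use the real site's appID from the phishing origin, and even a browser that skipped that check would hand the relying party an assertion whose signed origin names the phishing site. A relayed password or TOTP code carries no such binding, which is the point made above.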