krypton-ios VS sekey

I used this when it was still Krypton [0], it worked very well, it just gives you a "Want to log in?" notification on your phone, but for almost anything imaginable (inc SSH). I don't see it used much though.

[0] https://krypt.co/

Using your SIM card for MFA when logging in to an SSH server (through paid API requests to a third party)

There are ways to use your phone's secure storage capabilities for key storage. I've dabbled with using Krypt.co [1] for this, though that's sadly been deprecated and will at some point be replaced by a paid-for cloud service from Akamai. I'm sure there are other options available as well.

A far superior method for SSH security would be a physical U2F key or even a smart card. It's also possible to set up TOTP as a second factor ([2], works with any TOTP solution, not just Google Authenticator). I don't see a need for this paid-for third party service unless you're already using their services for some kind of verification mechanism.

[1]: https://krypt.co/

[2]: https://github.com/google/google-authenticator-libpam

Krypton (https://krypt.co), now owned by Akamai (https://akamai.com/mfa) who removed one of the best features, IMO (SSH key on a phone...) does this to an extent... Akamai says it's FIDO2... have not used it in a while... It is free though until Akamai decides not to give it away...

Here's the announcement on the website of the FIDO alliance: https://fidoalliance.org/apple-google-and-microsoft-commit-t...

I hope this cross device system will be cross platform, but I wouldn't be surprised if you could only choose between macOS/iOS, Chrome/Chrome, or Edge/Edge sync.

Funnily enough, a system for signing web authentication requests from a mobile device is far from new: I've been using https://krypt.co/ for years (though it's on the long road of sunsetting right now) and I hope that will last long enough for the new cross device standard to replace it.

> For the purpose of login in with a private key, i would prefer some browser extension (or built in the browser) that generates a key from a seed (like a crypto wallet) and only does that. This doesn't exist at this point.

What about https://www.yubico.com/products/yubikey-5-overview/ or https://cloud.google.com/titan-security-key/ or https://krypt.co/ (before it was acquired, I still use it though) or any of it's equivalents?

NOTE: Sometimes, if you are using a key-manager like Krypt.co you will not have the typical .pub file to copy, in which case using ssh-copy-id -f option will force it to copy anything close to a public key and this works for me.

Krypton is a great little multi-factor authentication tool that stores your SSH and U2F keys on your phone and provides an SSH agent and a browser extension that send approval requests to your phone when those keys are invoked. Ie., you ssh into your server and a notification pops up on your phone asking you if it's okay. It also handily GPG-signs your Git commits.

Here's the URL, since finding it via search is hard: https://krypt.co/

check this https://krypt.co/

Trusting your HSM vendor is a requirement if you don't want your keys to be exportable, and there's much less risk in doing so compared to trusting Apple for other things like secure communications (iMessage is e2ee but doesn't tell you when your peer changes/adds keys and backups to iCloud by default).

Also, a lot of people who use Krypton don't know that SSH keys actually don't use the secure enclave because it doesn't support rsa or ed25519: https://github.com/kryptco/krypton-ios/issues/73#issuecommen...

> relaying auth requests to your phone for approval and storing secrets in the Secure Enclave

Like https://github.com/kryptco/kr [key stored in a [...] mobile app]?

Also, newer Macs have a Secure Enclave (supports 256-bit secp256r1 ECC keys):

https://github.com/maxgoedjen/secretive [storing and managing SSH keys in the Secure Enclave [...] or a Smart Card (such as a YubiKey)]

https://github.com/sekey/sekey [Use Touch ID / Secure Enclave for SSH Authentication!]

Similar to the recommendations to use a YubiKey/hardware token, SeKey on a Mac lets you use a key generated in the Secure Enclave in an unexportable form (https://github.com/sekey/sekey)