From 242494948efc73d6232dd7aa3b4c61918b8aeebc Mon Sep 17 00:00:00 2001
From: Dickson
Date: Sun, 15 Mar 2026 22:43:43 -0400
Subject: [PATCH 01/16] Add hardware security key guide
---
.../hardware-security-keys.mdx | 147 ++++++++++++++++++
.../pages/guides/account-management/index.mdx | 1 +
.../guides/account-management/overview.mdx | 7 +
vocs.config.tsx | 1 +
4 files changed, 156 insertions(+)
create mode 100644 docs/pages/guides/account-management/hardware-security-keys.mdx
diff --git a/docs/pages/guides/account-management/hardware-security-keys.mdx b/docs/pages/guides/account-management/hardware-security-keys.mdx
new file mode 100644
index 00000000..a31327e0
--- /dev/null
+++ b/docs/pages/guides/account-management/hardware-security-keys.mdx
@@ -0,0 +1,147 @@
+---
+title: "YubiKeys and Hardware Security Keys | Security Alliance"
+description: "Protect critical accounts with YubiKeys and other FIDO2/WebAuthn security keys: enroll backup keys, disable SMS fallback, store recovery codes safely, and plan account recovery."
+tags:
+ - Security Specialist
+contributors:
+ - role: wrote
+ users: [dickson]
+---
+
+import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../../components'
+
+
+
+
+# YubiKeys and Hardware Security Keys
+
+
+
+
+## Summary
+
+> 🔑 **Key Takeaway for YubiKeys and Hardware Security Keys:** Use FIDO2/WebAuthn security keys such as
+> YubiKeys on high-value accounts, register at least two keys per critical account, disable SMS fallback where
+> possible, and test recovery before you need it.
+
+Hardware security keys are one of the strongest practical defenses against phishing, credential stuffing, and
+SIM-swap-based account takeovers. They are especially valuable for email, source control, registrars, cloud platforms,
+social accounts, and any admin or financial account that could be used to pivot into the rest of your organization.
+
+This page is intentionally narrow: it focuses on using physical security keys to protect accounts, not on broader
+identity architecture or device management.
+
+### YubiKey-Specific Notes
+
+YubiKeys are a common choice because they support several different modes. For most readers, the default priority
+should be:
+
+1. **FIDO2 / WebAuthn security keys or passkeys stored on the key**
+2. **OATH TOTP on the key** only when the service does not support phishing-resistant options
+
+If you are buying new keys, choose models that match your devices. USB-C is the simplest default for modern laptops,
+while NFC is useful if you expect to authenticate on phones. Buy directly from a reputable seller and verify the setup
+prompt carefully so you do not accidentally register a weaker fallback method instead of the hardware key itself.
+
+---
+
+## For Individuals
+
+These steps apply to personal and work accounts that support FIDO2/WebAuthn security keys or passkeys stored on a
+hardware key.
+
+### Setup Checklist
+
+- [ ] Buy at least **two** security keys from a reputable vendor such as Yubico
+- [ ] Prefer keys that match your device mix:
+ - USB-C for modern laptops and phones
+ - NFC if you regularly authenticate on mobile
+- [ ] Label one key **Primary** and the other **Backup**
+- [ ] Register both keys on every critical account that supports them:
+ - Primary email
+ - GitHub and code hosting
+ - Registrar and DNS providers
+ - Cloud and deployment platforms
+ - Banking, custody, or treasury accounts
+ - Social and communication accounts
+- [ ] Where offered, prefer:
+ - **Security key**
+ - **Passkey on hardware key**
+ - Other phishing-resistant WebAuthn/FIDO2 options
+- [ ] Disable **SMS** as a recovery or second-factor method wherever the service allows it
+- [ ] Save provider-issued backup or recovery codes offline
+- [ ] Test both the primary and backup key after enrollment
+
+### Practical Use
+
+- Keep the **Primary** key with you for normal logins
+- Store the **Backup** key in a separate secure location, not in the same bag or drawer
+- Maintain a short note in your password manager listing which critical accounts have which keys enrolled
+- If a service allows multiple authentication methods, avoid leaving weaker fallback paths enabled unless they are
+ operationally necessary
+- Replace lost or damaged keys immediately and re-test the remaining enrolled key
+
+### Recovery Discipline
+
+- Do not wait until you lose a key to learn how account recovery works
+- Verify that your recovery path does not depend on a phone number if you are trying to reduce SIM-swap risk
+- If an account only supports app-based MFA or SMS, record that exception clearly and prioritize moving the account to
+ a stronger provider or stronger configuration when possible
+
+---
+
+## For Team Members
+
+These guidelines apply to staff using security keys on shared work accounts or privileged individual accounts.
+
+Team members should:
+
+- Register hardware keys on their own high-risk work accounts
+- Never share a physical key between multiple people
+- Keep backup keys physically separate from daily-use devices
+- Re-enroll a replacement key immediately if one is lost, stolen, or damaged
+- Report any forced downgrade to SMS or weaker MFA to the relevant administrator
+
+---
+
+## For Admins
+
+These settings and practices apply to administrators responsible for protecting important organization accounts.
+
+### Program Checklist
+
+- [ ] Require phishing-resistant MFA for high-privilege accounts wherever the platform supports it
+- [ ] Require at least **two** registered security keys for every admin account
+- [ ] Standardize on a small set of supported key types so setup and recovery stay simple
+- [ ] Document which accounts require hardware keys and review that list regularly
+- [ ] Document a recovery process that does not rely on SMS for privileged accounts
+- [ ] Remove old or unrecognized security keys during periodic access reviews
+- [ ] Revoke lost keys promptly and confirm a replacement key is enrolled
+
+### Operational Notes
+
+- Hardware keys reduce phishing risk, but they do not replace strong passwords, session review, or app permission
+ reviews
+- For especially sensitive accounts, store backup keys with separate physical controls so one theft or travel
+ incident does not remove both factors at once
+- When a platform supports passkeys, confirm whether the passkey is being stored on a hardware key or synced software
+ ecosystem before treating it as equivalent
+
+---
+
+## Related Guides
+
+- [GitHub Security](/guides/account-management/github)
+- [Linear
Security](/guides/account-management/linear) +- [Twitter/X Security](/guides/account-management/twitter) +- [GoDaddy Security](/guides/account-management/godaddy) + +## Further Reading + +- [Yubico: YubiKey Authenticator](https://www.yubico.com/products/yubico-authenticator/) +- [Opsek YubiKeys Cheatsheet](https://github.com/Opsek/Yubikeys-cheatsheet) + +--- + + + diff --git a/docs/pages/guides/account-management/index.mdx b/docs/pages/guides/account-management/index.mdx index fc24b196..60f4ea7e 100644 --- a/docs/pages/guides/account-management/index.mdx +++ b/docs/pages/guides/account-management/index.mdx @@ -12,6 +12,7 @@ title: "Account Management" ## Pages - [Account Management](/guides/account-management/overview) +- [YubiKeys and Hardware Security Keys](/guides/account-management/hardware-security-keys) - [Discord Security](/guides/account-management/discord) - [GitHub Security](/guides/account-management/github) - [GoDaddy Security](/guides/account-management/godaddy) diff --git a/docs/pages/guides/account-management/overview.mdx b/docs/pages/guides/account-management/overview.mdx index 0e422a97..74d0daf4 100644 --- a/docs/pages/guides/account-management/overview.mdx +++ b/docs/pages/guides/account-management/overview.mdx @@ -21,6 +21,13 @@ import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } fr This section contains practical, step-by-step guides that help you implement security best practices across various platforms and tools. Each guide provides actionable instructions you can follow to secure your operations. +## Foundational Account Protection + +Guidance that applies across many platforms before you get into tool-specific settings. + +- [**YubiKeys and Hardware Security Keys**](/guides/account-management/hardware-security-keys) - Practical guidance + for using YubiKeys and other security keys to harden critical accounts + ## Communication Platforms Guides for securing your communication and community platforms. 
diff --git a/vocs.config.tsx b/vocs.config.tsx index 0c7d129e..aee460f8 100644 --- a/vocs.config.tsx +++ b/vocs.config.tsx @@ -513,6 +513,7 @@ const config = { collapsed: true, items: [ { text: 'Overview', link: '/guides/account-management/overview' }, + { text: 'YubiKeys and Hardware Security Keys', link: '/guides/account-management/hardware-security-keys' }, { text: 'Discord Security', link: '/guides/account-management/discord' }, { text: 'GitHub Security', link: '/guides/account-management/github' }, { text: 'GoDaddy Security', link: '/guides/account-management/godaddy' }, From 6ad10f5bf0e471c80539d462f9682d145e03340d Mon Sep 17 00:00:00 2001 From: Dickson Date: Sun, 15 Mar 2026 23:43:34 -0400 Subject: [PATCH 02/16] Credit Opsek authors on YubiKey guide --- docs/pages/guides/account-management/hardware-security-keys.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/pages/guides/account-management/hardware-security-keys.mdx b/docs/pages/guides/account-management/hardware-security-keys.mdx index a31327e0..c7dcf7b5 100644 --- a/docs/pages/guides/account-management/hardware-security-keys.mdx +++ b/docs/pages/guides/account-management/hardware-security-keys.mdx @@ -5,7 +5,7 @@ tags: - Security Specialist contributors: - role: wrote - users: [dickson] + users: [dickson, louis, pablo] --- import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../../components' From 4ae7df048ab116371d8f927b3a1128e88595d789 Mon Sep 17 00:00:00 2001 From: Dickson Date: Fri, 20 Mar 2026 23:11:08 -0400 Subject: [PATCH 03/16] Remove decorative separators from hardware security keys guide --- .../account-management/hardware-security-keys.mdx | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/docs/pages/guides/account-management/hardware-security-keys.mdx b/docs/pages/guides/account-management/hardware-security-keys.mdx index c7dcf7b5..2b4064a0 100644 --- a/docs/pages/guides/account-management/hardware-security-keys.mdx 
+++ b/docs/pages/guides/account-management/hardware-security-keys.mdx @@ -42,9 +42,6 @@ should be: If you are buying new keys, choose models that match your devices. USB-C is the simplest default for modern laptops, while NFC is useful if you expect to authenticate on phones. Buy directly from a reputable seller and verify the setup prompt carefully so you do not accidentally register a weaker fallback method instead of the hardware key itself. - ---- - ## For Individuals These steps apply to personal and work accounts that support FIDO2/WebAuthn security keys or passkeys stored on a @@ -101,9 +98,6 @@ Team members should: - Keep backup keys physically separate from daily-use devices - Re-enroll a replacement key immediately if one is lost, stolen, or damaged - Report any forced downgrade to SMS or weaker MFA to the relevant administrator - ---- - ## For Admins These settings and practices apply to administrators responsible for protecting important organization accounts. @@ -126,9 +120,6 @@ These settings and practices apply to administrators responsible for protecting incident does not remove both factors at once - When a platform supports passkeys, confirm whether the passkey is being stored on a hardware key or synced software ecosystem before treating it as equivalent - ---- - ## Related Guides - [GitHub Security](/guides/account-management/github) @@ -140,8 +131,5 @@ These settings and practices apply to administrators responsible for protecting - [Yubico: YubiKey Authenticator](https://www.yubico.com/products/yubico-authenticator/) - [Opsek YubiKeys Cheatsheet](https://github.com/Opsek/Yubikeys-cheatsheet) - ---- - From d2df0cd2f86f229432a3dc0315c579ca955a2ca7 Mon Sep 17 00:00:00 2001 From: Dickson Date: Fri, 20 Mar 2026 23:28:11 -0400 Subject: [PATCH 04/16] Fix lint in hardware security keys guide --- .../guides/account-management/hardware-security-keys.mdx | 6 ++++-- wordlist.txt | 3 ++- 2 files changed, 6 insertions(+), 3 deletions(-) 
diff --git a/docs/pages/guides/account-management/hardware-security-keys.mdx b/docs/pages/guides/account-management/hardware-security-keys.mdx index 2b4064a0..1ded5f7d 100644 --- a/docs/pages/guides/account-management/hardware-security-keys.mdx +++ b/docs/pages/guides/account-management/hardware-security-keys.mdx @@ -42,6 +42,7 @@ should be: If you are buying new keys, choose models that match your devices. USB-C is the simplest default for modern laptops, while NFC is useful if you expect to authenticate on phones. Buy directly from a reputable seller and verify the setup prompt carefully so you do not accidentally register a weaker fallback method instead of the hardware key itself. + ## For Individuals These steps apply to personal and work accounts that support FIDO2/WebAuthn security keys or passkeys stored on a @@ -85,8 +86,6 @@ hardware key. - If an account only supports app-based MFA or SMS, record that exception clearly and prioritize moving the account to a stronger provider or stronger configuration when possible ---- - ## For Team Members These guidelines apply to staff using security keys on shared work accounts or privileged individual accounts. @@ -98,6 +97,7 @@ Team members should: - Keep backup keys physically separate from daily-use devices - Re-enroll a replacement key immediately if one is lost, stolen, or damaged - Report any forced downgrade to SMS or weaker MFA to the relevant administrator + ## For Admins These settings and practices apply to administrators responsible for protecting important organization accounts. @@ -120,6 +120,7 @@ These settings and practices apply to administrators responsible for protecting incident does not remove both factors at once - When a platform supports passkeys, confirm whether the passkey is being stored on a hardware key or synced software ecosystem before treating it as equivalent + ## Related Guides - [GitHub Security](/guides/account-management/github) 
@@ -131,5 +132,6 @@ These settings and practices apply to administrators responsible for protecting - [Yubico: YubiKey Authenticator](https://www.yubico.com/products/yubico-authenticator/) - [Opsek YubiKeys Cheatsheet](https://github.com/Opsek/Yubikeys-cheatsheet) + diff --git a/wordlist.txt b/wordlist.txt index 71349ab7..ea7cffd2 100644 --- a/wordlist.txt +++ b/wordlist.txt @@ -332,4 +332,5 @@ SSDF SLSA pids Kata -rootfs \ No newline at end of file +rootfs +Opsek From edb724884e082b0a879a2b36c90d77758c800f25 Mon Sep 17 00:00:00 2001 From: Dickson Date: Fri, 20 Mar 2026 23:55:43 -0400 Subject: [PATCH 05/16] Tighten hardware security keys guide --- .../hardware-security-keys.mdx | 70 ++----------------- 1 file changed, 7 insertions(+), 63 deletions(-) diff --git a/docs/pages/guides/account-management/hardware-security-keys.mdx b/docs/pages/guides/account-management/hardware-security-keys.mdx index 1ded5f7d..a4b2a085 100644 --- a/docs/pages/guides/account-management/hardware-security-keys.mdx +++ b/docs/pages/guides/account-management/hardware-security-keys.mdx @@ -1,6 +1,6 @@ --- -title: "YubiKeys and Hardware Security Keys | Security Alliance" -description: "Protect critical accounts with YubiKeys and other FIDO2/WebAuthn security keys: enroll backup keys, disable SMS fallback, store recovery codes safely, and plan account recovery." +title: "Hardware Security Keys | Security Alliance" +description: "Protect critical accounts with FIDO2/WebAuthn security keys: enroll backup keys, disable SMS fallback, store recovery codes safely, and plan account recovery." tags: - Security Specialist contributors: 
@@ -13,36 +13,20 @@ import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } fr -# YubiKeys and Hardware Security Keys +# Hardware Security Keys ## Summary -> 🔑 **Key Takeaway for YubiKeys and Hardware Security Keys:** Use FIDO2/WebAuthn security keys such as -> YubiKeys on high-value accounts, register at least two keys per critical account, disable SMS fallback where -> possible, and test recovery before you need it. +> 🔑 **Key Takeaway for Hardware Security Keys:** Use FIDO2/WebAuthn security keys on high-value accounts, register +> at least two keys per critical account, disable SMS fallback where possible, and test recovery before you need it. Hardware security keys are one of the strongest practical defenses against phishing, credential stuffing, and SIM-swap-based account takeovers. They are especially valuable for email, source control, registrars, cloud platforms, social accounts, and any admin or financial account that could be used to pivot into the rest of your organization. -This page is intentionally narrow: it focuses on using physical security keys to protect accounts, not on broader -identity architecture or device management. - -### YubiKey-Specific Notes - -YubiKeys are a common choice because they support several different modes. For most readers, the default priority -should be: - -1. **FIDO2 / WebAuthn security keys or passkeys stored on the key** -2. **OATH TOTP on the key** only when the service does not support phishing-resistant options - -If you are buying new keys, choose models that match your devices. USB-C is the simplest default for modern laptops, -while NFC is useful if you expect to authenticate on phones. Buy directly from a reputable seller and verify the setup -prompt carefully so you do not accidentally register a weaker fallback method instead of the hardware key itself. - ## For Individuals These steps apply to personal and work accounts that support FIDO2/WebAuthn security keys or passkeys stored on a 
@@ -82,52 +66,12 @@ hardware key. ### Recovery Discipline - Do not wait until you lose a key to learn how account recovery works +- If you lose your only key and do not have a second enrolled key or a usable recovery path, you can lock yourself out + of critical accounts at the moment you most need them - Verify that your recovery path does not depend on a phone number if you are trying to reduce SIM-swap risk - If an account only supports app-based MFA or SMS, record that exception clearly and prioritize moving the account to a stronger provider or stronger configuration when possible -## For Team Members - -These guidelines apply to staff using security keys on shared work accounts or privileged individual accounts. - -Team members should: - -- Register hardware keys on their own high-risk work accounts -- Never share a physical key between multiple people -- Keep backup keys physically separate from daily-use devices -- Re-enroll a replacement key immediately if one is lost, stolen, or damaged -- Report any forced downgrade to SMS or weaker MFA to the relevant administrator - -## For Admins - -These settings and practices apply to administrators responsible for protecting important organization accounts. 
- -### Program Checklist - -- [ ] Require phishing-resistant MFA for high-privilege accounts wherever the platform supports it -- [ ] Require at least **two** registered security keys for every admin account -- [ ] Standardize on a small set of supported key types so setup and recovery stay simple -- [ ] Document which accounts require hardware keys and review that list regularly -- [ ] Document a recovery process that does not rely on SMS for privileged accounts -- [ ] Remove old or unrecognized security keys during periodic access reviews -- [ ] Revoke lost keys promptly and confirm a replacement key is enrolled - -### Operational Notes - -- Hardware keys reduce phishing risk, but they do not replace strong passwords, session review, or app permission - reviews -- For especially sensitive accounts, store backup keys with separate physical controls so one theft or travel - incident does not remove both factors at once -- When a platform supports passkeys, confirm whether the passkey is being stored on a hardware key or synced software - ecosystem before treating it as equivalent - -## Related Guides - -- [GitHub Security](/guides/account-management/github) -- [Linear Security](/guides/account-management/linear) -- [Twitter/X Security](/guides/account-management/twitter) -- [GoDaddy Security](/guides/account-management/godaddy) - ## Further Reading - [Yubico: YubiKey Authenticator](https://www.yubico.com/products/yubico-authenticator/) From 3a37a1200d62899237bbb0aa109805d5b772a604 Mon Sep 17 00:00:00 2001 
From: Dickson Date: Sat, 21 Mar 2026 00:06:00 -0400 Subject: [PATCH 06/16] Move hardware security keys guide to endpoint security --- docs/pages/guides/account-management/index.mdx | 1 - docs/pages/guides/account-management/overview.mdx | 7 ------- .../hardware-security-keys.mdx | 0 docs/pages/guides/endpoint-security/index.mdx | 1 + vocs.config.tsx | 2 +- 5 files changed, 2 insertions(+), 9 deletions(-) rename docs/pages/guides/{account-management => endpoint-security}/hardware-security-keys.mdx (100%) diff --git a/docs/pages/guides/account-management/index.mdx b/docs/pages/guides/account-management/index.mdx index 60f4ea7e..fc24b196 100644 --- a/docs/pages/guides/account-management/index.mdx +++ b/docs/pages/guides/account-management/index.mdx @@ -12,7 +12,6 @@ title: "Account Management" ## Pages - [Account Management](/guides/account-management/overview) -- [YubiKeys and Hardware Security Keys](/guides/account-management/hardware-security-keys) - [Discord Security](/guides/account-management/discord) - [GitHub Security](/guides/account-management/github) - [GoDaddy Security](/guides/account-management/godaddy) diff --git a/docs/pages/guides/account-management/overview.mdx b/docs/pages/guides/account-management/overview.mdx index 74d0daf4..0e422a97 100644 --- a/docs/pages/guides/account-management/overview.mdx +++ b/docs/pages/guides/account-management/overview.mdx 
@@ -21,13 +21,6 @@ import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } fr This section contains practical, step-by-step guides that help you implement security best practices across various platforms and tools. Each guide provides actionable instructions you can follow to secure your operations. -## Foundational Account Protection - -Guidance that applies across many platforms before you get into tool-specific settings. - -- [**YubiKeys and Hardware Security Keys**](/guides/account-management/hardware-security-keys) - Practical guidance - for using YubiKeys and other security keys to harden critical accounts - ## Communication Platforms Guides for securing your communication and community platforms. diff --git a/docs/pages/guides/account-management/hardware-security-keys.mdx b/docs/pages/guides/endpoint-security/hardware-security-keys.mdx similarity index 100% rename from docs/pages/guides/account-management/hardware-security-keys.mdx rename to docs/pages/guides/endpoint-security/hardware-security-keys.mdx diff --git a/docs/pages/guides/endpoint-security/index.mdx b/docs/pages/guides/endpoint-security/index.mdx index f9f5eae7..5f4c85a5 100644 --- a/docs/pages/guides/endpoint-security/index.mdx +++ b/docs/pages/guides/endpoint-security/index.mdx @@ -11,4 +11,5 @@ title: "Endpoint Security" ## Pages +- [Hardware Security Keys](/guides/endpoint-security/hardware-security-keys) - [Zoom Hardening Guide](/guides/endpoint-security/zoom-hardening) diff --git a/vocs.config.tsx b/vocs.config.tsx index aee460f8..6fa7ce70 100644 --- a/vocs.config.tsx +++ b/vocs.config.tsx 
@@ -513,7 +513,6 @@ const config = { collapsed: true, items: [ { text: 'Overview', link: '/guides/account-management/overview' }, - { text: 'YubiKeys and Hardware Security Keys', link: '/guides/account-management/hardware-security-keys' }, { text: 'Discord Security', link: '/guides/account-management/discord' }, { text: 'GitHub Security', link: '/guides/account-management/github' }, { text: 'GoDaddy Security', link: '/guides/account-management/godaddy' }, @@ -534,6 +533,7 @@ const config = { text: 'Endpoint Security', collapsed: true, items: [ + { text: 'Hardware Security Keys', link: '/guides/endpoint-security/hardware-security-keys' }, { text: 'Zoom Hardening', link: '/guides/endpoint-security/zoom-hardening' }, ] }, From 3c6f40a2534e5c5fdf8bfa46a656bb26c360c723 Mon Sep 17 00:00:00 2001 From: Dickson Date: Sat, 21 Mar 2026 00:25:44 -0400 Subject: [PATCH 07/16] Tighten hardware keys guide metadata --- .../pages/guides/endpoint-security/hardware-security-keys.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/pages/guides/endpoint-security/hardware-security-keys.mdx b/docs/pages/guides/endpoint-security/hardware-security-keys.mdx index a4b2a085..3318842c 100644 --- a/docs/pages/guides/endpoint-security/hardware-security-keys.mdx +++ b/docs/pages/guides/endpoint-security/hardware-security-keys.mdx @@ -1,6 +1,6 @@ --- title: "Hardware Security Keys | Security Alliance" -description: "Protect critical accounts with FIDO2/WebAuthn security keys: enroll backup keys, disable SMS fallback, store recovery codes safely, and plan account recovery." +description: "Use hardware security keys on critical accounts, keep a backup enrolled, and avoid weak recovery paths." tags: - Security Specialist contributors: 
@@ -74,8 +74,8 @@ hardware key. ## Further Reading -- [Yubico: YubiKey Authenticator](https://www.yubico.com/products/yubico-authenticator/) - [Opsek YubiKeys Cheatsheet](https://github.com/Opsek/Yubikeys-cheatsheet) +- [Yubico: YubiKey Authenticator](https://www.yubico.com/products/yubico-authenticator/) From a795a06d77ee4c4f4557e39759467069282f3cc6 Mon Sep 17 00:00:00 2001 From: Dickson Wu <33645481+DicksonWu654@users.noreply.github.com> Date: Sat, 21 Mar 2026 00:32:11 -0400 Subject: [PATCH 08/16] Update hardware-security-keys.mdx --- docs/pages/guides/endpoint-security/hardware-security-keys.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/pages/guides/endpoint-security/hardware-security-keys.mdx b/docs/pages/guides/endpoint-security/hardware-security-keys.mdx index 3318842c..9b9aaa56 100644 --- a/docs/pages/guides/endpoint-security/hardware-security-keys.mdx +++ b/docs/pages/guides/endpoint-security/hardware-security-keys.mdx @@ -5,7 +5,7 @@ tags: - Security Specialist contributors: - role: wrote - users: [dickson, louis, pablo] + users: [pablo, louis, dickson] --- import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../../components' From d57f7d4224689d229013784b1ca6d539ee350a39 Mon Sep 17 00:00:00 2001 From: Dickson Wu <33645481+DicksonWu654@users.noreply.github.com> Date: Sat, 21 Mar 2026 00:32:56 -0400 Subject: [PATCH 09/16] Update hardware-security-keys.mdx --- docs/pages/guides/endpoint-security/hardware-security-keys.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/pages/guides/endpoint-security/hardware-security-keys.mdx b/docs/pages/guides/endpoint-security/hardware-security-keys.mdx index 9b9aaa56..48361b47 100644 --- a/docs/pages/guides/endpoint-security/hardware-security-keys.mdx +++ b/docs/pages/guides/endpoint-security/hardware-security-keys.mdx 
@@ -5,7 +5,7 @@ tags: - Security Specialist contributors: - role: wrote - users: [pablo, louis, dickson] + users: [louis, dickson] --- import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../../components' From 6f46f1c21907b692501f77a1446595415b8a20ff Mon Sep 17 00:00:00 2001 From: Dickson Date: Sun, 15 Mar 2026 22:43:43 -0400 Subject: [PATCH 10/16] Add hardware security key guide --- .../hardware-security-keys.mdx | 147 ++++++++++++++++++ .../pages/guides/account-management/index.mdx | 1 + .../guides/account-management/overview.mdx | 7 + vocs.config.tsx | 1 + 4 files changed, 156 insertions(+) create mode 100644 docs/pages/guides/account-management/hardware-security-keys.mdx diff --git a/docs/pages/guides/account-management/hardware-security-keys.mdx b/docs/pages/guides/account-management/hardware-security-keys.mdx new file mode 100644 index 00000000..a31327e0 --- /dev/null +++ b/docs/pages/guides/account-management/hardware-security-keys.mdx 
@@ -0,0 +1,147 @@ +--- +title: "YubiKeys and Hardware Security Keys | Security Alliance" +description: "Protect critical accounts with YubiKeys and other FIDO2/WebAuthn security keys: enroll backup keys, disable SMS fallback, store recovery codes safely, and plan account recovery." +tags: + - Security Specialist +contributors: + - role: wrote + users: [dickson] +--- + +import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../../components' + + + + +# YubiKeys and Hardware Security Keys + + + + +## Summary + +> 🔑 **Key Takeaway for YubiKeys and Hardware Security Keys:** Use FIDO2/WebAuthn security keys such as +> YubiKeys on high-value accounts, register at least two keys per critical account, disable SMS fallback where +> possible, and test recovery before you need it. + +Hardware security keys are one of the strongest practical defenses against phishing, credential stuffing, and +SIM-swap-based account takeovers. They are especially valuable for email, source control, registrars, cloud platforms, +social accounts, and any admin or financial account that could be used to pivot into the rest of your organization. + +This page is intentionally narrow: it focuses on using physical security keys to protect accounts, not on broader +identity architecture or device management. + +### YubiKey-Specific Notes + +YubiKeys are a common choice because they support several different modes. For most readers, the default priority +should be: + +1. **FIDO2 / WebAuthn security keys or passkeys stored on the key** +2. **OATH TOTP on the key** only when the service does not support phishing-resistant options + +If you are buying new keys, choose models that match your devices. USB-C is the simplest default for modern laptops, +while NFC is useful if you expect to authenticate on phones. 
Buy directly from a reputable seller and verify the setup +prompt carefully so you do not accidentally register a weaker fallback method instead of the hardware key itself. + +--- + +## For Individuals + +These steps apply to personal and work accounts that support FIDO2/WebAuthn security keys or passkeys stored on a +hardware key. + +### Setup Checklist + +- [ ] Buy at least **two** security keys from a reputable vendor such as Yubico +- [ ] Prefer keys that match your device mix: + - USB-C for modern laptops and phones + - NFC if you regularly authenticate on mobile +- [ ] Label one key **Primary** and the other **Backup** +- [ ] Register both keys on every critical account that supports them: + - Primary email + - GitHub and code hosting + - Registrar and DNS providers + - Cloud and deployment platforms + - Banking, custody, or treasury accounts + - Social and communication accounts +- [ ] Where offered, prefer: + - **Security key** + - **Passkey on hardware key** + - Other phishing-resistant WebAuthn/FIDO2 options +- [ ] Disable **SMS** as a recovery or second-factor method wherever the service allows it +- [ ] Save provider-issued backup or recovery codes offline +- [ ] Test both the primary and backup key after enrollment + +### Practical Use + +- Keep the **Primary** key with you for normal logins +- Store the **Backup** key in a separate secure location, not in the same bag or drawer +- Maintain a short note in your password manager listing which critical accounts have which keys enrolled +- If a service allows multiple authentication methods, avoid leaving weaker fallback paths enabled unless they are + operationally necessary +- Replace lost or damaged keys immediately and re-test the remaining enrolled key + +### Recovery Discipline + +- Do not wait until you lose a key to learn how account recovery works +- Verify that your recovery path does not depend on a phone number if you are trying to reduce SIM-swap risk +- If an account only supports app-based 
MFA or SMS, record that exception clearly and prioritize moving the account to + a stronger provider or stronger configuration when possible + +--- + +## For Team Members + +These guidelines apply to staff using security keys on shared work accounts or privileged individual accounts. + +Team members should: + +- Register hardware keys on their own high-risk work accounts +- Never share a physical key between multiple people +- Keep backup keys physically separate from daily-use devices +- Re-enroll a replacement key immediately if one is lost, stolen, or damaged +- Report any forced downgrade to SMS or weaker MFA to the relevant administrator + +--- + +## For Admins + +These settings and practices apply to administrators responsible for protecting important organization accounts. + +### Program Checklist + +- [ ] Require phishing-resistant MFA for high-privilege accounts wherever the platform supports it +- [ ] Require at least **two** registered security keys for every admin account +- [ ] Standardize on a small set of supported key types so setup and recovery stay simple +- [ ] Document which accounts require hardware keys and review that list regularly +- [ ] Document a recovery process that does not rely on SMS for privileged accounts +- [ ] Remove old or unrecognized security keys during periodic access reviews +- [ ] Revoke lost keys promptly and confirm a replacement key is enrolled + +### Operational Notes + +- Hardware keys reduce phishing risk, but they do not replace strong passwords, session review, or app permission + reviews +- For especially sensitive accounts, store backup keys with separate physical controls so one theft or travel + incident does not remove both factors at once +- When a platform supports passkeys, confirm whether the passkey is being stored on a hardware key or synced software + ecosystem before treating it as equivalent + +--- + +## Related Guides + +- [GitHub Security](/guides/account-management/github) +- [Linear 
Security](/guides/account-management/linear) +- [Twitter/X Security](/guides/account-management/twitter) +- [GoDaddy Security](/guides/account-management/godaddy) + +## Further Reading + +- [Yubico: YubiKey Authenticator](https://www.yubico.com/products/yubico-authenticator/) +- [Opsek YubiKeys Cheatsheet](https://github.com/Opsek/Yubikeys-cheatsheet) + +--- + + + diff --git a/docs/pages/guides/account-management/index.mdx b/docs/pages/guides/account-management/index.mdx index fc24b196..60f4ea7e 100644 --- a/docs/pages/guides/account-management/index.mdx +++ b/docs/pages/guides/account-management/index.mdx @@ -12,6 +12,7 @@ title: "Account Management" ## Pages - [Account Management](/guides/account-management/overview) +- [YubiKeys and Hardware Security Keys](/guides/account-management/hardware-security-keys) - [Discord Security](/guides/account-management/discord) - [GitHub Security](/guides/account-management/github) - [GoDaddy Security](/guides/account-management/godaddy) diff --git a/docs/pages/guides/account-management/overview.mdx b/docs/pages/guides/account-management/overview.mdx index 0e422a97..74d0daf4 100644 --- a/docs/pages/guides/account-management/overview.mdx +++ b/docs/pages/guides/account-management/overview.mdx @@ -21,6 +21,13 @@ import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } fr This section contains practical, step-by-step guides that help you implement security best practices across various platforms and tools. Each guide provides actionable instructions you can follow to secure your operations. +## Foundational Account Protection + +Guidance that applies across many platforms before you get into tool-specific settings. + +- [**YubiKeys and Hardware Security Keys**](/guides/account-management/hardware-security-keys) - Practical guidance + for using YubiKeys and other security keys to harden critical accounts + ## Communication Platforms Guides for securing your communication and community platforms. 
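Review bot: The Setup Checklist in the new hardware-security-keys.mdx prefers "Passkey on hardware key" but never tells the reader to set a FIDO2 PIN on the keys. Without one, a lost or stolen key may be usable with touch alone on services that do not require user verification. I would add an item before the enrollment step, for example `- [ ] Set a FIDO2 PIN on both keys before enrolling them`. A short caveat under Recovery Discipline would also help: a forgotten PIN typically forces a reset that erases the credentials on that key, which is one more reason to keep a second key enrolled.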
diff --git a/vocs.config.tsx b/vocs.config.tsx index 8f50b117..2d40c001 100644 --- a/vocs.config.tsx +++ b/vocs.config.tsx @@ -531,6 +531,7 @@ const config = { collapsed: true, items: [ { text: 'Overview', link: '/guides/account-management/overview' }, + { text: 'YubiKeys and Hardware Security Keys', link: '/guides/account-management/hardware-security-keys' }, { text: 'Discord Security', link: '/guides/account-management/discord' }, { text: 'GitHub Security', link: '/guides/account-management/github' }, { text: 'GoDaddy Security', link: '/guides/account-management/godaddy' }, From e4ff5a4d4afaf037bbc7dc3409be5c5e7cffac83 Mon Sep 17 00:00:00 2001 From: Dickson Date: Sun, 15 Mar 2026 23:43:34 -0400 Subject: [PATCH 11/16] Credit Opsek authors on YubiKey guide --- docs/pages/guides/account-management/hardware-security-keys.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/pages/guides/account-management/hardware-security-keys.mdx b/docs/pages/guides/account-management/hardware-security-keys.mdx index a31327e0..c7dcf7b5 100644 --- a/docs/pages/guides/account-management/hardware-security-keys.mdx +++ b/docs/pages/guides/account-management/hardware-security-keys.mdx @@ -5,7 +5,7 @@ tags: - Security Specialist contributors: - role: wrote - users: [dickson] + users: [dickson, louis, pablo] --- import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../../components' From 0639a3911255a2bee52c2296b98a005482b7ba82 Mon Sep 17 00:00:00 2001 From: Dickson Date: Fri, 20 Mar 2026 23:11:08 -0400 Subject: [PATCH 12/16] Remove decorative separators from hardware security keys guide --- .../account-management/hardware-security-keys.mdx | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/docs/pages/guides/account-management/hardware-security-keys.mdx b/docs/pages/guides/account-management/hardware-security-keys.mdx index c7dcf7b5..2b4064a0 100644 --- a/docs/pages/guides/account-management/hardware-security-keys.mdx 
+++ b/docs/pages/guides/account-management/hardware-security-keys.mdx @@ -42,9 +42,6 @@ should be: If you are buying new keys, choose models that match your devices. USB-C is the simplest default for modern laptops, while NFC is useful if you expect to authenticate on phones. Buy directly from a reputable seller and verify the setup prompt carefully so you do not accidentally register a weaker fallback method instead of the hardware key itself. - ---- - ## For Individuals These steps apply to personal and work accounts that support FIDO2/WebAuthn security keys or passkeys stored on a @@ -101,9 +98,6 @@ Team members should: - Keep backup keys physically separate from daily-use devices - Re-enroll a replacement key immediately if one is lost, stolen, or damaged - Report any forced downgrade to SMS or weaker MFA to the relevant administrator - ---- - ## For Admins These settings and practices apply to administrators responsible for protecting important organization accounts. @@ -126,9 +120,6 @@ These settings and practices apply to administrators responsible for protecting incident does not remove both factors at once - When a platform supports passkeys, confirm whether the passkey is being stored on a hardware key or synced software ecosystem before treating it as equivalent - ---- - ## Related Guides - [GitHub Security](/guides/account-management/github) @@ -140,8 +131,5 @@ These settings and practices apply to administrators responsible for protecting - [Yubico: YubiKey Authenticator](https://www.yubico.com/products/yubico-authenticator/) - [Opsek YubiKeys Cheatsheet](https://github.com/Opsek/Yubikeys-cheatsheet) - ---- - From 1a1d6175f9961b714f81ff1405ad076261d91137 Mon Sep 17 00:00:00 2001 From: Dickson Date: Fri, 20 Mar 2026 23:28:11 -0400 Subject: [PATCH 13/16] Fix lint in hardware security keys guide --- .../guides/account-management/hardware-security-keys.mdx | 6 ++++-- wordlist.txt | 1 + 2 files changed, 5 insertions(+), 2 deletions(-) 
diff --git a/docs/pages/guides/account-management/hardware-security-keys.mdx b/docs/pages/guides/account-management/hardware-security-keys.mdx index 2b4064a0..1ded5f7d 100644 --- a/docs/pages/guides/account-management/hardware-security-keys.mdx +++ b/docs/pages/guides/account-management/hardware-security-keys.mdx @@ -42,6 +42,7 @@ should be: If you are buying new keys, choose models that match your devices. USB-C is the simplest default for modern laptops, while NFC is useful if you expect to authenticate on phones. Buy directly from a reputable seller and verify the setup prompt carefully so you do not accidentally register a weaker fallback method instead of the hardware key itself. + ## For Individuals These steps apply to personal and work accounts that support FIDO2/WebAuthn security keys or passkeys stored on a @@ -85,8 +86,6 @@ hardware key. - If an account only supports app-based MFA or SMS, record that exception clearly and prioritize moving the account to a stronger provider or stronger configuration when possible ---- - ## For Team Members These guidelines apply to staff using security keys on shared work accounts or privileged individual accounts. @@ -98,6 +97,7 @@ Team members should: - Keep backup keys physically separate from daily-use devices - Re-enroll a replacement key immediately if one is lost, stolen, or damaged - Report any forced downgrade to SMS or weaker MFA to the relevant administrator + ## For Admins These settings and practices apply to administrators responsible for protecting important organization accounts. @@ -120,6 +120,7 @@ These settings and practices apply to administrators responsible for protecting incident does not remove both factors at once - When a platform supports passkeys, confirm whether the passkey is being stored on a hardware key or synced software ecosystem before treating it as equivalent + ## Related Guides - [GitHub Security](/guides/account-management/github) 
@@ -131,5 +132,6 @@ These settings and practices apply to administrators responsible for protecting - [Yubico: YubiKey Authenticator](https://www.yubico.com/products/yubico-authenticator/) - [Opsek YubiKeys Cheatsheet](https://github.com/Opsek/Yubikeys-cheatsheet) + diff --git a/wordlist.txt b/wordlist.txt index be285213..827fc322 100644 --- a/wordlist.txt +++ b/wordlist.txt @@ -337,3 +337,4 @@ rootfs GitHub GitLab GoDaddy +Opsek From a0c71f1ee8ec2b4783f4c9d1643c2f7d1a3035e5 Mon Sep 17 00:00:00 2001 From: Dickson Date: Fri, 20 Mar 2026 23:55:43 -0400 Subject: [PATCH 14/16] Tighten hardware security keys guide --- .../hardware-security-keys.mdx | 70 ++----------------- 1 file changed, 7 insertions(+), 63 deletions(-) diff --git a/docs/pages/guides/account-management/hardware-security-keys.mdx b/docs/pages/guides/account-management/hardware-security-keys.mdx index 1ded5f7d..a4b2a085 100644 --- a/docs/pages/guides/account-management/hardware-security-keys.mdx +++ b/docs/pages/guides/account-management/hardware-security-keys.mdx @@ -1,6 +1,6 @@ --- -title: "YubiKeys and Hardware Security Keys | Security Alliance" -description: "Protect critical accounts with YubiKeys and other FIDO2/WebAuthn security keys: enroll backup keys, disable SMS fallback, store recovery codes safely, and plan account recovery." +title: "Hardware Security Keys | Security Alliance" +description: "Protect critical accounts with FIDO2/WebAuthn security keys: enroll backup keys, disable SMS fallback, store recovery codes safely, and plan account recovery." tags: - Security Specialist contributors: 
@@ -13,36 +13,20 @@ import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } fr -# YubiKeys and Hardware Security Keys +# Hardware Security Keys ## Summary -> 🔑 **Key Takeaway for YubiKeys and Hardware Security Keys:** Use FIDO2/WebAuthn security keys such as -> YubiKeys on high-value accounts, register at least two keys per critical account, disable SMS fallback where -> possible, and test recovery before you need it. +> 🔑 **Key Takeaway for Hardware Security Keys:** Use FIDO2/WebAuthn security keys on high-value accounts, register +> at least two keys per critical account, disable SMS fallback where possible, and test recovery before you need it. Hardware security keys are one of the strongest practical defenses against phishing, credential stuffing, and SIM-swap-based account takeovers. They are especially valuable for email, source control, registrars, cloud platforms, social accounts, and any admin or financial account that could be used to pivot into the rest of your organization. -This page is intentionally narrow: it focuses on using physical security keys to protect accounts, not on broader -identity architecture or device management. - -### YubiKey-Specific Notes - -YubiKeys are a common choice because they support several different modes. For most readers, the default priority -should be: - -1. **FIDO2 / WebAuthn security keys or passkeys stored on the key** -2. **OATH TOTP on the key** only when the service does not support phishing-resistant options - -If you are buying new keys, choose models that match your devices. USB-C is the simplest default for modern laptops, -while NFC is useful if you expect to authenticate on phones. Buy directly from a reputable seller and verify the setup -prompt carefully so you do not accidentally register a weaker fallback method instead of the hardware key itself. - ## For Individuals These steps apply to personal and work accounts that support FIDO2/WebAuthn security keys or passkeys stored on a 
@@ -82,52 +66,12 @@ hardware key. ### Recovery Discipline - Do not wait until you lose a key to learn how account recovery works +- If you lose your only key and do not have a second enrolled key or a usable recovery path, you can lock yourself out + of critical accounts at the moment you most need them - Verify that your recovery path does not depend on a phone number if you are trying to reduce SIM-swap risk - If an account only supports app-based MFA or SMS, record that exception clearly and prioritize moving the account to a stronger provider or stronger configuration when possible -## For Team Members - -These guidelines apply to staff using security keys on shared work accounts or privileged individual accounts. - -Team members should: - -- Register hardware keys on their own high-risk work accounts -- Never share a physical key between multiple people -- Keep backup keys physically separate from daily-use devices -- Re-enroll a replacement key immediately if one is lost, stolen, or damaged -- Report any forced downgrade to SMS or weaker MFA to the relevant administrator - -## For Admins - -These settings and practices apply to administrators responsible for protecting important organization accounts. 
- -### Program Checklist - -- [ ] Require phishing-resistant MFA for high-privilege accounts wherever the platform supports it -- [ ] Require at least **two** registered security keys for every admin account -- [ ] Standardize on a small set of supported key types so setup and recovery stay simple -- [ ] Document which accounts require hardware keys and review that list regularly -- [ ] Document a recovery process that does not rely on SMS for privileged accounts -- [ ] Remove old or unrecognized security keys during periodic access reviews -- [ ] Revoke lost keys promptly and confirm a replacement key is enrolled - -### Operational Notes - -- Hardware keys reduce phishing risk, but they do not replace strong passwords, session review, or app permission - reviews -- For especially sensitive accounts, store backup keys with separate physical controls so one theft or travel - incident does not remove both factors at once -- When a platform supports passkeys, confirm whether the passkey is being stored on a hardware key or synced software - ecosystem before treating it as equivalent - -## Related Guides - -- [GitHub Security](/guides/account-management/github) -- [Linear Security](/guides/account-management/linear) -- [Twitter/X Security](/guides/account-management/twitter) -- [GoDaddy Security](/guides/account-management/godaddy) - ## Further Reading - [Yubico: YubiKey Authenticator](https://www.yubico.com/products/yubico-authenticator/) From 44503c002dbf6376c34d0e88321ee1a14e126e6c Mon Sep 17 00:00:00 2001 
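Review bot: Deleting the "For Admins" section in this hunk removes the guide's only instruction to revoke a lost key ("Revoke lost keys promptly and confirm a replacement key is enrolled"); the Practical Use bullet that remains says to replace a lost key but not to remove its registration from the accounts it was enrolled on. I would add to Recovery Discipline something like `- If a key is lost or stolen, remove it from every account it was enrolled on, then enroll and test a replacement`. The same deletion drops the caveat about checking whether a passkey is stored on the hardware key or in a synced software ecosystem; that sentence is worth keeping under "For Individuals", because the checklist still lists "Passkey on hardware key" as a preferred option. Practical Use and the Setup Checklist lie outside this hunk, so this assumes they are unchanged from the earlier patch in the series.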
From: Dickson Date: Sat, 21 Mar 2026 00:06:00 -0400 Subject: [PATCH 15/16] Move hardware security keys guide to endpoint security --- docs/pages/guides/account-management/index.mdx | 1 - docs/pages/guides/account-management/overview.mdx | 7 ------- .../hardware-security-keys.mdx | 0 docs/pages/guides/endpoint-security/index.mdx | 1 + vocs.config.tsx | 2 +- 5 files changed, 2 insertions(+), 9 deletions(-) rename docs/pages/guides/{account-management => endpoint-security}/hardware-security-keys.mdx (100%) diff --git a/docs/pages/guides/account-management/index.mdx b/docs/pages/guides/account-management/index.mdx index 60f4ea7e..fc24b196 100644 --- a/docs/pages/guides/account-management/index.mdx +++ b/docs/pages/guides/account-management/index.mdx @@ -12,7 +12,6 @@ title: "Account Management" ## Pages - [Account Management](/guides/account-management/overview) -- [YubiKeys and Hardware Security Keys](/guides/account-management/hardware-security-keys) - [Discord Security](/guides/account-management/discord) - [GitHub Security](/guides/account-management/github) - [GoDaddy Security](/guides/account-management/godaddy) diff --git a/docs/pages/guides/account-management/overview.mdx b/docs/pages/guides/account-management/overview.mdx index 74d0daf4..0e422a97 100644 --- a/docs/pages/guides/account-management/overview.mdx +++ b/docs/pages/guides/account-management/overview.mdx 
@@ -21,13 +21,6 @@ import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } fr This section contains practical, step-by-step guides that help you implement security best practices across various platforms and tools. Each guide provides actionable instructions you can follow to secure your operations. -## Foundational Account Protection - -Guidance that applies across many platforms before you get into tool-specific settings. - -- [**YubiKeys and Hardware Security Keys**](/guides/account-management/hardware-security-keys) - Practical guidance - for using YubiKeys and other security keys to harden critical accounts - ## Communication Platforms Guides for securing your communication and community platforms. diff --git a/docs/pages/guides/account-management/hardware-security-keys.mdx b/docs/pages/guides/endpoint-security/hardware-security-keys.mdx similarity index 100% rename from docs/pages/guides/account-management/hardware-security-keys.mdx rename to docs/pages/guides/endpoint-security/hardware-security-keys.mdx diff --git a/docs/pages/guides/endpoint-security/index.mdx b/docs/pages/guides/endpoint-security/index.mdx index f9f5eae7..5f4c85a5 100644 --- a/docs/pages/guides/endpoint-security/index.mdx +++ b/docs/pages/guides/endpoint-security/index.mdx @@ -11,4 +11,5 @@ title: "Endpoint Security" ## Pages +- [Hardware Security Keys](/guides/endpoint-security/hardware-security-keys) - [Zoom Hardening Guide](/guides/endpoint-security/zoom-hardening) diff --git a/vocs.config.tsx b/vocs.config.tsx index 2d40c001..edc6b7ed 100644 --- a/vocs.config.tsx +++ b/vocs.config.tsx 
@@ -531,7 +531,6 @@ const config = { collapsed: true, items: [ { text: 'Overview', link: '/guides/account-management/overview' }, - { text: 'YubiKeys and Hardware Security Keys', link: '/guides/account-management/hardware-security-keys' }, { text: 'Discord Security', link: '/guides/account-management/discord' }, { text: 'GitHub Security', link: '/guides/account-management/github' }, { text: 'GoDaddy Security', link: '/guides/account-management/godaddy' }, @@ -552,6 +551,7 @@ const config = { text: 'Endpoint Security', collapsed: true, items: [ + { text: 'Hardware Security Keys', link: '/guides/endpoint-security/hardware-security-keys' }, { text: 'Zoom Hardening', link: '/guides/endpoint-security/zoom-hardening' }, ] }, From 2dd604668f868b35a91217ddfc1b81d2cdf8f57c Mon Sep 17 00:00:00 2001 From: Dickson Date: Sat, 21 Mar 2026 00:25:44 -0400 Subject: [PATCH 16/16] Tighten hardware keys guide metadata --- .../pages/guides/endpoint-security/hardware-security-keys.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/pages/guides/endpoint-security/hardware-security-keys.mdx b/docs/pages/guides/endpoint-security/hardware-security-keys.mdx index a4b2a085..3318842c 100644 --- a/docs/pages/guides/endpoint-security/hardware-security-keys.mdx +++ b/docs/pages/guides/endpoint-security/hardware-security-keys.mdx @@ -1,6 +1,6 @@ --- title: "Hardware Security Keys | Security Alliance" -description: "Protect critical accounts with FIDO2/WebAuthn security keys: enroll backup keys, disable SMS fallback, store recovery codes safely, and plan account recovery." +description: "Use hardware security keys on critical accounts, keep a backup enrolled, and avoid weak recovery paths." tags: - Security Specialist contributors: 
@@ -74,8 +74,8 @@ hardware key. ## Further Reading -- [Yubico: YubiKey Authenticator](https://www.yubico.com/products/yubico-authenticator/) - [Opsek YubiKeys Cheatsheet](https://github.com/Opsek/Yubikeys-cheatsheet) +- [Yubico: YubiKey Authenticator](https://www.yubico.com/products/yubico-authenticator/)