Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

It's not about the hardware. In spite of the fact that they can nominally be broken into, most modern USB microcontrollers can easily implement being a security key.

The expense is that the security world hasn't converged on anything remotely approaching a single standard. So, a key has to support ... PGP, OpenSSH, FIDO, FIDO2, U2F ...

For example, you couldn't use some of the older YubiKeys with AWS because AWS only supported time-based TOTP.

That's a LOT of software work, and you can't be "Startup Sloppy" with your code or someone will break it.



The PGP thing is wildly different than the other applications in that it is a complete airgapped system on a key. The decryption and signing is actually done on key so the private key isn't exposed. PGP is pretty much the only thing that does this and as a result can be held up as an example of where we do in fact have a unique standard.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: