@AndrewMohawk

Frameworks PR Checklist

Added yubikey updates

@vercel

vercel bot commented Jan 6, 2025

The latest updates on your projects.

| Name | Status | Preview | Comments | Updated (UTC) |
| --- | --- | --- | --- | --- |
| frameworks | ✅ Ready (Inspect) | Visit Preview | 💬 Add feedback | Jan 6, 2025 9:56pm |

@tebayoso
Contributor

tebayoso commented Jan 6, 2025

@mattaereal we have to be careful with the assets as Vercel quotes the egress traffic, and we might find ourselves blasted in the next invoice.

@mattaereal
Collaborator

> @mattaereal we have to be careful with the assets as Vercel quotes the egress traffic, and we might find ourselves blasted in the next invoice.

noted.

@AndrewMohawk
Author

This is only a rough draft, something so I force myself to do it, should I just host the content elsewhere? @tebayoso @mattaereal (presumably this will be a problem for other things as well -- I couldn't see where images are kept for frameworks)

@devtooligan devtooligan left a comment

I think this is great and having a section on hardware security keys is important. It's a nice explainer on the security risks and the different technologies. Here are some comments:

  • Personally, I only use Yubikeys and only recommend Yubikeys to clients, but afaik there are a lot of solid alternatives - do we want to generalize this to "hardware security key" or something and use Yubikey as an example? Are we officially endorsing Yubikey?

  • imo FIDO2 should be MUST HAVE, table stakes for any stakeholder interacting with critical services. They're cheap and eliminate an entire category of attacks. The only downside is not all services use FIDO2 yet

  • I think it might be nice to offer some procedural suggestions such as:

    • Use FIDO2 enabled hardware keys as the only form of authentication when available (no phone, no authenticator, no password)
    • For critical services use 2 hardware keys, one is a backup stored separately in a secure location

@mattaereal
Collaborator

If the assets are the only thing stopping you from updating the content @AndrewMohawk, then let's ask @davidthegardens to help us out, I'll have to inevitably do it for most of our content sometime in the future anyway.

@davidthegardens
Contributor

Fair enough, should I set up an S3 bucket for you guys?

@mattaereal
Collaborator

Yeah, go ahead! It would be nice to have them uploaded automatically with some sort of bot, action or mention, by a specific group of people.

@mattaereal
Collaborator

@AndrewMohawk, are you still wanting to improve this part? Attribution has been added and it's live.

You should git pull to match the current structure.

For the moment, just put the link of the image / description of the image you'd want to put within the content, until we find the best way to do this. I don't want to push @davidthegardens to create a bucket and then create a GitHub action and adapt it to upload pictures until we have something tangible.

@mattaereal
Collaborator

Momentarily @scode2277 can upload any picture until she wraps up the mechanism to allow them to be uploaded automatically. I will consider this branch PR obsolete and close it next week if there's not more activity in it. We can reopen it whenever you are ready to continue working on this! No worries.

@scode2277 scode2277 added content:add This issue or PR adds content or suggests to and removed collab labels Oct 22, 2025
6 participants