privacyguides/i18n
1
0
Fork 0
mirror of https://github.com/privacyguides/i18n.git synced 2025-06-24 03:34:20 +00:00
Code Activity

New Crowdin translations by GitHub Action

Browse Source
This commit is contained in:
Crowdin Bot
2024-06-01 06:34:15 +00:00
parent f7d7c4f3f7
commit 0e5af1d1be
261 changed files with 10940 additions and 2936 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
i18n/cs/basics/multi-factor-authentication.md
View File

@ -36,7 +36,7 @@ Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against
An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account.
Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option.
Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option.
### Hardware security keys

2
i18n/cs/basics/passwords-overview.md
View File

@ -113,7 +113,7 @@ There are many good options to choose from, both cloud-based and local. Choose o
<div class="admonition warning" markdown>
<p class="admonition-title">Don't place your passwords and TOTP tokens inside the same password manager</p>
When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps).
When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md).
Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager.

104
i18n/cs/multi-factor-authentication.md
View File

@ -1,110 +1,22 @@
---
title: "Multi-Factor Authenticators"
title: "Multi-Factor Authentication"
icon: 'material/two-factor-authentication'
description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party.
cover: multi-factor-authentication.webp
---
## Hardware Security Keys
<div class="admonition note" markdown>
<p class="admonition-title">Hardware Keys</p>
### YubiKey
<div class="admonition recommendation" markdown>
![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice.
[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary }
[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
</details>
[Hardware security key recommendations](security-keys.md) have been moved to their own category.
</div>
The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series.
YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source.
For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
<div class="admonition warning" markdown>
<p class="admonition-title">Warning</p>
The firmware of YubiKey is not open source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
</div>
### Nitrokey
<div class="admonition recommendation" markdown>
![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right }
**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary }
[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation}
</details>
</div>
The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download).
For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface.
<div class="admonition warning" markdown>
<p class="admonition-title">Warning</p>
While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead.
</div>
<div class="admonition warning" markdown>
<p class="admonition-title">Warning</p>
Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset).
</div>
The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware.
Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable.
### Criteria
**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
#### Minimum Requirements
- Must use high quality, tamper resistant hardware security modules.
- Must support the latest FIDO2 specification.
- Must not allow private key extraction.
- Devices which cost over $35 must support handling OpenPGP and S/MIME.
#### Best-Case
Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
- Should be available in USB-C form-factor.
- Should be available with NFC.
- Should support TOTP secret storage.
- Should support secure firmware updates.
## Authenticator Apps
Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be.
**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be.
We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems.
### Ente Auth
## Ente Auth
<div class="admonition recommendation" markdown>
@ -129,7 +41,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
</div>
### Aegis Authenticator (Android)
## Aegis Authenticator (Android)
<div class="admonition recommendation" markdown>
@ -154,7 +66,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
</div>
<!-- markdownlint-disable-next-line -->
### Criteria
## Criteria
**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.

19
i18n/cs/os/index.md Normal file
View File

@ -0,0 +1,19 @@
---
title: Operating Systems
---
We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices.
If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful.
## Mobile Operating Systems
- [Android Overview](android-overview.md) :material-star:
- [iOS Overview](ios-overview.md)
## Desktop Operating Systems
- [Linux Overview](linux-overview.md) :material-star:
- [macOS Overview](macos-overview.md)
- [Qubes Overview](qubes-overview.md) :material-star:
- [Windows Overview](windows/index.md)

134
i18n/cs/os/windows/group-policies.md Normal file
View File

@ -0,0 +1,134 @@
---
title: Group Policy Settings
---
Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better.
These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk.
All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate.
## Administrative Templates
You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies.
To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well.
### System
#### Device Guard
- Turn On Virtualization Based Security: **Enabled**
- Platform Security Level: **Secure Boot and DMA Protection**
- Secure Launch Configuration: **Enabled**
#### Internet Communication Management
- Turn off Windows Customer Experience Improvement Program: **Enabled**
- Turn off Windows Error Reporting: **Enabled**
- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled**
Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that.
#### OS Policies
- Allow Clipboard History: **Disabled**
- Allow Clipboard synchronization across devices: **Disabled**
- Enables Activity Feed: **Disabled**
- Allow publishing of User Activities: **Disabled**
- Allow upload of User Activities: **Disabled**
#### User Profiles
- Turn off the advertising ID: **Enabled**
### Windows Components
#### AutoPlay Policies
AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually.
- Turn off AutoPlay: **Enabled**
- Disallow Autoplay for nonvolume devices: **Enabled**
- Set the default behavior for AutoRun: **Enabled**
- Default AutoRun Behavior: **Do not execute any AutoRun commands**
#### BitLocker Drive Encryption
You may wish to re-encrypt your operating system drive after changing these settings.
- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled**
- Select the encryption method: **AES-256**
Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows.
##### Operating System Drives
- Require additional authentication at startup: **Enabled**
- Allow enhanced PINs for startup: **Enabled**
Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard.
#### Cloud Content
- Turn off cloud optimized content: **Enabled**
- Turn off cloud consumer account state content: **Enabled**
- Do not show Windows tips: **Enabled**
- Turn off Microsoft consumer experiences: **Enabled**
#### Credential User Interface
- Require trusted path for credential entry: **Enabled**
- Prevent the use of security questions for local accounts: **Enabled**
#### Data Collection and Preview Builds
- Allow Diagnostic Data: **Enabled**
- Options: **Send required diagnostic data** (Pro Edition); or
- Options: **Diagnostic data off** (Enterprise or Education Edition)
- Limit Diagnostic Log Collection: **Enabled**
- Limit Dump Collection: **Enabled**
- Limit optional diagnostic data for Desktop Analytics: **Enabled**
- Options: **Disable Desktop Analytics collection**
- Do not show feedback notifications: **Enabled**
#### File Explorer
- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled**
#### MDM
- Disable MDM Enrollment: **Enabled**
#### OneDrive
- Save documents to OneDrive by default: **Disabled**
- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled**
- Prevent the usage of OneDrive for file storage: **Enabled**
This last setting disables OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive.
#### Push To Install
- Turn off Push To Install service: **Enabled**
#### Search
- Allow Cortana: **Disabled**
- Don't search the web or display web results in Search: **Enabled**
- Set what information is shared in Search: **Enabled**
- Type of information: **Anonymous info**
#### Sync your settings
- Do not sync: **Enabled**
#### Text input
- Improve inking and typing recognition: **Disabled**
#### Windows Error Reporting
- Do not send additional data: **Enabled**
- Consent > Configure Default consent: **Enabled**
- Consent level: **Always ask before sending data**

62
i18n/cs/os/windows/index.md Normal file
View File

@ -0,0 +1,62 @@
---
title: Windows Overview
icon: simple/windows
---
**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems.
If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences.
Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy.
## Guides
You can enhance your privacy and security on Windows without downloading any third-party tools with these guides:
- Initial Installation (coming soon)
- [Group Policy Settings](group-policies.md)
- Privacy Settings (coming soon)
- Application Sandboxing (coming soon)
- Security Hardening (coming soon)
This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon!
## Privacy History
Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today.
At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them.
Windows 11 has introduced even more privacy-invasive behavior, including:
- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher.
- Enabling virtually all data collection options by default.
- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove.
- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps.
- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device.
Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default.
Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide.
## Windows Editions
Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical.
**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you.
The best version available for _retail_ purchase is **Windows Pro Edition**. This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc.
Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions.
It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks.
## Obtaining Windows
Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install.
The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing.
This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key.
If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal.

134
i18n/cs/security-keys.md Normal file
View File

@ -0,0 +1,134 @@
---
title: Security Keys
icon: material/key-chain
description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party.
cover: multi-factor-authentication.webp
---
A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication.
## Yubico Security Key
<div class="admonition recommendation" markdown>
<figure markdown="span">
![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" }
</figure>
The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers.
[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary }
[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
</details>
</div>
These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well.
This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include:
- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)
- CCID Smart Card support (PIV-compatibile)
- OpenPGP
If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead.
<div class="admonition warning" markdown>
<p class="admonition-title">Warning</p>
The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
</div>
## YubiKey
<div class="admonition recommendation" markdown>
<figure markdown="span">
![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" }
</figure>
The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary }
[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
</details>
</div>
The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice.
The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction.
YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source.
For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
<div class="admonition warning" markdown>
<p class="admonition-title">Warning</p>
The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
</div>
## Nitrokey
<div class="admonition recommendation" markdown>
<figure markdown="span">
![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" }
</figure>
**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary }
[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation}
</details>
</div>
The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download).
For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface.
<div class="admonition warning" markdown>
<p class="admonition-title">Warning</p>
While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead.
</div>
<div class="admonition warning" markdown>
<p class="admonition-title">Warning</p>
Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset).
</div>
## Criteria
**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
### Minimum Requirements
- Must use high quality, tamper resistant hardware security modules.
- Must support the latest FIDO2 specification.
- Must not allow private key extraction.
- Devices which cost over $35 must support handling OpenPGP and S/MIME.
### Best-Case
Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
- Should be available in USB-C form-factor.
- Should be available with NFC.
- Should support TOTP secret storage.
- Should support secure firmware updates.

20
i18n/cs/tools.md
View File

@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
<div class="grid cards" markdown>
- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente)
- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos)
- ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle)
- ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism)
@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev
### Multi-Factor Authentication Tools
**Note:** [Hardware security keys](#security-keys) have been moved to their own category.
<div class="grid cards" markdown>
- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey)
- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey)
- ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth)
- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android)
@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev
[Learn more :material-arrow-right-drop-circle:](real-time-communication.md)
## Hardware
### Security Keys
<div class="grid cards" markdown>
- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key)
- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey)
- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey)
</div>
[Learn more :material-arrow-right-drop-circle:](security-keys.md)
## Operating Systems
### Mobile