You can add location information to your Tweets, such as your city or precise location, from the web and via third-party applications. You always have the option to delete your Tweet location history. Learn more
So far I've favored the first one, because you *know* all those keys based on a random STM32 are going to be glitchable, and closed stuff *might* be better. But after ROCA and other fails, maybe open firmware is better and just hope nobody physically attacks your key?
Keep in mind that this depends on your use case, e.g. a key keeping SSH keys needs to be more secure than a key used for FIDO U2F login for a handful of websites, because the latter is a second factor only and easier to revoke/replace.
Also keep in mind that open does not mean secure, I've seen some absolutely abysmal firmware in "open" firmware projects along these lines too. I guess what I'm asking is whether it's worth doing #2 "right" with the caveat of being vulnerable to physical attacks.
Microsoft will happily log you in with the fido token only, and they’re pushing for this to be a standard across the web, so “only a 2nd factor” might hold true for now, but who knows for how long
What I don’t understand is why can’t all these vendors open source their firmware blobs and protocols for attestation of the device
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.
