Key Takeaways
1. From Memory (Password) to Possession (Key)
2. Passkeys: public key cryptography for everyone. Because no secret is ever sent to the server, the risk of it leaking from the server is zero.
3. YubiKey 5C NFC: a physical “duplicate key”. Just plug it into the PC's USB port and touch it to exercise sudo-level authority.
4. Network isolation: do not expose your home server to the Internet; with Tailscale, access it only over the VPN.
5. Analog backup: print your QR codes and recovery codes and put them in a safe. This is the strongest backup.
Introduction: The Death of Passwords
The move away from passwords that began around 2024 was complete by 2026.
If you still memorize a password like CorrectHorseBatteryStaple, you are behind the times.
Engineer authentication has shifted completely from “something you know” (a password) to “something you have” (a device). Passkeys, built on the FIDO2/WebAuthn standard, are what made this possible.
1. Hardware: A Physical “Root of Trust”
Software-only security falls apart once the machine is infected with malware. A hardware security key (YubiKey) never lets the private key leave the device, so the key itself stays safe even if the PC is fully compromised.
Yubico YubiKey 5C NFC
The de facto world-standard hardware key. Plug it into USB-C and touch it to pass two-step verification for Google, GitHub, AWS and so on. Because it supports NFC, you can also authenticate by tapping it on the back of an iPhone.
Kensington MagPro Privacy Screen
Essential etiquette for engineers who work in cafés. A privacy filter that attaches magnetically: the screen looks clear from the front but pitch black from the next seat (viewing angle 30 degrees).
2. Network: Your “Home LAN” Anywhere
Is free café Wi-Fi dangerous? That is a story from the past. Today you use Tailscale and route all traffic through an encrypted overlay network (WireGuard).
Tailscale + Exit Node
If you set a Raspberry Pi or Apple TV at home as an “exit node”, all access from outside goes out through your home IP. That lets you safely reach internal systems that use IP allow-listing.
# Execute on home server
sudo tailscale up --advertise-exit-node
NextDNS
A firewall at the DNS level. Beyond blocking ads, it blocks access to known phishing sites and malware-distribution domains at the DNS-resolution stage. Linked with Tailscale, even traffic on a mobile connection goes through NextDNS.
3. Workflow: Integration into the Development Flow
A YubiKey is not just a tool for web logins. It shows its real value when built into a developer's daily workflow (Git, SSH).
Git Commit Signing
A “Verified” badge on the GitHub commit log is already expected practice. To stop someone from spoofing your email address and committing in your name, sign commits with the OpenPGP key on the YubiKey.
# ~/.gitconfig
[user]
signingkey = <YubiKey-GPG-Key-ID>
[commit]
gpgsign = true
SSH with YubiKey (FIDO2)
Since OpenSSH 8.2, a FIDO2 key can be used directly as an SSH key.
# Key generation (the private key is generated inside the YubiKey and cannot be extracted)
ssh-keygen -t ecdsa-sk -O resident
With this, every server login requires a touch on the YubiKey. You may find it “tedious”, but it is the strongest line of defence: malware cannot SSH anywhere on its own.
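To confirm on the server side that an account really accepts only hardware-backed keys, here is an added example (not code from the original post) that audits an authorized_keys file: it classifies each entry by key type (the sk-* types produced by ssh-keygen -t ecdsa-sk / -t ed25519-sk versus plain software keys) and inspects the options field for touch and PIN requirements. The sample key material in demo_audit is constructed placeholder data.

```shell
#!/bin/sh
# Added example, not from the original post: audit an authorized_keys file and
# report which entries are FIDO2 hardware-backed (sk-* key types) and which are
# plain software keys that malware could use without a YubiKey touch.
# Assumes simple entries; options containing quoted spaces (command="...") are not parsed.

# Prints one classification line per key.
# Return value: number of entries that are NOT hardware-backed
# (0 means every login on this account requires the security key).
audit_authorized_keys() {
    file="$1"
    soft=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        set -- $line                                 # split into fields
        opts=""
        case "$1" in                                 # optional leading options field
            sk-*|ssh-*|ecdsa-*) ;;
            *) opts="$1"; shift ;;
        esac
        type="$1"; comment="${3:-<no comment>}"
        case "$type" in
            sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com)
                # Hardware key: warn when touch is waived, note when a PIN is also required.
                case ",$opts," in
                    *,no-touch-required,*) printf 'HARDWARE(NO-TOUCH) %s %s\n' "$type" "$comment" ;;
                    *,verify-required,*)   printf 'HARDWARE+PIN       %s %s\n' "$type" "$comment" ;;
                    *)                     printf 'HARDWARE           %s %s\n' "$type" "$comment" ;;
                esac ;;
            ssh-*|ecdsa-*)
                printf 'SOFTWARE           %s %s\n' "$type" "$comment"; soft=$((soft + 1)) ;;
            *)
                printf 'UNPARSEABLE        %s\n' "$line"; soft=$((soft + 1)) ;;
        esac
    done < "$file"
    return "$soft"
}

# Demo on a constructed sample file (key blobs are fake placeholder data).
demo_audit() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tPLACEHOLDER laptop-yubikey
verify-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZPLACEHOLDER desk-yubikey
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER old-laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDER ci-box
EOF
    audit_authorized_keys "$tmp"; rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

Run `demo_audit` to see the sample report (it returns 2 because two software keys remain), or `audit_authorized_keys ~/.ssh/authorized_keys` on a real account; a non-zero return means a key without a YubiKey requirement is still accepted.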
4. Software: Passkey Managers
Passkeys are tied to a device, but re-registering everything each time you replace your PC is painful. So use a manager that syncs passkeys through the cloud.
| Item | 1Password | Bitwarden |
|---|---|---|
| Passkey Sync | Perfect | Supported |
| SSH Agent Link | SSH unlock with fingerprint | CLI integration available |
| Price | from $2.99/mo | Free / $10/yr |
| Code Base | Proprietary | Open Source |
For engineers, I recommend 1Password.
Its “SSH Agent” feature in particular is powerful: there is no need to keep ~/.ssh/id_ed25519 on local disk, so the risk of private-key leakage drops drastically.
5. OS Hardening: Doubt the Default Settings
Finally, raise the defensive strength of the OS itself.
- FileVault / BitLocker: Disk encryption is essential. Even if you lose the PC, the data is nothing more than scrap.
- Lockdown Mode (Apple): The ultimate defense mode. It minimizes the attack surface by, for example, disabling the JIT compiler and restricting previews of attachments. It is designed for threats at the level of “your life is being targeted”.
Deep Dive: The Essence of Zero Trust Architecture
Perimeter-based security, the idea that “once you're inside the internal network, it's safe,” has collapsed. The principles of Zero Trust are simple:
- Never Trust, Always Verify: Even for access from within the same LAN, verify the health of the device and the authentication of the user every time.
- Least Privilege: Give only the minimum necessary privileges for the necessary amount of time.
- Assume Breach: Operate on the premise that you have already been breached to minimize damage (segmentation).
Engineers prefer tools like Tailscale because they allow for building this advanced Zero Trust environment at an individual level without complex VPN settings.
Conclusion: Security Is a “Habit”
Touching the YubiKey, turning on Tailscale: by building these into your daily routine, you maintain top-level security without thinking about it. When an attacker goes after your data and concludes “this one is too much trouble (not worth the cost)”, you have won.