
If you have a Yubikey, why do you need to use passkeys (which are essentially software emulation of a Yubikey)?


Because the vast majority of users don't want to bring a yubikey with them everywhere they go.


The much bigger problem is that you also need to enroll a second Yubikey into every service you use, but also safely store that backup key somewhere, ideally outside your own house. That's just not realistic.

Yubico had some ideas around "paired Yubikeys" which shared the same root secret, but I believe that model won't work anymore with FIDO/CTAP2 due to some counter value that was added there over U2F. (It might be possible for them to just not have a security counter; I'm not sure.)


I'm curious if that's really true. I've had a Yubikey in my keyring for years and it's pretty convenient. It's smaller than my car key and isn't very noticeable.

I have the NFC-enabled variant so it can be used with a mobile phone.


I also have a Yubikey for work, so I know how they work and how small they are.

I still stand by the idea that most users wouldn't be happy having to carry it around. We can't even get most users to use password managers which are built into their phones (1 in 3), and there was a collective meltdown when Apple removed the headphone jack, which required people to carry a dongle for wired headphones. Telling people they need to carry around a yubikey for anything they want to log into just isn't going to fly.

https://www.security.org/digital-safety/password-manager-ann...


I’m trying to get people at my workplace to use yubikeys. I would have thought it’d be easy, since “touch the blinking green circle on your yubikey” is a way less obnoxious form of 2FA than “pull out your phone, wait for a text, type in the number” or “pull out your phone, open up the 2FA app, scroll to the service, type in the number”. I was wrong though, it’s like pulling teeth and I’m not sure why!

I think you’re right, any change has to fight against the “this is how I do it already” inertia.


For me, the problem with YubiKeys is not the normal usage. That works great.

The problems are the "corner" cases: enrolling new keys, removing old keys, handling unintentional destruction of the key. The last one, in particular, is really problematic.

Some of the security mechanisms that a YubiKey provides are an extreme inconvenience. For example, I want to be able to clone my key via some mechanism in case it gets destroyed. I don't want to have to enroll 3 separate keys in every service on the planet just in case I put one in the wash accidentally. That's not possible with a YubiKey--for good reason--but it's a significant annoyance.

We consider "duplicating a physical key" such a common need that we have automated machines to do it at 7 Eleven. The fact that we don't have the same consideration of digital ones is problematic.


Yubikey was even planning to work on a FIDO extension that would allow that for a while, but I don't think it went anywhere.

It's a real shame, as I'd also love "Yubikey twins" of which I can put one in a safe deposit box and have the other one always with me, without needing to periodically synchronize them to all services I'm using them on.


How is a Yubikey any different than other physical keys people have been carrying for hundreds of years? It seems much more intuitive to carry a digital key for your digital accounts.

Password managers have the added complexity of still needing a password themselves and all the quirks that come with auto filling and programmatically reading forms.

I'm not sure Apple headphones are quite a fair comparison. Outrage was also due to proprietary connectors that were patent encumbered.


Where can I call to get the Yubikey locksmith in the middle of the night to show up and let me into all my accounts if I lose my Yubikey?


I lost my yubikey once. There are always ways to recover your accounts, and it's especially easy for ones you're already signed into on multiple devices.


nsa.gov - they are great, 5 stars


They're completely different! The similarity is at the physical/surface level only.

Physical keys work in one (or rarely in several, but basically unchanging set of) locks, and I carry around about 2-3 of them.

Hardware security keys, by contrast, work in many different places/accounts, potentially even for multiple accounts on the same service, but only after registering them there.

That's not how people experience physical keys: You don't, for example, move apartments or visit a friend, and the landlord/friend "registers/adds your key for their lock". If you lose your physical key, you can't "quickly revoke it from all doors" that it locks (without kicking everybody else out).


> How is a Yubikey any different than other physical keys people have been carrying for hundreds of years?

1. Not everyone carries keys (I don't and haven't for years)

2. Because every other existing alternative doesn't require you to carry something extra. Asking people to carry something with them to be able to sign into accounts will feel like a step backwards to most people.

3. Because most people only need to pull out their keys a few times a day. Requiring a Yubikey for every sign in means you'd now need to constantly be pulling your Yubikey out to sign into things.

> Password managers have the added complexity of still needing a password themselves and all the quirks that come with auto filling and programmatically reading forms.

I don't buy this. I use Lastpass which is arguably the most widely used password manager. I sign in using the master password maybe once a month and it works seamlessly on my phone. Apple and Google both have their own native solutions as well and still only 1/3 of people use them.

> Outrage was also due to proprietary connectors that were patent encumbered.

I think you're living in a bubble. Just go look back at the headlines from when that was announced. Almost no one gave a shit about it being a proprietary connector. People were upset because they were being forced to buy and carry a bunch of dongles. Just look at the comments on these reddit posts:

https://www.reddit.com/r/funny/comments/5a6lbd/it_just_works...

https://www.reddit.com/r/funny/comments/5j66d4/the_world_isn...

https://www.reddit.com/r/dankmemes/comments/ox3s26/apple_do_...


> 3. Because most people only need to pull out their keys a few times a day. Requiring a Yubikey for every sign in means you'd now need to constantly be pulling your Yubikey out to sign into things.

I just leave it connected to my computer. It requires a physical touch for every interaction so it can't be 'milked' for tokens like old fashioned smart cards.


I used to do that for a while, and it got annoying very quickly. It still requires grabbing my keychain when e.g. sitting on the couch or lying in bed, NFC doesn't always read (there's very little UX feedback on whether I'm holding it in the right place and there is possibly an application layer problem or I'm not even close), and most of all it doesn't work on my computer, where I need to plug it in to the USB-C port (much less seamless than tapping).

Now I only have the Yubikey as a backup authenticator for my most valuable accounts and use a software solution for most low-value things.


Yes, it's really true. How many of your friends and family members carry around a yubikey?


The technically savvy do. The others don't but not because they don't want to--they don't know they exist. Everyone I know carries around NFC devices--either work badges or credit cards. I don't see how having an extra NFC device in addition to the multiple ones you already have is a burden.


I'm technically savvy. I don't own one, nor want to.

Why should I be forced to pay for a YubiKey? €60 is a fair chunk of money.

Maybe buy me one and I'll consider it; otherwise I'm not convinced. I will once corporate gives me free open-source hardware.


I'm an EM at a large tech company. Spent a decade as a developer. I have a Yubikey for work and I hate it. I understand why I need it and the value it provides, but I hate having to carry around one more thing.

The fact that this user thinks the average person would be happy to have to carry one around is wildly out of touch.


> The technically savvy do.

That's my point.

Yubikey doesn't pass the grandma test. Your everyday user isn't going to be carrying one around anytime soon.


It's actually a LOT easier to explain to your grandma than a recent MFA app like Microsoft authenticator that requires a smartphone, the user to unlock it, choose the notification, to enter a code from a list and confirm with fingerprint.

With passkeys via yubikey it's insert key, enter PIN code (just like at the ATM), touch and go. You don't even have to enter your account name or email because that's derived automatically.

Anyone who can get cash out can use a yubikey. Very different for MFA apps.


My mother will not learn to use a Yubikey, or remember to carry one. You may not believe that (or simply dismiss anyone who won't/can't as unworthy to join in on modern life), but I can assure you it's true.


Have you actually tried this? I’ve found the Yubikey model is much easier for normal people because they’re used to using physical keys or cards. What’s hard is a) the cost and b) the hassle of having to pair multiple keys, which is where the biometric phone/laptop based solutions are better since it’s one tap for a familiar prompt.


Yes, as a matter of fact I am painfully aware of my mother's limitations with respect to technology and gadgets, as well as her extensive peer group who I somehow get roped into supporting. Your condescension is noted.


I don't have a keyring or a car key anymore so any additional physical object to carry is less convenient.


I have mine on my keyring. Not sure what the big problem is there.

The bigger issue with yubikeys is that you need more than one in case you lose one. And most sites only allow one passkey per account because all the mobile implementations can sync the private key. Yubikeys can't and that's actually a good thing because it makes them unique and eliminates the whole sync mechanism as an attack plane.


> And most sites only allow one passkey per account because all the mobile implementations can sync the private key.

Even when/if sites do allow multiple passkeys per account, the fundamental contradiction remains: Your backup key(s) are supposed to be kept somewhere secure where they won't get lost, stolen or destroyed, which ideally means some sort of off-site backup (at your bank or wherever), but at the same time every time you register for a new service you do need to register all your backup keys, too.


True. That is a problem. Especially because with Webauthn you can't just enrol a public key. It's one of the reasons I like openpgp for authentication e.g. over SSH. I can just give it a list of public keys to accept without having all those keys actually to hand.
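The thread touches on three relying-party-side mechanics: the signature counter that breaks "paired" keys sharing one secret, the user-presence flag set by the physical touch, and accounts holding several registered credentials (primary plus backups). The following is an added example, not code from anyone in the thread: a stdlib-only parser for the WebAuthn authenticatorData header (RP ID hash, flags, 32-bit counter) with the spec's counter rule and presence check applied per stored credential. The account store, credential IDs and sample blobs are constructed for illustration; ECDSA signature verification over the client data is deliberately left out.

```python
"""Relying-party checks on WebAuthn/CTAP2 authenticatorData (added example)."""
import hashlib
import struct
from dataclasses import dataclass, field

FLAG_UP = 0x01  # user present: the authenticator was physically touched
FLAG_UV = 0x04  # user verified: PIN or biometric was checked on the device


@dataclass
class StoredCredential:
    credential_id: bytes
    sign_count: int = 0  # highest counter value seen so far for this key


@dataclass
class Account:
    # One account can hold several credentials (primary key plus backups);
    # each keeps its own counter because each key counts independently.
    credentials: dict = field(default_factory=dict)


def parse_authenticator_data(auth_data: bytes):
    """Split the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return rp_id_hash, flags, sign_count


def verify_assertion(account, credential_id, auth_data, rp_id, require_uv=False):
    cred = account.credentials.get(credential_id)
    if cred is None:
        return "unknown credential"
    rp_id_hash, flags, sign_count = parse_authenticator_data(auth_data)
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return "rp id mismatch"
    if not flags & FLAG_UP:
        return "no user presence"
    if require_uv and not flags & FLAG_UV:
        return "no user verification"
    # WebAuthn rule: when either side reports a non-zero counter, the new value
    # must be strictly greater. A replayed assertion, or a second key sharing
    # the same secret that has been used elsewhere, fails here.
    if (sign_count != 0 or cred.sign_count != 0) and sign_count <= cred.sign_count:
        return "counter not increased (possible cloned authenticator)"
    cred.sign_count = sign_count
    return "ok"


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed authenticatorData prefix for offline testing (no extensions)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```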


Because I already have a device in my pocket that can easily do that "software emulation" that I'm less likely to lose, and it has a tracking ability?


Backups are good. If some guy grabs my phone, he doesn’t automatically get the Yubikey at the same time. The same is true if my phone is damaged.
