[nukeop]

Yubikey is very useful as a 2FA authenticator. I wouldn't use it for SSH and GPG. I wish there were more websites that supported U2F out of the box, or supported using Yubikey as an authenticator without first adding a mobile phone number, which I don't share on a principle.

[tptacek]

The blue Yubikeys sold as U2F keys can't be used for SSH the way this article suggests; it's talking about the Y4 keys, which are essentially tiny USB HSMs. Y4 SSH isn't a 2FA mechanism; it's a way to keep your SSH key on a piece of hardware where it can't be extracted.

[hollander]

I have a Yubikey on my keychain, and never use it. I'm still looking for that application that will make me want to use it daily. I was thinking about using it to unlock my Mac, hoping this would add to its security after Meltdown and Spectre. Maybe add a second admin account which would require Yubikey. Then if that fails, I have another admin account without Yubikey as fallback login.

My main problem is how to handle the loss of the key. Now I have one, but how do I handle the loss of one or more keys and can I lose access to my encrypted laptop? Same goes for Lastpass or other password managers where 2FA might be used. On the other hand, if I have an accident with head trauma and forget my passwords, what then?

[Shoothe]

> Now I have one, but how do I handle the loss of one or more keys

The same way you handle loss of keys to your home, car, etc. - you buy a second pair. If you're using OpenPGP you can provision them with keys any time so it's not a problem but if you're using U2F then you better add at least two to all your services (Yubico has a cheap U2F only key).

[ben1040]

Yep. I got multiple U2F keys. One is on my keychain, another is in a drawer in my desk, and a third is in a safety deposit box at the bank with my other important documents.

[jopsen]

I use my yubikey for 2FA (TOTP), GPG/SSH.

I use an encrypted github for passwords storage: https://www.passwordstore.org/

For backup in case I loose my key I have multiple yubikeys, and whenever I setup 2FA on a site I take screenshot of the QR code and store it in an encrypted tarball in my password-store.

To duplicate my yubikey you'll need one of my yubikeys; and the password for the tarball (which is thus encrypted twice).

[xur17]

I use my yubikey with Password Store as well and absolutely love it. One of my favorite features is the ability to use my passwords in personal scripts / programs without having the save the password in the code. Instead I have the program call out to the password store binary to retrieve the password.

[serf]

>My main problem is how to handle the loss of the key.

if using for 2fa, most offer a way to turn 2fa off temporarily in case of a key-loss.

I suggest buying more than one, associating them both with whatever task, and throwing one in a safe. It's less-than-ideal, but better than losing access completely when your keys are stolen or destroyed.

[r3bl]

I don't give two craps about do the companies have my phone number or not, so I understand their argument.

Phone numbers are something all people have, so using it as a backup if you lose your Yubikey makes sense.

With that said, I do understand that someone using a Yubikey has probably already thought about "what happens if I lose it" and advanced threats against SMS, but if we want them to be used by everyone, this seems like a nice compromise.

[lrvick]

The threats against SMS are not advanced. ESN porting attacks are still -easy- in the US and I have personally had to be a first responder due to an administrator at an employer being hit by it. Suddenly you lose your 2FA backup to everything and an attacker resets all your passwords and takes over all your accounts.

Any aging windows XP machine at a corner cell phone store has permission to port your number.

Even if that gets fixed, in the USA all cell service providers are required to retransmit a message with A5/1 encryption if asked which can be intercepted and decrypted with wireshark, a $20 USB TV tuner, and 2TB of disk space for rainbow tables.

Seriously SMS is downright dangerous as a 2FA method and it is idiotic that vendors support it as a password reset method.

You are better off using nothing at all over SMS to avoid a remote account takeover... or use something that -can't- be remotely stolen like a hardware TOTP/U2F device.

[nukeop]

If you don't care about privacy at all, why would you be interested in a Yubikey? Also, not everyone has or wants to have a mobile phone.

[r3bl]

Saying that I don't care about my privacy at all if I don't care about companies having my phone number is just blatantly false.

There are a lot of things I want to protect (hence, the Yubikey). A phone number isn't one of them.