[lrvick]

Are you perhaps reflecting on the OSX experience a couple years ago? Things have really matured since then.

I have deployed yubikey 4 based ssh auth, commit signing, and password management to enigneering teams at 3 companies in the past 2+ years.

The Linux experience has always been solid and as of gpg 2.1+ and High Seirra mostly fixing their smartcard stack, I can say the OSX setup is now quite reliable as well.

For examples for ssh setup see: https://github.com/lrvick/security-token-docs/blob/master/Us...

Aside: I would -not- recommend Duo to anyone. Beyond putting your security entirely in the hands of a third party with unknown internal auditing and security practices, there is no way to disable SMS 2FA for the admin accounts and support has steadfastly ignored requests to allow this to be disabled. This means sim porting + phishing and you cna control a duo admin account. There is also no secure element componet involved with Duo so malware on the phone can bypass it if sophisticated attackers are in your threat profile.