[cbhl]

The way $dayjob makes this work is to issue a nano security key for each computer, and then a bluetooth security key for the iPhone (Android phones can use both NFC and Bluetooth security keys, but iPhones can only use Bluetooth security keys).

It's cumbersome, but less so than when we were plugging and unplugging our one hardware USB-A OTP token into everything (and using a desktop web browser to generate OTPs for the phones).

If you do end up getting a security key, I recommend getting at least two. If one fails, you'll want the other one as a backup so that you can get back into your accounts.

[mtgx]

NFC keys should work for iOS, too, now:

https://9to5mac.com/2018/05/22/yubikey-neo-iphone-lastpass/

[dwaite]

That is the Yubikey OTP functionality, not FIDO.

[bad_user]

What happens if your house burns down with everything in it?

You’d then have to contact support to let you bypass 2FA, but if that’s possible then the 2FA protection is weak, prone to social hacking.

[saltminer]

I keep an extra Yubikey in my bank box, next to my other backup keys. The only account I'd be locked out of is Twitter since they only let you add 1 token (my primary).

[stingraycharles]

AWS also only allows you to add a single device, much to my annoyance. I still haven’t found a solution for that, that doesn’t involve risking getting locked out.

[koolba]

One answer I've seen is to create multiple users for the same person. The second user becomes the "backup" user with a different physical device and is used only to reset the primary.

[ithkuil]

At $dayjob I "solved" that problem by setting up SAML auth so we would all login via gsuite (thus using 2FA via yubikey there). After a few months I set that up we got acquired by a big company that uses RSA secureId software security tokens. The security policy mandates that you have only one active security token instance (which BTW acts as a password replacement instead of 2FA, I assume for better interop with legacy tools that only talk ldap...)

[burntsushi]

AWS at least lets you sign in using alternative methods if you get locked out: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credenti...

[stingraycharles]

Which in itself is a problem: it means the MFA device is not required, if only they have access to my email + phone.

[burntsushi]

Sure, I know. Just pointing out that, at least for AWS, you do not need recovery codes or a second device for MFA. For me personally, phone+email is good enough for my threat model.

[mschout]

Yes, AWS MFA is very poorly implemented.

[packet_nerd]

Most sites let you set up both the Yubikey and a Google auth style TOTP. I always set up both, with TOTP codes saved in KeePassXC and SFTP'd to a backup server.

[lstamour]

If I keep one with me and one at home, then I only have to worry about leaving both at home if I’m caught in the fire. Additionally, if I can prove who I am in person, or via friends attestations or both, that’s a lot better than a forgot password form or SMS hijacking.

[notatoad]

"if your house burns down with everything in it, you'd have to call somebody" seems like a fairly ridiculous concern.

[detaro]

That's not their argument. Please read the last bit of the sentence again.