by bsder 2190 days ago
I feel like a broken record, but:

If I have a startup of 5 people, how do I deploy 3 Yubikeys per person? How do I issue a new Yubikey to a person and connect it into systems if one of the old ones gets stolen? How do I disable a stolen Yubikey or all the Yubikeys if that person quits?

And how do I do this when the IT department is one person a couple hours a week?


Hi! I'm actually the product manager for the product mentioned in that article: https://enterprise.signata.net.

Are you heavily SaaS based for the tools you use in your startup, or do you have some on-prem infrastructure? That'll kind of dictate which path you should go down for provisioning the keys to your users. Our product will be perfect if you're using AD & a Microsoft CA internally (or are willing to set one up), as you could then just set up 3 YubiKeys for each employee, all loaded with certificates for authentication.

And, should one be stolen or an employee leaves, just revoke the certificates on it to kill the access immediately.

Any path you go down should really still only take a bit of time upfront and almost nothing longer term, unless your team grows fast.

You can also hit me up at tim@congruentlabs.co and I can give you more advice if you don't want to mention specifics publicly.
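As an added example (not code from the thread or from the Signata product), this is what the "revoke the certificates on it" step looks like on a Microsoft AD CS issuing CA: find every certificate the CA issued for the affected user, revoke each one, and publish a fresh CRL. The CA config string, the username and the reason code are assumed placeholders.

```powershell
# Added example, not from the original thread. Revoke all certificates an AD CS
# issuing CA has issued to one user (e.g. the owner of a stolen YubiKey) and
# publish a new CRL. Run on the CA itself or on a box with certutil (RSAT).
#
# Assumptions (placeholders): CA config string "CA01.corp.example\Corp Issuing CA",
# requester CORP\alice, reason 1 (KeyCompromise) for a stolen key. For a leaver,
# reason 5 (CessationOfOperation) is the usual choice.
$CaConfig = "CA01.corp.example\Corp Issuing CA"   # assumed: host\CA common name
$User     = "CORP\alice"                          # assumed: RequesterName in the CA DB
$Reason   = 1                                     # CRL reason: 1 = KeyCompromise

# Query the CA database for issued certificates (Disposition 20 = Issued)
# requested by that user, and pull out the serial numbers.
$serials = certutil -config $CaConfig -view `
              -restrict "RequesterName=$User,Disposition=20" `
              -out "SerialNumber" |
    Select-String -Pattern 'Serial Number:\s*"?([0-9A-Fa-f]+)"?' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }

if (-not $serials) {
    Write-Warning "No issued certificates found for $User on $CaConfig"
}

foreach ($serial in $serials) {
    Write-Host "Revoking serial $serial for $User (reason $Reason)"
    certutil -config $CaConfig -revoke $serial $Reason
}

# Publish a new base CRL so relying parties learn about the revocation.
# Until they fetch it (or check OCSP), the old certificate still validates.
certutil -config $CaConfig -crl
```

Two caveats a practitioner would want alongside this: revocation is only as fast as CRL/OCSP propagation to the systems that trust the CA, so for a departing employee also disable the AD account (smart-card logon is bound to the account, which cuts access immediately), and for a stolen key the PIV PIN retry limit buys time but is not a substitute for revoking the certificate.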

Did you not read the question? It's 5 people and either outside IT or a random Joe employee 1-2 hrs per week. They are not managing AD and CA infrastructure.

Yeah, that's why I added the "if". But I have seen a lot of very small teams running AD (or Azure AD if they've chosen the Microsoft path), though they tend to just be paranoid about security or running in countries with poor internet connections.

Microsoft also provides pretty cheap deals for startups if they want some basic infrastructure for the office (excluding the hardware, of course), so it's not entirely out of the equation on the licensing side either.

Really small teams typically will find U2F auth easiest to work with in the beginning, and then after hitting around 20 users they'll bump into problems, like having a large enough number of connected systems that they need to manage 2FA for.