by acupofnope 1971 days ago
> YubiKeys have no password lock of their own

I don't know if the author of the blog post means something else, but if you're using 2FA tokens (i.e. Yubikey Authenticator) you can add password protection for additional security.


Yubikeys have a PIN for FIDO2 passwordless auth, see the `ykman fido set-pin` command (IIRC, there is a GUI for this as well, but I don't have a single passwordless login - to the best of my awareness, not a single website on the web that I use seems to support this).

This is different from typical U2F operations, though, where the website asks for a password ("know") and a hardware token ("have"). For those, the password is already the secret part.

If someone phished someone's password AND stole their Yubikey - well, this is a very peculiar situation, where, indeed, the scenario fails. If someone steals a laptop with a Yubikey plugged in - they (hopefully) don't have the passwords. Unless someone had set it up to log in and open their password manager with just a touch of said Yubikey, without anything extra. Which is, again, quite a peculiar situation.

In some scenarios, Windows 10 will also require a PIN to use a key:

https://docs.microsoft.com/en-us/azure/active-directory/user...