by stingraycharles 1485 days ago
As someone who has used a Yubikey for about 5 years for SSH, GPG and U2F, an extra key is indeed the solution I use.

Effectively it means all integrations must support multiple keys, and you’ll have to register both. Of course, this doesn’t work everywhere, such as AWS. In those cases, I typically use my “main” key.

I’d argue that the key breaking due to wear or being lost is less of a risk than human error: just last week I had to enter the admin GPG code for the first time in years, and I forgot it initially, which caused the device to lock itself, and apparently the recovery code didn’t work. It caused me a few hours of stress to get it resolved.

So yeah, it requires some discipline. What’s important is that you need to identify the services you absolutely cannot lose access to: in my case it’s my email and password manager. For those two, I properly manage backup codes, regularly test both Yubikeys, etc. The rest can all be recovered through email, if it needs to be.


You pull your GPG key from offline backups, reset the applet and load it again.

The same GPG key can be used for SSH too.

You can generate keys inside the Yubikey, but you also have the option of bringing your own key, which surely you keep safe offline.

> Of course, this doesn’t work everywhere, such as AWS

I’ve worked around that by creating one IAM user per Yubikey.

I have a question: do you disable regular OTP 2FA on services where you use the Yubikey? I have one too and religiously added it to all kinds of things, but each service allowed me to just skip the Yubikey when a regular OTP code was entered, effectively making me not use the Yubikey.
If you have only one Yubikey, and use it as the only factor of authentication to a website, you'll need to ensure you store the 2FA recovery codes safely. Whereas if you have both Yubikey and TOTP as factors of authentication, if you lose the Yubikey you'll still be able to log in.

I view that as "Yubikey more convenient than TOTP". You can either use TOTP, or the Yubikey, and it's easier to tap a button than to enter a code.

WebAuthn is more convenient but also more secure. You don't have to be as vigilant when checking what URL your browser is pointing at.
Not the GP, but I also use YK as a primary auth mechanism and TOTP as fallback.

Since I only use TOTP as fallback, I am much more vigilant if I suddenly get a TOTP prompt. I should never get one, except in circumstances where I explicitly want one. Every other instance is a big red flag. Is that perfect? No. Is it better than TOTP? Yes.
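The "a TOTP prompt is a red flag" idea above can be turned into a check a defender runs over authentication logs: for every account that has a hardware key enrolled, any use of the TOTP fallback, successful or not, is worth surfacing. This is an added example, not code from anyone in the thread; the log format, the key=value field names and the enrolment list are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): flag TOTP logins on accounts whose
# primary factor is a hardware key. The log lines, field names and the
# enrolment list below are constructed for this demo.
set -eu

# Constructed: accounts that have a WebAuthn/Yubikey factor enrolled.
HW_ENROLLED="alice,carol"

# Constructed: one login event per line, space-separated key=value fields.
AUTH_LOG='ts=2024-05-01T08:02:11Z user=alice method=webauthn result=ok
ts=2024-05-01T08:05:40Z user=bob method=totp result=ok
ts=2024-05-02T09:14:33Z user=alice method=totp result=ok
ts=2024-05-02T09:20:02Z user=carol method=totp result=fail
ts=2024-05-02T10:01:59Z user=carol method=webauthn result=ok'

# Print "user ts result" for every TOTP use by a hardware-key account.
# Failed attempts are reported too: the fallback path being exercised at
# all is the signal, whoever is driving it. bob has no hardware key, so
# his TOTP logins are normal and not reported.
flag_totp_fallbacks() {
    printf '%s\n' "$AUTH_LOG" | awk -v enrolled="$HW_ENROLLED" '
        BEGIN {
            n = split(enrolled, names, ",")
            for (i = 1; i <= n; i++) hw[names[i]] = 1
        }
        {
            for (k in f) delete f[k]
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                f[kv[1]] = kv[2]
            }
            if (f["method"] == "totp" && (f["user"] in hw))
                print f["user"], f["ts"], f["result"]
        }'
}

# Number of flagged events, handy for a dashboard or an alert threshold.
count_totp_fallbacks() {
    flag_totp_fallbacks | awk 'END { print NR }'
}

flag_totp_fallbacks
```

On the constructed input this reports alice's successful TOTP login and carol's failed one; in a real deployment the enrolment list would come from the identity provider and the expected count for most accounts is zero.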

> just last week I had to enter the admin GPG code for the first time in years, and I forgot it initially

Now this is scary.

I'm going to reveal some of my opsec but my password manager (pass(1)) does have yubikeys registered but it also accepts my GPG key. So even if I lose my yubikeys I can still unlock all the passwords, otp codes and everything I have in there.

I just can't feel comfortable with any other solution than my head being the final master key.

I use pass also, but only with GPG, and I feel a bit uncomfortable that I don't know anything about GPG: I don't remember if I set a password there, or how to move it to another computer for backup or sync of the data stored in pass.
Yeah, GPG is a big hurdle. My suggestion is to learn about subkeys. Create subkeys for everything you want to do.

That way you have one main key that can revoke subkeys, and the subkeys do everything: access to files, emails, passwords.

I back up everything directly to GitHub. I first encrypt/seal my passwords/files using a Yubikey+PIN, then git push them.

Here's my take on the automation: https://github.com/mihaigalos/pass
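The subkey layout recommended above, and the "restore from offline backup, then reload the card" procedure from the earlier reply, both rest on the same GPG setup: a primary key that only certifies, one subkey per job, and an exported secret-key backup kept offline. The script below builds exactly that in a throwaway GNUPGHOME and exports the auth subkey in OpenSSH form, which is how one GPG key also serves SSH. It is an added example, not code from the thread or from the linked repository; the identity, the empty passphrase and the one-year subkey expiry are constructed for the demo, and it assumes gpg 2.1 or newer on the PATH. The final step of moving subkeys onto a Yubikey is interactive and is only described in a comment.

```shell
#!/bin/sh
# Added example (not code from the thread or the linked repo): a
# certify-only primary key, separate sign/encrypt/auth subkeys, an offline
# secret-key backup, and the auth subkey exported for SSH. Everything runs
# in a throwaway GNUPGHOME so it never touches a real keyring.
# Assumes gpg >= 2.1 on the PATH.
set -eu

# gpg in fully non-interactive mode. The empty passphrase is for the demo
# only; a real primary key gets a strong passphrase before it goes offline.
g() {
    gpg --batch --pinentry-mode loopback --passphrase '' "$@"
}

make_keys() {
    GNUPGHOME="$(mktemp -d)"
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    uid='Example User <example@example.invalid>'   # constructed identity

    # 1. Primary key that can only certify: it signs subkeys and other
    #    people's keys, and otherwise stays on offline media.
    g --quick-generate-key "$uid" ed25519 cert never >/dev/null 2>&1
    FPR="$(gpg --batch --with-colons --list-secret-keys \
           | awk -F: '$1 == "fpr" { print $10; exit }')"

    # 2. One subkey per job. These are what go onto the Yubikey, so losing
    #    the key costs you only the subkeys; the primary can revoke and
    #    replace them.
    g --quick-add-key "$FPR" ed25519 sign 1y >/dev/null 2>&1
    g --quick-add-key "$FPR" cv25519 encr 1y >/dev/null 2>&1
    g --quick-add-key "$FPR" ed25519 auth 1y >/dev/null 2>&1

    # 3. Offline backups. After a card reset you import subkeys-backup.asc
    #    into a fresh keyring and load the card again. gpg >= 2.1 also
    #    writes a revocation certificate under openpgp-revocs.d/ for you.
    gpg --batch --armor --export-secret-keys "$FPR" > "$GNUPGHOME/primary-backup.asc"
    gpg --batch --armor --export-secret-subkeys "$FPR" > "$GNUPGHOME/subkeys-backup.asc"

    # 4. Moving subkeys onto the Yubikey is interactive and not run here:
    #    gpg --edit-key "$FPR", then "key N" to select a subkey and
    #    "keytocard" to transfer it, once per subkey.
}

# Secret subkeys present in the keyring (ssb records); expected 3.
count_subkeys() {
    gpg --batch --with-colons --list-secret-keys | grep -c '^ssb:'
}

# The auth subkey in OpenSSH public-key format, ready for authorized_keys.
# With "enable-ssh-support" in gpg-agent.conf the agent then answers SSH
# challenges with that subkey, from the card once it has been moved there.
ssh_pubkey() {
    gpg --batch --export-ssh-key "$FPR"
}

if command -v gpg >/dev/null 2>&1; then
    make_keys
    echo "primary: $FPR"
    echo "secret subkeys: $(count_subkeys)"
    ssh_pubkey
else
    echo "gpg not installed; nothing generated" >&2
fi
```

Run as-is it leaves a complete keyring plus two armored backup files in a temporary directory and prints an `ssh-ed25519` line you could paste into `authorized_keys`; the point is that the primary never leaves the backup, while the card holds only replaceable subkeys.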

Which password manager do you use that supports Yubikey?
Bitwarden's paid plan supports Yubikey.
As does Vaultwarden - the self-hosted unofficial version of Bitwarden