[cowtools]

I don't buy this idea that average people can't manage a keypair. Humans already manage secrets in the form of passwords, it's not that much different.

In the worst-case scenario in which users defer to some weak/centralized system, how is that categoricially worse than the centralized systems we already have?

[ryukafalz]

> Humans already manage secrets in the form of passwords, it's not that much different.

Humans are bad at this which is why we recommend password managers.

That said, I do think keypairs are the way forward, I just also think they need either strong integrated software support in whichever device is being used, or strong external hardware support.

(Yubikeys are nice because they kind of extend the “key” metaphor that people are already used to, but I wish they shipped with a paired backup key that was provisioned with the same key material. Maybe colored red to distinguish it.)

[leaflets2]

> but I wish they shipped with a paired backup key that was provisioned with the same key material

Two identical keys, is less secure, for those who would otherwise have bought many different keys.

If you instead buy two different keys, then, when you lose the first, you can know it's safe to continue using the second one. And you can block the first one, without locking yourself out.

Maybe getting two different keys would be a good idea

[ryukafalz]

The trouble with this is that you need the second key present each time you need to enroll it to an account, meaning you can’t stash it in a safe deposit box as a backup. And you have to remember to add it to each and every account or it’s not really functional as a backup.

Yes, two different keys are more secure, but they have some pretty severe usability problems.

[freeone3000]

It is! GitHub suggests this, Gmail requires it. Yubikey has a 2-pack discount that's nearly as cheap as a single key.