[winternett]

Give copies of the keys to all your co-workers, and leave one under the doormat too for a good time... Hah!

All the added complexity of implementing minimum character limits on passwords and requiring them to be changed every 3 months literally drove people to write passwords on post its and put them on PC monitors back in 2019... Some things never change...

Maybe we should add second and third passwords, and then keep goin until admins lose root access and just use Sudo.... LOL!

[microtonal]

A YubiKey under the doormat protects against one of primary intended scenario: preventing phishing. It's unlikely that a phisher on the other side of the world has access to your doormat. Moreover:

- Modern FIDO2 keys allow you to set a password (I think sites have to implement the newer FIDO2/Webauthn standards rather than U2F to use this functionality). So then when someone takes it from under your doormat, it is worthless.

- Passkeys are coming. E.g. on Apple platforms they will be secured between devices using end-to-end encryption (through iCloud keychain) and they use biometric authentication to unlock (Face ID or Touch ID). This will make non-password authentication a lot more convenient.

[winternett]

I know, I've used them multiple times.

The thing is, no one can explain to me how it's better than just requiring 2+ passwords on each user account. You can't authenticate if you lose the Yubi when tech support is not available without circumventing the very process it was based upon... Nothing is failproof. Of course each specific use case is different.

If Facebook demanded I use a dongle or even biometrics, that would very well be the exact point I quit it though.

[ziddoap]

>The thing is, no one can explain to me how it's better than just requiring 2+ passwords on each user account.

Really? It seems pretty straightforward. In one case I have a physical object that must be physically stolen from me to access my account. In the other case, if I make 2 poor passwords, my account can be accessed from anywhere in the world, no physical access required. The pool of people who can realistically compromise my account drops exponentially.

>You can't authenticate if you lose the Yubi when tech support is not available without circumventing the very process it was based upon.

Perfect is the enemy of good. Some people sometimes losing their Yubi and having to authenticate in a different way one time is not a good reason to argue for not having them at all.

[fragmede]

U2F ("Yubi") doesn't have a "password" that's exposed to the user (you), so the attacker would have to steal it in order to get its password. Meanwhile, two passwords are basically the same as having one long password, and if the attacker gets that, then they're in.

(Yes, if the attacker can factor very large prime numbers, then they can get the "Yubi password", but if they can do that, there's a lot of bitcoin they could steal.)

U2F also signs the auth with the site's domain name, so even if the user tries to log into faceb00k.com (zeros), U2F won't let the attacker reuse the credentials on facebook.com.

This does require that you actually lose access without the second factor. In higher security environments this is enforced - if you lose the U2F device, then you can't log in. Obviously if the site lets you log in without the device then having the device doesn't actually matter.

Lost device flow is a weakness, but typically they're more involved and require the attacker to have more details about the user than a simple phish attack would have access to.

[staticassertion]

> The thing is, no one can explain to me how it's better than just requiring 2+ passwords

I'm sure many people can explain this. It's not hard. FIDO2 tokens are not phishable, the domain name is part of the challenge.

[KronisLV]

> All the added complexity of implementing minimum character limits on passwords and requiring them to be changed every 3 months literally drove people to write passwords on post its and put them on PC monitors back in 2019... Some things never change...

This does seem a bit silly, but is also the "logical" thing for many people, who won't be able to remember all of their different passwords and don't know of any better solution - thus the less tech savvy will store their passwords in a text file, a spreadsheet, or a post it note on their computer.

Personally, I don't know any of my passwords anymore. Everything is randomly generated by KeePass with the password databases being distributed across my devices or SD cards/HDDs for backups (encrypted). Once you stop thinking of passwords as something that you should "know", but rather something that you "have", then it becomes way easier. Far too many people have the wrong mindset and attempt to use the same password for multiple sites - they're one breach away from having a really bad time.

And yet, somehow we don't really talk about that and don't educate people. I don't believe that in school or university, across more than a decade of education a password manager of any sort was ever mentioned, be it a web based one or a file based one. Not even proper encryption (outside of SSL/TLS, but for websites), no mentions of PGP/GPG either. And that's after getting a Master's Degree in Software Engineering. Of course, I talked with peers and other people, including professors about these topics, but they were never officially covered in any of the courses.

That makes me think that outside of ads on YouTube for popular SaaS offerings in the space, it's a pretty dire situation for the average person.

[staticassertion]

> Give copies of the keys to all your co-workers, and leave one under the doormat too for a good time... Hah!

Straw man, not going to address this.

> write passwords on post its and put them on PC monitors back in 2019

This is fine

> requiring them to be changed every 3 months

NIST recommends against this

I don't really get your post.

[winternett]

> I don't really get your post.

That's because we are going down a rabbit hole far away from the original premise... We are talking mostly about social media here (as cited above) using 2FA... 2FA in more high value settings is a separate discussion.

In Private settings, 2FA can still be compromised by data scraped from social media, that catalogues data even on people who do not create social media profiles.

I am not arguing against the technical merits of how 2FA operates, but even with a Yubi Key, a user with system access can be compromised if they are physically extorted or abducted along with their key. The real world is a factor in security, it is not overcome by encryption.

I have listed several aspects of flaws to the security model in other posts here. Arguing about the technical bones of 2FA is a distraction/sidebar from those other valid points.