Hacker News new | ask | show | jobs
by MadsRC 1040 days ago
Do you though?

It’s been my understanding that for corporate use, only a single one should be issued because:

1: There’s an establish support team in your org that can always issue a new one (except for a few edge cases, super critical things) 2: You can’t trust users with 2 devices

For private use, nr. 1 would not be true so the recommendation rightly is to issue 2.
5 comments
androidbishop 1040 days ago
Google was one of the earliest adopters of Yubikeys, and they used them for EVERYTHING. When I worked there, we always received 2 keys: one of those itty bitty ones that sits in your USB port permanently, and a regular key that fit into our security badge holder, or you could keep at home, or whatever. The switch to security keys reduced account takeovers to 0:

https://krebsonsecurity.com/2018/07/google-security-keys-neu...

link
netheril96 1040 days ago
I have four. One attached to the desktop, one attached to the laptop, and two carried with all my mechanical keys (one of them supports NFC and another supports USB-C).
link
androidbishop 1040 days ago
glutton ;-p
link
lokar 1040 days ago
And if you somehow get locked out you can show up at the help desk in person, or VC in with your manager on the call to Id you
link
lijok 1040 days ago
I've not heard an argument before for why a user cannot be trusted with 2 keys
link
Spooky23 1040 days ago
It depends on where you work.

I’ve supported users who would eBay the second one, if they were smart enough to do that.

link
diarrhea 1040 days ago
But is an engineers time not worth more than an additional key users can do self service with? Seems like a really thin argument given how cheap the keys can be.
link
darthwalsh 1040 days ago
At Google the IT desk had a jar of Yubikey. You could just take and enroll however many you wanted.
link
DANmode 1040 days ago
Your manager holds your backup.

If you're their number two, possibly you hold theirs.

link
eropple 1040 days ago
I've never heard of this practice and would throw the book at anyone who implemented it in a shop I worked at.

You keep both your keys, one securely and one at-the-ready.

link
DANmode 1039 days ago
This is fair, but I have to note, a little out of date for startups which can be 100% remote to the point of founders not having a home city, let alone one stable, secure place to stash a backup.

Yes, safety deposit boxes. Yes, family, yes friends. Yes, attorneys.

But also what I said initially.

link