[hnbear]

In addition, Okta Admins can also recover accounts, so loss of the Yubi doesn't mean the account is locked out forever. You can easily provision a different 2FA method.

When we deployed we banned Verify (didn't want any OTP), but encouraged TouchID, and the Yubi. If someone was locked out we could temporarily enable Verify, or reset their Macbook or Okta access so they could reregister into either.

But,in deploying 1500 or so yubikeys over a 5+ year period we never saw one actually break. Employees would often say they'd broken, but troubleshooting normally was user error.

The worst we saw were a few cases where Yubis needed unplugging and replugging (sometimes being left out for an hour or so).