by tuatoru 1009 days ago
Eleven years ago I got four yubikeys, two pairs as recommended by Yubico. One pair for personal use and one for work.

I tested the personal key pair first. The primary yubikey I had on my (physical) keyring failed spontaneously after less than three weeks of being carried around in my pocket. That was the end of that.

I am not going back to physical tokens, except for RSA tokens and purely mechanical keys. Those have an adequate track record.


I have four Yubikeys.

One of them is a black one that work gave me for use with the work computer. I’ve had this Yubikey for over 1 year.

Three of them are blue ones I bought from Amazon, that I also added to my SSO profile at work. I’ve had these Yubikeys for several months.

One of them I keep in my wallet most of the time. One of them I keep on my desk and bring in my backpack when I go somewhere. One I keep in a box. One is somewhere in the room.

I rotate between these, and I switch which one I keep in the wallet, which one I keep in a box etc.

It’s worked well for me so far. None of them have failed yet, and when one does fail or get lost I will remain confident that the other ones I have will continue to work long enough that I can order even more Yubikeys to replace whichever ones went bad.

Yeah, if you want to be a charity donating to Yubico, godspeed. Not my cup of tea.
Yubikeys are $50. Ten are $500. Mine protect keys that can decrypt data worth hundreds of millions of dollars.

My $500 worth of Yubikeys has lasted me 5 years and counting, so we're at <$10/month TCO. That's to have 10 of them.

Data worth hundreds of millions of dollars? What’s an example of data that an entity would realistically pay hundreds of millions of dollars for? The only thing that comes to mind would be the database backups of user data of a large company’s software, which is literally irreplaceable if lost (but then infinity is larger than one hundred million…)
I am the co-founder of Keyternal.

https://keytern.al (website painfully out of date)

I estimate the hundreds of thousands of cryptocurrency private keys we safeguard (in conjunction with the keys held in other organizations, via multisig) have at points in time protected somewhere on the order of single digit billions USD.

We're not a wallet provider, just a backup key storage service, so I couldn't get exact figures even if I wanted to: by design we don't have that information about our customers.

The PGP-encrypted keys are held completely offline (cold) in vaults, the set of Yubikeys (in other, different vaults) is used during signing ceremonies to temporarily decrypt them (only in ram, on offline computers without storage) to produce recovery signatures when our customers run out of other options. We're the last resort in a DR plan.

It requires careful coordination with another keyholder (a different organization) to produce valid transactions; neither ours nor theirs alone is sufficient. Transactions need two signatures: one from each. In that sense, neither key is "worth" anything by itself, but together they protect large sums.

What happens when someone who stores their keys with you passes away? Do you have contact details for who in their family to reach out to, to help them recover the money of the deceased person?
I have a lot of yubikeys. The one I still use the most is my first one: the RFID-enabled one that isn't even on their history pages. It's been on my keys for more than 10 years, and I wouldn't say it looks new, but it doesn't look very much unlike the 5s it's next to. Neither has ever failed me.
I have around 4 Yubikeys on my (physical) key ring. I purchased two of them back in 2014. None of my keys have ever had an issue.

For me the track record has been perfect.