by filleokus
889 days ago
The problem I've always had with the two-YubiKey model (except for cost and inconvenience, of course) is that you can't really keep the second key in cold storage, because you need to enroll it to new accounts. That doesn't happen every day, but probably regularly enough that you can't keep it in a bank vault or something. On the other hand, you know the second one works and hasn't spontaneously bitrotted. My nerdy preferred version would have been (pre-passkey) to have a hardware token where the root secret is generated out-of-device and exists on e.g. a paper backup or something. Then I could just buy a new hardware token and inject the same token if the device dies.