by leftbehind 674 days ago
We haven't had any issue getting all of our staff -- nontechnical users alike -- on yubikeys. As part of education we skip the PKI portion and just point out that it is "like your physical house key. You plug it in and touch it to turn the key to unlock"
3 comments

For business use, handing out yubikeys is completely reasonable - if they're lost or broken, the company is the authority and they can (and do) just re-issue a new one and work goes on with only a temporary interruption. They're easy to explain, fast to use, provide practical security, and are simple to recover in case of total failure.

For personal use, that equation is wildly different. Google isn't going to let you attach a brand new key, you've just lost your account forever because it rained.

Yes, and our staff uses ssh keys (generally but not always without issue) and a commercial MFA app. It's one thing to get this stuff used in a controlled environment where you have a help desk or administrators who can do a lot of the setup. You just hand the employee their YubiKey or smart card and say "use this."

Trying to imagine your grandmother setting it up herself to be able to log in to her Facebook is another matter, and why these things have never worked for the general public.

You probably use certificates and a company PKI to manage them. No need to stress if one is lost or locked, just revoke and whip up a new certificate.

At home Yubikey is probably synonymous with FIDO, not PIV/PKI. No whipping up a new one if you lose it. You better have 3 of them enrolled at any time, and have at least one stored off site.
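The comment above makes the point that a FIDO credential is bound to one device and no authority can re-issue it, so redundancy has to be enforced by the relying party rather than recovered after the fact. The following is an added example, not code from any commenter or from any real service, of how a relying party's account-security backend could enforce that: it refuses to let a user delete an authenticator if doing so would drop them below a minimum count, reports users who are already below the floor, and flags accounts whose keys are all the same model. The `MIN_AUTHENTICATORS` floor, the `FidoCredential` fields, the model identifiers and all user data are constructed for illustration.

```python
"""Relying-party side redundancy guard for device-bound FIDO credentials (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumption: the floor an RP enforces. The thread suggests three enrolled keys
# with one kept off site; two is the smallest number that survives a single loss.
MIN_AUTHENTICATORS = 2


@dataclass(frozen=True)
class FidoCredential:
    credential_id: str   # base64url credential ID returned by the registration ceremony
    aaguid: str          # authenticator model identifier (constructed placeholder, not a real AAGUID)
    label: str           # user-chosen nickname for the key
    registered_at: datetime


class RecoveryPolicyError(Exception):
    """Raised when an operation would leave the account one lost key away from lockout."""


class CredentialStore:
    """Tracks enrolled FIDO credentials per user and enforces a redundancy floor."""

    def __init__(self, minimum: int = MIN_AUTHENTICATORS) -> None:
        self.minimum = minimum
        self._by_user: dict[str, list[FidoCredential]] = {}

    def enroll(self, user: str, cred: FidoCredential) -> None:
        creds = self._by_user.setdefault(user, [])
        if any(c.credential_id == cred.credential_id for c in creds):
            raise ValueError(f"{cred.credential_id} is already enrolled for {user}")
        creds.append(cred)

    def enrolled(self, user: str) -> list[FidoCredential]:
        return list(self._by_user.get(user, []))

    def can_remove(self, user: str, credential_id: str) -> bool:
        """True only if the credential exists and removing it keeps the user at or above the floor."""
        creds = self.enrolled(user)
        if not any(c.credential_id == credential_id for c in creds):
            return False
        return len(creds) - 1 >= self.minimum

    def remove(self, user: str, credential_id: str) -> None:
        if not self.can_remove(user, credential_id):
            raise RecoveryPolicyError(
                f"refusing to remove {credential_id}: {user} would have fewer than "
                f"{self.minimum} enrolled authenticators")
        self._by_user[user] = [c for c in self._by_user[user] if c.credential_id != credential_id]

    def users_below_floor(self) -> dict[str, int]:
        """Accounts that are already unrecoverable after a single loss, for a nag or report."""
        return {u: len(c) for u, c in self._by_user.items() if len(c) < self.minimum}

    def single_model(self, user: str) -> bool:
        """True when every enrolled key is the same model: a model-wide defect would take all of them out."""
        aaguids = {c.aaguid for c in self.enrolled(user)}
        return len(aaguids) == 1


def build_demo_store() -> CredentialStore:
    """Constructed sample data: one user following the three-key advice, one with a single key."""
    t = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = CredentialStore()
    store.enroll("alice", FidoCredential("cred-a1", "model-X", "keychain", t))
    store.enroll("alice", FidoCredential("cred-a2", "model-X", "desk drawer", t))
    store.enroll("alice", FidoCredential("cred-a3", "model-Y", "off-site safe", t))
    store.enroll("bob", FidoCredential("cred-b1", "model-X", "only key", t))
    return store


if __name__ == "__main__":
    store = build_demo_store()
    print("below floor:", store.users_below_floor())
    store.remove("alice", "cred-a3")          # allowed: two keys remain
    try:
        store.remove("alice", "cred-a2")      # refused: would leave one key
    except RecoveryPolicyError as err:
        print(err)
```

The check belongs on the server side of the account-management flow, not in the browser, since the whole point is that the user cannot undo a deletion once the last key is gone. The `single_model` flag is a softer signal: the floor protects against losing a key, while mixing models protects against all keys failing the same way at once.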

We enroll them as standard fido/webauthn - I hate the other modes.

I agree it requires significantly more work when you can't just call the locksmith for a new one -- IT -- if you lose one on your personal account you can only go get the spare key hidden under the doormat, a printed code in your safe, or lose the account.