Hacker News new | ask | show | jobs
by crote 406 days ago
This doesn't solve the problem, unfortunately.

The issue with hard tokens is that there is only one of them. By design, you can't back up a Yubikey's content to a second token. This means that any time you add 2FA to a new account, you must have all of your hard tokens in your possession to enroll them. This means a "one token on your keyring for daily use, one token in a safety deposit box as backup" approach isn't possible.

Yubico did propose a potential solution five years ago[0], but that proposal seems to have gone nowhere. Until something like that gets implemented, FIDO2 (and by extension Passkeys) requires some form software implementation backed by cloud synchronization to actually be usable for the average person.

[0]: https://www.yubico.com/blog/yubico-proposes-webauthn-protoco...
1 comments
hanikesn 406 days ago
It works well enough. When you need to signup for a new service on the go, you can add your backup key when you get to it. Having the backup key in a safety deposit box hardly accessible seems like a non-goal given you protect it with a pin with a very limited number of retries.
link
godelski 406 days ago 

  > When you need to signup for a new service on the go, you can add your backup key when you get to it
Good on paper, bad in practice.

Requires you to remember doing that each and every time. Incidentally this isn't that different from just grabbing your keys like the parent suggested. Only it introduces a new variable: time delay. A lot can happen in that time and we all know the reality is that even a diligent person is going to slip now and then. It surely isn't a reasonable expectation for an average person.

link
blibble 406 days ago
I have three: 1) local usage 2) local backup key 3) remote backup key

every few months I swap 2 and 3, and re-enroll any missing (kept track of with a spreadsheet)

quite annoying, offline enrollment would be considerably better

link
rssoconnor 406 days ago
This is the way.
link
lxgr 406 days ago
> Having the backup key in a safety deposit box hardly accessible seems like a non-goal

It's absolutely a goal, since a PIN doesn't prevent your security key from loss, theft, or physical destruction.

link
bitzun 406 days ago
I keep it in a secure separate location in case my house catches on fire.
link