
Yes. I won't use U2F on services that don't allow multiple keys because of this. I have two keys in different places so it's easy to use.


How do you handle adding both keys if you store them in different locations?

Right now I do something similar, but I have to keep a list of which accounts I need to add to key 2, and the key is offsite, so I have a several week period during which an account only has one key associated with it.


I have one key permanently plugged in to my desktop at home. I have another on my keychain that I can use at work or if I'm travelling or whatever. This allows quick access to a yubikey anywhere I am. My previous problem (when I owned only 1) was that my keys were always in another room when I was home, and getting up to get them was too annoying when logging in to things. Now I have a backup if either is lost and I'm more-or-less guaranteed to have a yubikey within reach anytime it's needed.


You don't necessarily need two security keys. Written down backup codes or an authenticator app are also good second factors.


If you can just fall back to authenticator app by saying "oops don't have yubikey now" then you get no extra security for using a yubikey.


You may consider that the authenticator offers enough security but a Security Key is more convenient. I hate typing 6-digit codes into things, touching the little contact or pressing the button on my Security Keys is much more tolerable.

Now, personally I wouldn't want the phishable Authenticator as fallback, but it's definitely better than SMS for example.


Maybe I'm misunderstanding, but I thought the whole idea of a Yubikey was that it proves who I am because I have it, no? If I own 4 Yubikeys, how does the system know whether I'm really me, or if I'm someone who's stolen one of my Yubikeys?


If you have one Yubikey, how does system know if it’s really you or someone who stole your key?


It is a second factor, so they'll also need to know your password.

You will notice your key missing, then you can disable that key with your backup key. With only a password, it becomes a lot harder to notice someone stole your pw.
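The "disable that key with your backup key" step above is only possible if the service stores each registered key as its own credential and lets you remove one while logging in with another. As an added example that is not from this thread or from any Yubikey or U2F library, here is a small Go model of that relying-party side: each authenticator holds its own P-256 keypair and signature counter, the server keeps only public keys, accepts a login from any registered key, and can revoke one without touching the rest. The credential labels ("home-key", "keychain-key"), the app id, the challenge bytes and the simplified signed message (SHA-256 of app id, counter and challenge, rather than the exact U2F signing format) are all constructed assumptions for illustration; a real key also derives a separate keypair per site.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator models one security key: a P-256 keypair plus a counter that
// increases on every signature (a real U2F key mints a keypair per site).
type Authenticator struct {
	Name    string // hypothetical label standing in for the U2F key handle
	priv    *ecdsa.PrivateKey
	counter uint32
}

func NewAuthenticator(name string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{Name: name, priv: priv}, nil
}

// Assertion is what the key hands back for one login challenge.
type Assertion struct {
	CredentialID string
	Counter      uint32
	Signature    []byte
}

// signedData is the message both sides agree on: SHA-256(appID || counter || challenge).
// This is a simplified stand-in for the real U2F signing format.
func signedData(appID string, counter uint32, challenge []byte) []byte {
	ctr := make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, counter)
	h := sha256.Sum256(append(append([]byte(appID), ctr...), challenge...))
	return h[:]
}

// Sign bumps the counter and signs; the private key never leaves the device.
func (a *Authenticator) Sign(appID string, challenge []byte) (Assertion, error) {
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedData(appID, a.counter, challenge))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{CredentialID: a.Name, Counter: a.counter, Signature: sig}, nil
}

// credential is the relying party's record of one registered key: public key only.
type credential struct {
	pub         *ecdsa.PublicKey
	lastCounter uint32
}

// Account holds any number of registered keys; any one of them can log in.
type Account struct {
	AppID string
	creds map[string]*credential
}

func NewAccount(appID string) *Account {
	return &Account{AppID: appID, creds: map[string]*credential{}}
}

func (acct *Account) Register(a *Authenticator) { acct.creds[a.Name] = &credential{pub: &a.priv.PublicKey} }

// Revoke drops one key and leaves every other registered key untouched.
func (acct *Account) Revoke(credentialID string) { delete(acct.creds, credentialID) }

// Verify checks the signature against the registered public key and insists
// the counter moved forward, which rejects replays and cloned keys.
func (acct *Account) Verify(challenge []byte, as Assertion) error {
	c, ok := acct.creds[as.CredentialID]
	if !ok {
		return errors.New("unknown or revoked credential")
	}
	if !ecdsa.VerifyASN1(c.pub, signedData(acct.AppID, as.Counter, challenge), as.Signature) {
		return errors.New("bad signature")
	}
	if as.Counter <= c.lastCounter {
		return errors.New("counter did not increase: replay or cloned key")
	}
	c.lastCounter = as.Counter
	return nil
}

func main() {
	home, _ := NewAuthenticator("home-key")
	acct := NewAccount("https://example.test") // constructed app id
	acct.Register(home)
	challenge := []byte("constructed-challenge") // a real server draws a fresh random one per login
	as, _ := home.Sign(acct.AppID, challenge)
	fmt.Println("login:", acct.Verify(challenge, as))
	acct.Revoke("home-key") // the lost key is dropped; a second registered key would still work
	as, _ = home.Sign(acct.AppID, challenge)
	fmt.Println("after revoke:", acct.Verify(challenge, as))
}
```

With two keys registered, revoking "home-key" makes any further assertion from it fail with "unknown or revoked credential" while the keychain key keeps working, which is the recovery path the comment describes. A service that allows only one key has nothing to log in with at that point, which is the complaint at the top of the thread.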


Right. That also applies to N number of keys, too.


The difference is, if you have 1 U2F key, people who steal your U2F key gain access to one half of the two factors for ALL services you use.

With 4 U2F keys, people who stole 1 of your U2F keys gain that one factor for only the services that you tied to that key.


U2F is much narrower than full Yubikeys.



