The author makes a few good points, but I find the author's critique of Yubikey weak:
>Cost. The average YubiKey is £50...
If that's too expensive for ensuring your internet security, then either you underestimate the risks, or undervalue your information. If a Yubikey cost 10 times more it would still be a bargain.
>Usability. Buy a device, register it, install the app, configure it, find the setting in the website, enable it, hope your machine has the right sort of USB ports, press the button at the right time.
Pressing the button at the right time was a joke, right? Although, I admit it may be challenging for people with disabilities. Websites making it hard to find 2FA settings is not a Yubikey's problem, it's a website problem. Setting up a Yubikey is rather straightforward too. The main issue is the inability to clone a Yubikey programmatically, but that's the price of security.
>Convenience. My YubiKey is on my keyring. My keys are in my coat...
That can't be serious either. I won't even elaborate on this.
>Risk. YubiKeys have no password lock of their own. At least my crumby Android has a fingerprint lock to prevent people getting my 2FA tokens. But if you’ve stolen my laptop and the YubiKey is plugged in, then you’ve got the keys to my kingdom.
That's actually the only valid point I somewhat agree with. Again, this is largely mitigated by developing the right habits. You don't leave your car keys hanging in your car's lock after leaving the car in a parking lot, right? Then why do it with Yubikey? If developing a new minor habit represents a problem, then either you underestimate the risks, or undervalue your information.
An additional password/fingerprint protection would be nice though. I agree on that.
>Support. WebAuthn is a great standard – but only a few sites support it...
Again, this is not a Yubikey's problem. It's a website problem.
I mean, you say all this, but more or less these are the same complaints I hear from even seasoned IT professionals every single day when it comes to security.
Even the "the key is in my coat" is not a joke at all -- I've had clients who got compromised by a malicious insider because some admin wrote passwords on a sticky note simply because "password managers are cumbersome".
I get what you're saying on each point, but understand that security is as much about discipline as the actual security you implement. You can have the best of the best, but it doesn't mean anything without the discipline to use it, and I suppose that's what the author is trying to convey.
You even touch on it in your response about developing the right habits, and that's the author's point -- without discipline, the Yubikey means nothing.
>Again, this is not a Yubikey's problem. It's a website problem.
On this point I can't really agree at all; Yubikey might have a solid solution for a problem, but if no one is implementing it, then it's a solution looking for a problem. The mythical "average user" won't be persuaded to drop any amount of money on a dongle that does nothing; if it doesn't work for a large majority of their most common sites, then it's just a waste of money.
I'd suggest it __is__ Yubikey's problem as they're not promoting their value to sites in a way that implementation is a no-brainer. Checking on their compatibility list for common chat applications, common forums, common message boards/imageboards, and common shops world-wide, the adoption is very limited. Surely the admins of popular sites are aware of Yubikey, but at some point there was a decision not to add functionality -- Yubikey needs to make the effort to promote adoption and figure out where the resistance comes from.
Of my daily sites that I might expect to be aware of/implement some hardware security, only reddit is on the list of "works with Yubikey", and I pretty rarely use reddit. Listing sites my friends and family use on a day to day basis, only Google Accounts comes up.
That's what the post is talking about. Yubikey does not have the penetration to be viable to "average users", and even for tech persons, the device is useless without the discipline to adjust habits in the first place, which most people just don't have.
>security is as much about discipline as the actual security you implement
Totally agree on that. The author's main ranting about Yubikey is that it requires developing new habits, but that's exactly the point.
>they're not promoting their value to sites in a way that implementation is a no-brainer.
That's a good point. Although, poor adoption of hardware tokens even by banks (e.g. no bank in Canada supports Yubikey) is surely not because it's hard to implement. It's a "chicken-or-egg" problem. Organizations don't support hardware tokens because few people use them, and few people use tokens because many organizations don't support them anyway. Yubikey and other hardware token vendors could've done a better job promoting and simplifying using hardware tokens.
I don't know if the author of the blog post means something else but if you're using 2FA tokens (i.e. Yubikey Authenticator) you can put password protection for additional security.
YubiKeys have a PIN for FIDO2 passwordless auth, see the `ykman fido set-pin` command (IIRC, there's a GUI for this as well, but I don't have a single passwordless login - to the best of my awareness, not a single website on the web that I use seems to support this).
This is different from typical U2F operations, though, where the website asks for a password ("know") and a hardware token ("have"). For those, the password is the secret part already.
If someone phished someone's password AND stole one's Yubikey - well, this is a very peculiar situation, where, indeed, the scenario fails. If someone steals a laptop with Yubikey plugged in - they (hopefully) don't have passwords. Unless someone had set it up to login and open their password manager with just a touch of the said Yubikey, without anything extra. Which is, again, quite a peculiar situation.
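The "know" plus "have" flow the comment above describes, written out as an added example (my code, not any commenter's and not Yubico's). It models a website that only issues a signing challenge after the password checks out, a token that answers the challenge, a single-use challenge so a captured answer cannot be replayed, a signature counter so a server can spot a clone that falls behind, and the optional device PIN mentioned for FIDO2. Assumptions: an HMAC over a per-site secret stands in for the real FIDO public-key signature, and `example.com`, the usernames and passwords are constructed.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor for the stored password hash


class Authenticator:
    """Stand-in for a hardware token. Assumption: an HMAC with a per-site secret plays
    the role of the private-key signature a real FIDO key produces. The counter mirrors
    the signature counter real keys return. An optional PIN models the FIDO2 PIN."""

    def __init__(self, pin=None):
        self._pin = pin
        self._creds = {}  # rp_id -> per-site secret generated at registration
        self.counter = 0

    def register(self, rp_id):
        secret = secrets.token_bytes(32)
        self._creds[rp_id] = secret
        return secret  # toy: the server keeps this to verify the token's answers

    def sign(self, rp_id, challenge, pin=None):
        # A PIN-protected key refuses to answer without the PIN (user verification).
        if self._pin is not None and pin != self._pin:
            return None
        secret = self._creds.get(rp_id)
        if secret is None:  # never registered with this site
            return None
        self.counter += 1
        msg = rp_id.encode() + challenge + self.counter.to_bytes(4, "big")
        return self.counter, hmac.new(secret, msg, hashlib.sha256).digest()


class RelyingParty:
    """Website asking for something you know (password) and something you have (token)."""

    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.users = {}
        self.pending = {}  # username -> outstanding one-time challenge

    def register(self, username, password, token):
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS),
            "cred": token.register(self.rp_id),
            "counter": 0,
        }

    def start_login(self, username, password):
        """Factor 1 ('know'). A challenge is only issued once the password is right,
        so a stolen token on its own never gets anything to sign."""
        user = self.users.get(username)
        if user is None:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], ITERATIONS)
        if not hmac.compare_digest(candidate, user["pw_hash"]):
            return None
        challenge = secrets.token_bytes(32)
        self.pending[username] = challenge
        return challenge

    def finish_login(self, username, assertion):
        """Factor 2 ('have'). The challenge is consumed here, so a recorded assertion
        is worthless afterwards; a non-increasing counter hints at a cloned device."""
        user = self.users.get(username)
        challenge = self.pending.pop(username, None)
        if user is None or challenge is None or assertion is None:
            return False
        counter, tag = assertion
        msg = self.rp_id.encode() + challenge + counter.to_bytes(4, "big")
        expected = hmac.new(user["cred"], msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag) or counter <= user["counter"]:
            return False
        user["counter"] = counter
        return True


def login(rp, username, password, token, pin=None):
    """Whole exchange; True only when both factors pass."""
    challenge = rp.start_login(username, password)
    if challenge is None:
        return False
    return rp.finish_login(username, token.sign(rp.rp_id, challenge, pin))


def demo():
    rp = RelyingParty("example.com")  # constructed site and accounts
    key = Authenticator()
    rp.register("alice", "correct horse", key)
    results = {
        "password+token": login(rp, "alice", "correct horse", key),
        "token only (password unknown)": login(rp, "alice", "guess", key),
        "password only (no token)": login(rp, "alice", "correct horse", Authenticator()),
    }
    challenge = rp.start_login("alice", "correct horse")
    assertion = key.sign(rp.rp_id, challenge)
    rp.finish_login("alice", assertion)  # legitimate use consumes the challenge
    results["replayed assertion"] = rp.finish_login("alice", assertion)
    pinned = Authenticator(pin="1234")  # FIDO2-style PIN on the device itself
    rp.register("bob", "hunter2", pinned)
    results["pin key, wrong pin"] = login(rp, "bob", "hunter2", pinned, pin="0000")
    results["pin key, right pin"] = login(rp, "bob", "hunter2", pinned, pin="1234")
    return results


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {'login' if ok else 'denied'}")
```

The "token only" case is the stolen-laptop scenario from the thread: with the key plugged in but the password unknown, the site never even hands out a challenge. The PIN cases show the extra device-side check the `ykman fido set-pin` command enables.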