Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Not sure why the author is so negative on Yubikey. His only reason is that an attacker can steal his laptop with the key plugged in. That’s a user error.

I much rather have Yubikey over all other forms of security because it simply forces the attacker to be physically present. Why is that important? Because even if your laptop is stolen with your Yubikey at a local Starbucks, you’re more likely to catch that person versus a completely remote attack. Security isn’t just about attacks. You also need to think about mitigation and recovery following the attack.



Author here. I did provide a few other reasons - mostly around usability of YubiKeys. Try observing a non-techie set one up and tell me if you think it is as easy as it could be.

Realistically, you're probably not going to catch a mugger. Otherwise robberies like that wouldn't occur. Snatching a laptop with a key physically plugged in it is probably easier than snatching a laptop and a separate phone.

Regardless of my opinions on tech, if you think being mugged is "user error" then may I suggest spending a couple of days volunteering for a local Victim Support charity.


I have helped literally hundreds of people setup Yubikeys across several companies.

Your take is just not my experience at all. Tapping a blinking light it is much easier than fussing with a 2FA app and works when someone's phone is dead. Yubikeys in particular are near indestructible. They even work after you soak them in acetone overnight and melt the plastic off. I tried.

When it says "plug in your device" you plug it in. When it says tap you tap.

Also the mugger comment is not part of a typical threat profile. Yubikeys and similar devices are meant to protect you from remote attackers which is the class of attack 99.9999% of people need to defend against.

If a mugger points a gun at you, no form of 2FA is going to save you.

Also my Yubikey has a pin enabled and fingerprint enabled WebAuthn devices exist. I have several. If you are carrying things so valuable you are worried about being mugged, you can probably afford a higher end model with a fingerprint or pin.

Edit: yes I know random muggings happen, but a hit and run mugger that knows what a Yubikey is and already has your password is a hiiiiighly targeted attack. -That- pretty much never happens unless you are walking around with a $1,000,000 in Bitcoin in which case it has happened a total of 5 times that are public.


If it's so easy why did you have to help hundreds of people across several companies set it up?


You have to (well, I guess if it isn't your job you don't have to but it's polite) help people set up anything. Doesn't mean it isn't easy. Helped my mum set up Zoom (so she could attend virtual church apparently), is Zoom not easy?

Two (three?) jobs back I had to set a bunch of people up on one time passcodes. Those seem pretty easy right? Still had to go there in person and show them.


If my Yubikey gets stolen, how do I log in into my accounts?

Serious question; never understood how that works.


This is akin to asking how do you start your car if you lose your keys? Enter your house? You have backups or other recourse to get things rekeyed.


This was confusing to me until I realized a couple of things:

- you can still have TOTP enabled on the site as a backup 2FA method - you can configure multiple yubi keys for a single site - so I have one on my keychain that does NFC + USB-C for my MBP, and another “Nano” key that is left in my home imac - they are both registered with most of the sites I’ve configured

If my keychain is lost/stolen then I can still login from home or with my TOTP code as a fallback.


That’s how 2FA works. It’s a physical token.

You either have other 2FA devices or backup codes.


Depends. Some have a bunch of magic numbers you can use as alternative "second factor", basically another password for the special purpose of bypassing a real 2nd factor. That's of course stupid and dangerous.

Then there are those where you can register another 2nd factor, e.g. another Fido-Key, SMS-Codes or recovery email. Those might be better or might be worse, depending on the method and circumstances. E.g. SMS is vulnerable to all kinds of SIM-Cloning and redirection stuff, email is vulnerable to whatever your email might be vulnerable to.

The only thing I would accept as really idiot-proof and secure is "go someplace, show a government-issued hard-to-fake ID" (like a passport, not your drivers license...) like banks do. But that only works with physically present businesses and accounts that are strictly tied to one person. And even there, "Joe Smith" might impersonate "Joe Smith"...


I have a backup U2F device. You can register multiple with any account.

If I somehow manage to lose both, I assume I’ll have to talk to a customer support rep or something.


This depends on the service supporting it though, and not all of them do (e.g. AWS).


Second yubikey ;)


The last time I've used the configurators on Windows and Linux they provide the private key material for one to backup.


Some other responders have given you the answer as it currently exists. They are all either inconvenient, weaken security, or both. For that reason, I would only suggest using a security key for a small number of critical services, where it's worth the extra effort to deal with the backup mechanisms.

However, a good solution for this issue is finally in the works: https://www.yubico.com/blog/yubico-proposes-webauthn-protoco...


Having two keys, one of which you keep in a secure place, seems pretty simple and intuitive to me.


What does your workflow look like when you set up new credentials?


If you mean when registering for a new account, annoyingly you need to physically have each key with you to register it with a new service. Biggest flaw in the spec IMO.


You need both of the devices when you set it up. That is one thing they are working on fixing, and is easily the biggest hassle of the whole thing.


If creating new accounts only when you are at the secure location where your backup key lives works for you that's great, but I suspect that most people in that situation would do one or more of the following:

(1) Store their backup key in a more convenient, but less secure location (likely their home), putting them at risk of losing both the primary and backup key to the same event.

(2) Enroll only their primary key when an account is created, putting them at risk of locking themself out if they forget to add the backup at some point.

(3) Only use security keys for the highest value accounts, which tend to be a small enough number that you have a chance of actually remembering to add the backup key every time you set one up.

Of these, #3 is the only one that doesn't pose what I consider an unacceptable risk of lockout to the average person, so that's what I recommend.


"Secure" is a relative term. ;-)

The location doesn't need to be "secure" in the military sense of the term. Mainly you want it "secure" in the sense that if you lose the one key, you won't have lost the other key at the same time.

In the end, the two keys are equivalent from a risk profile if they are compromised, and for most people, the one they carry with them is going to be the weak link in the chain, so additional security on the other key isn't really accomplishing much.

In truth, if your home isn't secured, there's enough holes in most people's online security that someone in your home could find a way to compromise much of your online security (and from there, most of the rest).

Just keeping the other key tucked away in a drawer has some risk, but is pretty decent for most people. Keeping it locked in a fireproof safe in their home along with other important documents/keys/bits is a better choice and not terribly inconvenient.

If you want to be more thorough, you can always have a third key that you keep locked away in a bank vault, and you do "wing it" with just two keys for a period of time on new accounts.

What you don't want to do is "wing it" with one key (though AWS seems to think that's the way to do things). That can lead to disaster. What you also don't want to do is only use it for a subset of your accounts, because in practice most people are terrible at risk compartmentalization, so invariably a compromise of some of your accounts quickly becomes a compromise in all of them.

In my experience #1 is the right way for most people to go. There are disaster scenarios where you lose both keys, but usually that's a disaster severe enough that recovering your online access is the least of your worries, and it does a great job of mitigating the much larger risk of mismanaging the security of accounts that aren't secured with the key.


I agree with your definition of secure for this topic. I don't agree that a primary residence qualifies as secure under that definition. Fire, flood, earthquake, etc all put you at risk of losing both keys, as does a search by law enforcement.

I _really_ don't agree that if one of those things happen I will no longer care about accessing my digital possessions/accounts. If anything I need that access more than I did before it happened.

And home isn't really convenient enough for many people: I, for one, frequently create accounts at work and when traveling. This subset of people are going to be doing either #2 or #3.

For the folks that are still using the same password everywhere I think a password manager is a better recommendation than a security key. For one it helps them everywhere, not just the small number of sites that currently support U2F/Webauthn. For another, such a person is probably at high risk of making mistake #2.


"I _really_ don't agree that if one of those things happen I will no longer care about accessing my digital possessions/accounts. If anything I need that access more than I did before it happened."

You might care, but most people would have bigger problems at that point.

> I, for one, frequently create accounts at work and when traveling. This subset of people are going to be doing either #2 or #3.

Yes, that's the use case where they are working to extend the protocol for using backup keys: https://www.yubico.com/blog/yubico-proposes-webauthn-protoco...

Again, most people aren't on the road a lot, and most of those that do already follow so many other bad security practices when they do so that creating new accounts in that context will already be fraught with peril regardless of the mechanism you use... and they'd probably be increasing their exposure if they used a password manager. I'd advise them to not do it, or to create a temporary account using some low-security, low-tech compartmentalized mechanism (like writing the passwords on a piece of paper ;-) and then delete the whole thing and create a new one from scratch when they get home, because that's probably less likely to be a problem. ;-)

"For the folks that are still using the same password everywhere I think a password manager is a better recommendation than a security key. For one it helps them everywhere, not just the small number of sites that currently support U2F/Webauthn. For another, such a person is probably at high risk of making mistake #2."

I do use a YubiKey secured password manager for services that do not currently support U2F/Webauthn, so I agree that is really the only practical solution for certain cases. There's an in between space where you can use the SmartCard protocol or hardware based OTP, but... My observation has been that for "most people" the non Webauthn cases are a) not necessary and b) actually far more difficult for them to manage, leading to them simply not using the password manager for a lot of cases.

It turns out the typical person's needs are surprisingly limited, but the risk is enormous as is the number of "pathways to failure".


> If a mugger points a gun at you, no form of 2FA is going to save you.

https://xkcd.com/538/


Hey I understand but didn’t think other reasons were valid. I apologize if my comment came out curt. I know how that feels. However, I think you should reconsider your opinions on Yubikey. They’re significantly better than all other commercially available security solutions at the moment.

Edit: your comment also gave me an idea. Perhaps there should be a phone-based service that you can dial that locks out your account for a predetermined time period? Or it could even be tied to someone else that you can trust.


Your opinion is in this case based on your ignorance and misunderstandings. The main threat model U2F key protects against is phishing, and phishing is the largest threat currently. The password is sufficient to protect you for opportunistic offline attacks like theft or loss.


> may I suggest spending a couple of days volunteering for a local Victim Support charity.

Please try being less condescending.

Losing the keys, due to whatever reason, means losing one factor. If the user loses the key, the "mugger" still needs to get the users' passwords.

2FA = something you know + something you own. Having one factor compromised should not compromise your accounts if the service you are using is configured correctly.


> 2FA = something you know + something you own.

That's not exactly correct. Another factor is something you are, such as a fingerprint or eye. There are three classes of factors from which drawing any two is called 2FA.

There is also a 1.5 factor auth, used for example by many banks, in which there is a server challenge for the very vulnerability stated in the article.


What’s the second factor with yubikey? The site seems to say it’s passwordless.


A yubikey doesn't replace a password.


Oh, it seemed like that was what this site was saying:

https://www.yubico.com/solutions/passwordless/


Speaking as an author of a webauthn library who helps users set up their security keys as part of their training, it's about as easy as it can be. We give each of our customers 2 yubikeys for each user when they sign up, tell them to keep one on their keychain and the other in a safe location only accessible to them. If you lose/destroy your main key revoke its access use your backup and buy/setup a new one. No one has had difficulty understanding the process for our site since we show them all the steps up front and describe what to do in common scenarios. If your customers have a problem setting it up, it's a reflection of poor user experience not protocol design.


If your laptop get stolen (with Yubikey in it) you only loose one of your TWO factors. So the thief does not have access to your account since they don't know your passwords.

Also, if a user can't learn how to operate a Yubikey after 10 minutes I don't think there is anything that can keep them safe online.


I've spent a lot of my life around Toxteth and Moss Side, and that doesn't affect my threat model relevant to phishing and FIDO. Mugging is probably less of a threat than break-in anyway, as far as compromised hardware goes. You separate the token when it's at risk, and the setup procedure claimed for FIDO, to the extent it exists, seems about as easy as it could be. It's a key. People can understand physical security to a reasonable degree, and typically not abstract computer security.


I agree on the idea around usability of YubiKeys. I have them also and believe they are great, but I never seem to have them when I need them. Of course, maybe its on another floor or another room and I am being lazy not walking over there, but it is an added inconvenience on a process that needs to be balanced between security and convenience.


Adding a rotating 2FA to a password database, for one.


Being mugged isn't "user error", and the good part about YubiKeys is that the consequences of being mugged are much more intuitive (it's just like I had my keys stolen).

The "I left my keys in my coat" problem you have seems like it has a pretty obvious solution: don't keep your YubiKey on your key chain. Do you have a wallet or cell phone that you carry with you at all times? Put it in the wallet or cell phone case.


Fully agree that a physical attack is much less likely.

Also, the use of a PIN or fingerprint[1] to authenticate the yubikey itself and not sent over the network, mitigates the stolen key scenario. [2]

[1] https://www.yubico.com/blog/getting-a-biometric-security-key... [2] https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Gu...


Another issue not mentioned by the author is what happens if the Yubikey is lost or breaks. The story around this type of event is sort of ignored and not understood properly. AFAIK it's not possible to duplicate a key (by design), meaning that the user will have to update all their websites' 2FA (hopefully there is a recovery method available).


Yes. You must have at least two keys registered. However it’s worth noting that most services do not offer priority. Meaning you can use either one. I think it makes sense to designate back up keys and only to be used when user reports lost/stolen primary key.


But what is the story there? You have a backup key, hopefully stored "off site", now you want to enroll in another website. You have to get that backup key before you do that? Or bookkeep which sites you have on the backup key and which you don't?


Actually, this is one area where pgp's use in pass works really well. You use your public key to encrypt passwords. So, adding a new one doesn't need the physical key.


This is a very good point and perhaps something Yubikey and similar services should consider: paired keys. Once paired the backup can always replace original if user reports it missing or lost regardless of when they were paired.


While it's not possible to duplicate an existing key, it is possible to create duplicate keys in the first place - you can't get the secrets out, but you can write identical secrets to two or more keys if you want to.

This adds some convenience, though it also does add some risks e.g. in case of breach you can't tell which token was misused, you can't invalidate a lost key without invalidating others at the same time.


Also, Bluetooth based keys exist that don’t have to be plugged in.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: