Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The criticism of YubiKey seems kind of unfair. For one thing, it doesn't actually explicitly state that they totally address the major issues in the article.

Instead it's "in theory" and "can help". No, it totally addresses the issue of phishing your 2FA token and it does so in practice.

The pricepoint mentioned is over twice what the cheapest Yubikey is - $24.99 [0]. The author states the "average" cost is £50 and "there are a few around £30". Again, 24.99USD for USB + NFC yubikeys that support U2F/webauthn.

'usability' and 'convenience' are the same thing but split into two points, which give the impression that there's a whole other issue, but it's really the same thing.

> Buy a device, register it, install the app, configure it, find the setting in the website, enable it, hope your machine has the right sort of USB ports, press the button at the right time

So for TOTP it's install the app, configure it, find the setting on the website, enable it. So Yubikey adds the one additional step of "buy it", all of the others are the same for all other forms of 2FA. "Press the button at the right time" come on... as opposed to "find the TOTP and type it in on time" ?

The 24.99 USB Yubikey also supports NFC, so like, "has USB or NFC" is the requirement - I'm seriously struggling to think of a device that doesn't meet this requirement.

The author states that leaving the yubikey in the laptop increases risk. I find this to be a mixing of threat models personally - we've solved credential phishing with the 2FA token, but now you're talking about a threat where the attacker has unfettered physical access? I just don't see why that's relevant, sorry.

And for support, I think it's important to note that most sites are not sensitive. But a couple of important sites are. The most important is probably email, since email is effectively an auth mechanism for most other sites via account recovery. So just by protecting email you're protecting every other site. That's really important.

IMO,

Yes, Yubikeys should get cheaper. I certainly hope they do. At my company I give every employee 2 Yubikeys and they are theirs to keep - they're free to use them for personal accounts. I hope more companies do this in the future, essentially distributed U2F to the workforce.

But, otherwise, I really think that the benefits are being drastically undersold and I think that the criticisms are really not particularly fair.

[0] https://www.yubico.com/product/security-key-nfc-by-yubico/



Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: