undefined | Better HN

0 pointsartdigital3y ago0 comments

I have a question - do you disable regular OTP 2FA on services you use the Yubikey? I have one too and religiously added it to all kinds of things, but each service allowed me to just skip the yubikey when a regular OTP code was entered, effectively making me not use the yubikey

0 comments

rgoulter3y ago

If you have only one Yubikey, and use it as the only factor of authentication to a website, you'll need to ensure you store the 2FA recovery codes safely. Whereas, if you have both Yubikey and TOTP as factors of authentication, if you lose the Yubikey, you'll still be able to login.

I view that as "Yubikey more convenient than TOTP". You can either use TOTP, or the Yubikey, and it's easier to tap a button than to enter a code.

cuu5083y ago

WebAuthn is more convenient but also more secure. You don't have to be as vigilant when checking what URL your browser is pointing at.

Xylakant3y ago

Not the GP, but I also use YK as a primary auth mechanism and TOTO as fallback.

Since I only use TOTP as fallback, I am much more vigilant if I suddenly get a TOTP prompt. I should never get one, only in circumstances where I explicitly want one. Every other instance is a big red flag. Is that perfect? No. Is it better than TOTP: yes.

j / k navigate · click thread line to collapse