Hi, > I played around with yubikey but found it unhelpful. Maybe the newer > ones can store lots of keys, but the old ones didn't. And of course > you need at least two keys in case one breaks and of course you have > to keep them in sync. And you probably still want a software backup > in case a key wears out. It isn't an easy problem.
Well, there are two ways to use a yubikey: Use it as additional factor via U2F. Which works even with the old yubikeys4 and there is no limit on the number of websites supported. Bonus is that ssh can use U2F too. The other one is FIDO2 aka PassKey, which needs to store a bit of information on the key. Supported by the newer yubikey5 only, and there is a limit, somewhere near 25 I think. There are FIDO2 hardware tokens from other vendors which support more. Usually websites support registering multiple second factors, and in most cases I have three: one old usb-a yubikey4, one newer usb-c yubikey5, and a TOTP via freeotp app on the phone. In everyday use I typically work with password (from password manager) + a yubikey as second factor. Which yubikey depends on the machine and the kind of usb ports it has. Convenient and secure. The TOTP is backup and for the rare cases where I need to login somewhere and don't have a yubikey at hand. Unfortunately this does not work with fedora as TOTP is the only option for a second factor. Which is inconvenient and it is also not possible to register another second factor as backup. Thanks to kerberos this isn't too much of a problem as the TOTP is needed for kerberos login only, which should be needed too often. But I suspect kerberos in the mix also makes it hard to support other second factor options. take care, Gerd -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
