Hi,

> I played around with yubikey but found it unhelpful.  Maybe the newer
> ones can store lots of keys, but the old ones didn't.  And of course
> you need at least two keys in case one breaks and of course you have
> to keep them in sync.  And you probably still want a software backup
> in case a key wears out.  It isn't an easy problem.

Well, there are two ways to use a yubikey:   Use it as additional factor
via U2F.  Which works even with the old yubikeys4 and there is no limit
on the number of websites supported.  Bonus is that ssh can use U2F too.

The other one is FIDO2 aka PassKey, which needs to store a bit of
information on the key.  Supported by the newer yubikey5 only, and there
is a limit, somewhere near 25 I think.  There are FIDO2 hardware tokens
from other vendors which support more.

Usually websites support registering multiple second factors, and in
most cases I have three: one old usb-a yubikey4, one newer usb-c
yubikey5, and a TOTP via freeotp app on the phone.  In everyday use I
typically work with password (from password manager) + a yubikey as
second factor.  Which yubikey depends on the machine and the kind of usb
ports it has.  Convenient and secure.  The TOTP is backup and for the
rare cases where I need to login somewhere and don't have a yubikey at
hand.

Unfortunately this does not work with fedora as TOTP is the only option
for a second factor.  Which is inconvenient and it is also not possible
to register another second factor as backup.  Thanks to kerberos this
isn't too much of a problem as the TOTP is needed for kerberos login
only, which should be needed too often.  But I suspect kerberos in the
mix also makes it hard to support other second factor options.

take care,
  Gerd

-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to