How are you handling multiple Yubikeys? I'm doing it personally and it's so annoying that I can't imagine recommending this to anyone else. Since I'd hate to lose access to everything if my house burns down, I keep a key outside of the home. Of course, for that key to be useful, I need to update it whenever I use my key on a new site/service. Dropping everything to go fetch my key is inconvenient, so I keep multiple keys in the house. That way I can add two keys to a service and have a local backup in case one breaks. But, then I need to remember to actually add the off-site key to the account as well.
Maybe I should just round-robin the off-site key. It's just tedious to keep track of what's been registered with which key and making sure they're all in sync. I really wish there were a secure way to simply have a key backup.
Not to mention, this is kind of expensive and also non-obvious as Yubikey primarily sells single keys. I'd love to see wider adoption, but can't see the general population putting up with this.
This has been what stops me from going full webauthn. Instead, right now I use 3 yubikeys with pass (password store) and encrypt with 3 separate gpg keys (one private key stored on each yubikey). I haven't touched one of the yubikeys in a year, but I know that if I lose the other two it can still decrypt my passwords.
The disadvantage here is obviously it's just another password manager instead of taking full advantage of hardware tokens, but I want to be able to enroll passwords or tokens without the key present all the time. (Also, yubikeys have limited slots for keys)
> this is kind of expensive and also non-obvious as Yubikey primarily sells single keys
Unless you need the GnuPG or SSH applets, I just use the $14 FIDO keys from Identiv. They are also NFC capable for my mobile devices. I keep one at my office, one at home and carry one in my pack.
I too wish there were a way to keep them in sync or back them up.
Fireproof safe, and living in an area where the fire department would be able to get the fire under control fast enough that I would hopefully not need 1/10th of the capability of that safe.
Edit: also, if your house burns down, won’t you probably have your keys on you if you’re not home?
Although these keys are intended to be stored on a keychain, I don't know of anyone that actually uses them that way. If you work remotely, there's just no need to have your keys on you most of the time. One of my keys is a 5C Nano and it just sits in the laptop all day long. So, if my house burns, I'm losing any keys in the house along with it.
As for a fireproof safe, I do have one, but they're rated for X hours and degrade over time. I should probably get a new one.
Maybe? I really don't know. I dual-boot a Linux & Windows workstation and have a macOS laptop, so I haven't looked too deeply into platform-specific solutions. For now, I stick with Yubikeys. Complicating things further is for some accounts I'd like to give my wife access and she has her own keys and own devices. I've hit the key registration limit on some sites.
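The bookkeeping complained about in the opening post (which accounts still lack the off-site key, which would be lost if every key in the house were destroyed) and the registration-limit problem mentioned just above are the same audit. Below is an added example, not code from anyone in the thread, of that audit as a small script: the key names, account names, storage locations and per-site limits are all constructed for illustration, and the enrollment record is something you maintain by hand, since sites do not expose it in any uniform way.

```python
"""Added example (not from the thread): an enrollment audit for a small
fleet of FIDO security keys. It reports which accounts are missing the
backup key, which accounts would be lost if all in-house keys were
destroyed, which rely on a single key, and which are at their registration
limit so the backup key cannot be added without removing another.
All key names, account names, locations and limits below are constructed.
"""

# Constructed key inventory: key name -> where it is kept.
KEYS = {
    "nano": "in the laptop",
    "keychain": "carried",
    "offsite": "outside the home",
}

# Constructed enrollment records: account -> registration limit and enrolled keys.
ACCOUNTS = {
    "email": {"limit": 5, "keys": {"nano", "keychain", "offsite"}},
    "code-host": {"limit": 5, "keys": {"nano", "keychain"}},
    "bank": {"limit": 2, "keys": {"nano", "keychain"}},
    "vpn": {"limit": 2, "keys": {"offsite"}},
}


def missing_keys(accounts, required):
    """Accounts lacking any of `required` -> sorted list of the missing key names."""
    gaps = {}
    for name, rec in accounts.items():
        absent = sorted(set(required) - rec["keys"])
        if absent:
            gaps[name] = absent
    return gaps


def lost_if_unavailable(accounts, unavailable):
    """Accounts whose every enrolled key is in `unavailable` (e.g. all in-house keys)."""
    unavailable = set(unavailable)
    return sorted(n for n, rec in accounts.items() if rec["keys"] <= unavailable)


def single_key_accounts(accounts):
    """Accounts with exactly one key enrolled: one broken key means lockout."""
    return sorted(n for n, rec in accounts.items() if len(rec["keys"]) == 1)


def limit_blockers(accounts, required):
    """Accounts at their registration limit that still lack a required key."""
    return sorted(
        n for n, rec in accounts.items()
        if len(rec["keys"]) >= rec["limit"] and not set(required) <= rec["keys"]
    )


def unknown_keys(accounts, keys):
    """Enrolled key names absent from the inventory (a typo, or a key no longer owned)."""
    return sorted({k for rec in accounts.values() for k in rec["keys"]} - set(keys))


def report(accounts=ACCOUNTS, keys=KEYS, backup="offsite"):
    """Build the audit as a list of lines; returned rather than printed so it can be checked."""
    in_house = set(keys) - {backup}
    lines = []
    for acct, absent in missing_keys(accounts, {backup}).items():
        lines.append(f"{acct}: backup key {absent[0]!r} not enrolled")
    for acct in lost_if_unavailable(accounts, in_house):
        lines.append(f"{acct}: lost if the in-house keys {sorted(in_house)} are destroyed")
    for acct in single_key_accounts(accounts):
        lines.append(f"{acct}: only one key enrolled")
    for acct in limit_blockers(accounts, {backup}):
        limit = accounts[acct]["limit"]
        lines.append(f"{acct}: at its limit of {limit}, remove a key before adding {backup!r}")
    for k in unknown_keys(accounts, keys):
        lines.append(f"unknown key {k!r} is enrolled somewhere but not in the inventory")
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

Run it after every new enrollment and the output is the to-do list for the next trip to the off-site key; the `limit_blockers` check is the one that catches the case where that trip would be wasted because the site will refuse a third key until one is removed.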