24 Mar 2023
I won’t buy a YubiKeyby Garrit Franke
In this interesting post, Garrit talks about why he wouldn’t buy a YubiKey and I get where he’s coming from.
I own 3 YubiKeys that I have for personal use. There’s one that I keep connected to the USB hub on the desk in my study, another that I keep in my work bag, and a third that I keep in the safe at my mum’s house.
That third one is registered with both mine and my wife’s Bitwarden accounts. So I know that no matter what, we can always get into our password vault’s. Two of the YubiKeys (including the backup one at my mum’s) are the NFC version, so we can use them with our phones.
Like Garrit, I use Bitwarden’s built in TOTP multi-factor tokens for most things, as I think it’s a good balance between security and convenience. Yes, it can probably be compromised, but it would have to be an extremely knowledgeable and motivated threat actor. So the risk is worth it for me.
Aside from Bitwarden, I also use my YubiKeys for certain important accounts where I don’t think the risk of having the MFA token in Bitwarden is worth it.
So, for me at least, there’s a use for owning a YubiKey (or 3), but I totally get where Garrit is coming from, and I think it’s a fair conclusion that he’s drawn.