Comment by bsder
4 years ago
And how do I use my YubiKey to access mail if it's not Gmail/Office365?
And how do I enroll all my employees into GitHub/GitLab?
And how do I recover when a YubiKey gets lost?
And how do I ...
Sure, I can do YubiKeys for myself with some amount of pain and a reasonable amount of money.
Once I start rolling secure access out to everybody in the company, suddenly it sucks. And someone spends all their time doing internal customer support for all the edge cases that nobody ever thinks about. This is fine if I have 10,000 employees and a huge IT staff--this is not so fine if I've got a couple dozen employees and no real IT staff.
That's what people like Okta and Auth0 (now bought by Okta) charge so bloody much for. And why everybody basically defaults to Microsoft as an Identity Provider. etc.
Side note: Yes, I do hand YubiKeys out as trios--main use, backup use (you lost or destroyed your main one), and emergency use (oops--something is really wrong and the other two aren't working). And a non-trivial amount of services won't allow you to enroll multiple YubiKeys on the same account.
> And a non-trivial amount of services won't allow you to enroll multiple YubiKeys on the same account.
For WebAuthn (and its predecessor U2F) that "non-trivial" amount seems to be precisely AWS. The specification tells them to allow multiple devices to be enrolled but they don't do it.