+14
Considering for Future Release

Multiple Yubikeys

Brian 8 years ago updated by Axel Taferner 3 years ago 17 1 duplicate

As previously requested 3 years ago which the same scenario applies directly to my situation.


"Can you please add the ability to store more than one Yubikey with each user account like LastPass does? You can store up to 5 keys with LastPass which is very useful. For example, I have three. One for work PC that is never removed, one for home PC also never removed and one on my keychain so that if I'm at a customer site (or anywhere besides home or work for that matter) I can use that one.

Thanks"

Duplicates 1
Considering for Future Release

I agree, we assign a YubiKey to a developer for off-site access. Then to require that they carry around the same YubiKey to be able have continued access is just asking for it to get lost. Not to mention our system admins who might need access at a moment's wherever they might be. Being able to assign one YubiKey for their home use and one for their work use would be extremely helpful. 

Considering for Future Release

Just adding another voice.  We too, would like to have multiple yubikeys attached to an account.

Agreed. LastPass allows several.  Many reasons this is needed, especially in event one key is damaged.  Also help as I float between two PCs that only I use, plus when I'm mobile with my laptop.

+1 Need this functionality.

This is also needed for those who use a backup Yubikey in case the main one is lost or malfunctions.
Has there been any progress on implementing this feature?

@Jeff We are working around this by creating multiple accounts for our admins. Each of them has "First.Last.1" and "First.Last.2" each paired with a different Yubikey. This also gives you a way to reset if you accidentally lock yourself out of one account.

Not the most elegant solution, but it works to provide redundancy.

@WJTech, thanks for the reply. I had actually tried that, and it worked. Like minds!  As you said, not very elegant.

I'm surprised that ConnectWise hasn't been able to implement that. I'm not getting my hopes up since it's been on the books for 6 years.

I think you all have missed the point of 2FA and Yubikey's.  

@CW

Not sure who your comment was directed at, me or ConnectWise.


Here is the best practice “from the horse’s mouth”:

“Best practice is to have multiple YubiKeys set up for your accounts. One on your keychain, or one in your wallet, or one in a safe place at home will help to make sure you’ve always got a backup YubiKey nearby”

https://www.yubico.com/blog/5-simple-ways-to-get-started-with-your-yubikey-2-2/




That's fair, but I'm looking at this from the perspective of security, not from the perspective of a company who's sole source of revenue is selling more Yubikeys.   To each their own I suppose.  

From a security perspective, if you are the account owner  and your sole Yubikey is Stolen/Destroyed, what now? Time for a fresh install? There has to be a “Glass Break” option to regain access. What is more secure than simply having a backup YubiKey?

There should always be a backup administrative account to everything; and yes it should be secured as well.  This actually provides you with redundancy in access, but having two yubikeys on a single account does not.  An account can become corrupted or broken, or a poorly designed policy or setting can lock you out (O365 actually warns you about this when making Conditional Access changes) etc.  


I walked into a really bad AD environment once where the Administrator account was corrupted somehow and you couldn't login.  With some discovery, we determined an old employee (CFO) had made himself a domain admin and they were able to reach out to him, AND he remembered his password, and we were able to at least get things sort of functional again (before starting over from scratch).  

Most products with 2FA have some form of recovery built in also, like a PIN code that should be secured. 

I dont want to hijack this thread any more... I just think allowing multiple Yubikeys on a single account goes against the security that a Yubikey provides, and as you pointed out, even if this was added...How many is enough?   2?   3?  5?  Whatever limit they set isn't going to be enough for someone.  

I think I get around most of your concerns by A) carrying my Yubikey so I dont need more than 1, and B) having a secondary admin with their own Yubikey (and if it's not something you want someone else to have access to, make a second admin account with a Yubikey that you keep in the fireproof safe).  

I understand that having a secondary admin with their own Yubikey provides some redundancy, not only with regards to the hardware key but also in case someone gets hit by a bus.

But ALSO having a backup Yubikey in a locked, safe location somewhere brings extra convenience and does not compromise security.

Having a second admin account for the same user with a backup Yubikey is a hacky workaround. Many other services (Google, GoDaddy, Lastpass, AOL) have this capability. There is no reason why Connectwise can't do this.