It appears via the screenshot that you can have multiple 2FA devices, which is great. I love my Yubikey in theory, but in practice I'm only using it for services where I can have a TOTP or SMS 2FA backup method, because I'm not convinced it will always work or be available. Even if having SMS 2FA enabled negates any security benefits of the Yubikey.
Thus far it's just Dropbox and Gitlab that I use it for, since they're among the few services that allow multiple 2FA methods to be used at the same time.
I believe SMS 2FA does not _completely_ negate it, in the sense that if you use your Yubikey all the time (except when you lose it) you still get, for instance, all the phishing protection.
Of course if someone targets you directly, then yes, you lose most of the advantages since SMS 2FA is pretty easy to break.
All the services that I have used with U2F support have supported multiple keys. Google, Gitlab, Github, and some others which I forget.
They have all worked with Yubico U2F keys and with the Google Titan keys. Pretty convenient way to have two factor authentication. I like the Yubikey 5 Nano as you can leave it plugged into a port in your laptop all the time.
> All the services that I have used with U2F support have supported multiple keys. Google, Gitlab, Github, and some others which I forget.
I've run into a number of services that only allow a single U2F key (it's been a while, so I don't remember the exact ones). Even if they do support multiple U2F keys, how do you handle enrolling both? I keep my backup key offsite, so ideally I could enroll it without physically possessing the device. If I have both in my possession at all times (or even sometimes), I'm at risk of losing both of them.
Correct, you can add several devices. You can have TOTP + U2F devices or just U2F devices or just TOTP.
It's as simple as clicking the button to add another, and walking through the steps. Just be sure to name them in such a way that you can tell them apart. I typically use the identifier on the key itself. It's usually printed somewhere opposite the USB contacts.
How do you manage keeping all the keys "synced" in terms of which services they are registered with?
I keep keys in separate locations for safety, but that makes adding all keys to a new account a big pain.
This hasn't been a big problem yet because there are so few services that support the keys, but I wonder how people would manage it if it became widespread.
This has become a pretty big problem for me. I keep the backup key offsite, and retrieve it every few months to enroll as a backup device with new services. I try to keep a list of services I need to enroll it in, but I've definitely forgotten to do so at times.
Ideally there would be a way to enroll the second device without possessing it, but I'm not sure that's technically possible.
What I'm going to do personally is only use U2F on my most secure services (email, 1Password itself, GitHub). 1Password with the TOTP stored inside of it should be good enough for the others.
For U2F there's nothing to be in sync: each key is added individually, and you don't have to add all of them at once. I.e. if you register the key on your keychain at work, you could later add the backup key in your home vault.
For storing TOTP keys on your YubiKeys, those must be the same, so you probably have to add them at the same time, or take a picture of the QR-code before you complete the registration.
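The point made above about TOTP (as opposed to U2F) is that both keys must carry the same seed, which is why the QR code has to be captured before the enrolment is finished. The following is an added illustration and not code from this thread or from Yubico: a small pure-Python RFC 6238 implementation that pulls the seed out of a constructed `otpauth://` QR payload, loads it onto two hypothetical hardware slots (`HardwareTotpSlot` is a stand-in class invented here, not Yubico's API), and shows that the two keys produce identical codes while a key enrolled later from a different seed never verifies. The seed in `QR_URI` is the RFC 6238 test-vector secret, so the expected codes are the published ones.

```python
"""Added example (not from the thread): why two YubiKeys must share the same
TOTP seed, shown with a pure-Python RFC 6238 implementation."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse


def secret_from_otpauth_uri(uri: str) -> str:
    """Pull the base32 seed out of the otpauth:// URI encoded in an enrolment QR code."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    return parse_qs(parsed.query)["secret"][0]


def totp(secret_b32: str, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = timestamp // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def verify(secret_b32: str, code: str, timestamp: int, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbours,
    comparing in constant time so the check itself leaks nothing about the code."""
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, timestamp + k * 30), code):
            return True
    return False


class HardwareTotpSlot:
    """Hypothetical stand-in for the OATH-TOTP storage on a hardware key
    (constructed for this example; not Yubico's real API)."""

    def __init__(self, label: str):
        self.label = label
        self.seeds = {}

    def enroll(self, service: str, secret_b32: str) -> None:
        self.seeds[service] = secret_b32

    def code(self, service: str, timestamp: int) -> str:
        return totp(self.seeds[service], timestamp)


# Constructed enrolment QR payload; the seed is the RFC 6238 test-vector secret.
QR_URI = ("otpauth://totp/Example:alice@example.com"
          "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def demo(timestamp: int = 1234567890) -> dict:
    seed = secret_from_otpauth_uri(QR_URI)
    keychain_key = HardwareTotpSlot("keychain")
    vault_key = HardwareTotpSlot("home vault")
    # Both keys loaded from the same captured QR: identical seed, identical codes.
    keychain_key.enroll("example", seed)
    vault_key.enroll("example", seed)
    # A key enrolled later from a fresh QR gets a different (constructed) seed and can never match.
    stale_key = HardwareTotpSlot("re-enrolled later")
    stale_key.enroll("example", "JBSWY3DPEHPK3PXP")
    return {
        "keychain": keychain_key.code("example", timestamp),
        "vault": vault_key.code("example", timestamp),
        "stale": stale_key.code("example", timestamp),
        "vault_accepted": verify(seed, vault_key.code("example", timestamp), timestamp),
        "stale_accepted": verify(seed, stale_key.code("example", timestamp), timestamp),
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence is the one stated in the post: for U2F each key has its own credential and can be registered on its own, but for TOTP the service hands out exactly one seed per enrolment, so the second key either gets that same seed at the same time or it never produces accepted codes.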
> For U2F there's nothing to be in sync: each key is added individually, and you don't have to add all of them at once. I.e. if you register the key on your keychain at work, you could later add the backup key in your home vault.
The challenge is remembering to enroll using your backup device. Also, ideally your 2 devices would never be in the same room as each other, otherwise you are at risk of something like a fire destroying both.
Last I checked, Twitter supports U2F, but only allows enrolling one key.
edit: I guess the thread is referring to multiple fallbacks that aren't U2F, but even still, if you're relying solely on U2F it's good practice to have more than one key lest you lose it and get locked out.
I haven't kept a running list, but just checking a few services I use at work, and Terraform Enterprise doesn't appear to support more than one 2FA method being enabled at a time.