Given that I use 2FA with a Yubikey, I find it confusing to enter:
- a user/password (first in-brain secret)
- a Yubikey (out-of-brain single-use code)
- a passphrase (second in-brain secret)
I do understand the logic. But...
I find it difficult to explain to people. They tend to confuse the steps. They forget their password. In the end, when I help them set up their account I tell them "at this step [password] put something simple because you'll add the Yubikey". They tend not to log into Passpack, finding it difficult, which makes them forget their credentials even more (the passphrase especially). In the end they don't use it, and revert to old-fashioned alternatives, notoriously post-its.
My request is to have the option (in the 2FA menu) to choose between
- traditional: user+password AND Yubikey (safest)
- simplified : Yubikey only
In the second case, if Passpack receives a correct Yubikey token, it is considered as if the correct user+password had also been entered.
My rationale is that without the passphrase you can't do much anyway. So the passphrase plays the role of the "in-brain secret", and I'd rather insist on one very strong one (the passphrase), unpolluted by a short one (the password).
Technically, the sign-in form could either recognize a Yubikey string in either of the two fields, or there could be a specific "Yubikey" form field, or there could be a "Yubikey" tab or icon to switch to a single-field form...
Consequently, there has to be a way to indicate a "primary" Yubikey in the list of registered keys. Indeed, we register one another's Yubikeys (or at least one backup Yubikey for the company, which I keep in a safe) for situations of hardware failure or loss. Not all registered keys should grant access. The backup ones should only work in the "traditional" way, after email+password was successful. Note that the forgotten-password process already exists and would typically be of use here.
Maybe the correct UI could be to have a radio button or dropdown facing each registered Yubikey, to choose between the above-mentioned "traditional" or "simplified". Correct wordings could be "reinforce user/password" vs "replace user/password". Simplified can only be set if the given Yubikey is not associated as simplified with any other account on Passpack.
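To make the proposed policy concrete, here is a small model of the sign-in logic described in this request: each registered key carries a "traditional" or "simplified" mode, a simplified key stands in for email+password on its own, a traditional (backup) key only works after email+password, and a key may be "simplified" for at most one account. This is an added illustration and not Passpack's code; the only facts taken from the YubiKey OTP format are that an OTP is 44 modhex characters whose first 12 are the key's public identity. The `Directory`, `Account` and `FakeValidator` names, the OTP strings and the accounts are all constructed for the example, and `FakeValidator` replaces a real validation service with a set of one-time-accepted strings.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

# YubiKey OTP format: 44 modhex characters; the first 12 are the key's
# public identity, the remaining 32 the encrypted single-use token.
MODHEX = set("cbdefghijklnrtuv")
OTP_LEN, PUBLIC_ID_LEN = 44, 12


def looks_like_yubikey_otp(value: str) -> bool:
    return len(value) == OTP_LEN and all(c in MODHEX for c in value)


def public_id(otp: str) -> str:
    return otp[:PUBLIC_ID_LEN]


class FakeValidator:
    """Constructed stand-in for an OTP validation service: accepts each OTP
    from a known set exactly once, rejects everything else (incl. replays)."""

    def __init__(self, valid: Set[str]) -> None:
        self.valid, self.used = set(valid), set()

    def __call__(self, otp: str) -> bool:
        if otp in self.valid and otp not in self.used:
            self.used.add(otp)  # single-use: a replayed OTP fails
            return True
        return False


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    keys: Dict[str, str] = field(default_factory=dict)  # public_id -> mode

    def check_password(self, password: str) -> bool:
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(digest, self.pw_hash)


class Directory:
    """Accounts plus the per-key 'traditional' / 'simplified' policy (hypothetical)."""

    def __init__(self, verify_otp: Callable[[str], bool]) -> None:
        self.accounts: Dict[str, Account] = {}
        self.verify_otp = verify_otp

    def add_account(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.accounts[email] = Account(email, salt, pw_hash)

    def register_key(self, email: str, pub_id: str, mode: str) -> bool:
        """'simplified' is refused if the same key already replaces the
        credentials of another account: an OTP alone must name one account."""
        if mode not in ("traditional", "simplified"):
            return False
        if mode == "simplified" and any(
            a.email != email and a.keys.get(pub_id) == "simplified"
            for a in self.accounts.values()
        ):
            return False
        self.accounts[email].keys[pub_id] = mode
        return True

    def sign_in(self, email: str = "", password: str = "", otp: str = "") -> Optional[str]:
        """Return the signed-in account's email, or None on failure."""
        # The form may recognise an OTP typed into the password field.
        if not otp and looks_like_yubikey_otp(password):
            otp, password = password, ""
        # A valid, unused OTP is mandatory in both modes.
        if not (looks_like_yubikey_otp(otp) and self.verify_otp(otp)):
            return None
        pid = public_id(otp)
        if not email and not password:
            # Simplified: only a key registered as 'simplified' may stand in
            # for email+password, and by construction it maps to one account.
            owners = [a for a in self.accounts.values() if a.keys.get(pid) == "simplified"]
            return owners[0].email if len(owners) == 1 else None
        # Traditional: email+password first, then any registered key
        # (backup keys included) as the second factor.
        acct = self.accounts.get(email)
        if acct is None or not acct.check_password(password):
            return None
        return acct.email if pid in acct.keys else None


# Constructed OTPs (modhex strings, not real tokens): key 'ccccccbcgujh' is
# Alice's everyday key, 'ccccccdlbenr' the company backup kept in the safe.
ALICE_OTPS = [
    "ccccccbcgujh" + "kebgdehilrnvvfgtbcuchjdfjdtevruf",
    "ccccccbcgujh" + "jntlhbnhdukvibebrvfirlcdjgftchlc",
    "ccccccbcgujh" + "tgnfrdcbvkhuleijbthdncevrtgjfkdl",
]
BACKUP_OTPS = [
    "ccccccdlbenr" + "fvgjihulkrtdnbcevtgjcdfhlrunbktd",
    "ccccccdlbenr" + "hbrlevjdtfucgknbidvrthcejlgfdnku",
]


def make_demo() -> Directory:
    d = Directory(FakeValidator(set(ALICE_OTPS + BACKUP_OTPS)))
    d.add_account("alice@example.com", "correct horse battery staple")
    d.add_account("bob@example.com", "bob-password")
    d.register_key("alice@example.com", public_id(ALICE_OTPS[0]), "simplified")
    d.register_key("alice@example.com", public_id(BACKUP_OTPS[0]), "traditional")
    return d
```

The uniqueness rule in `register_key` is what makes the simplified path safe to offer: if the same key could be "simplified" for two accounts, an OTP alone would not say which account to open. The backup key is deliberately registered as "traditional", so a thief who gets the safe's key still needs the email and password, as the request asks.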