科技回声
Discord Rolled Out Yubikeys for All Employees

84 points, by tjwds, almost 2 years ago

8 comments

hinata08, almost 2 years ago

> And, if you're somebody who has a product that could support WebAuthn and/or passkeys better: please do! (we might even be building/planning this ourselves)!

It's ironic, as users have been requesting that feature for years, and Discord has been pushing back the whole time.

https://support.discord.com/hc/en-us/community/posts/360031304832-Add-support-for-webauthn-authentication-Yubikeys-and-the-like

Instead, they did the infamous QR code, the new font, the new ID that's often similar to the old one but without the #, and the like.

The overly popular support page isn't even cited or mentioned in the article!

I can't understand the disconnect between the teams at Discord and the users.

For me, the teams are doing this blog post like they had the idea first because they're the best (when they have actually pushed back for so long).

And not even acknowledging users is just disrespectful. It shows that Discord only involves them in the payment process, and ignores their suggestions whether they're good or bad (because they come from the users).

At the same time, for any change, they post that they're visionaries. And I'm sure their CVs go on about how they disrupted their workplace (while they really did push back on this feature).
xvector, almost 2 years ago

> We also instruct corporate users to set up Okta Verify for use only as a fallback MFA in the event that all their authenticators fail at once. This way, we never have user accounts lacking at least one strong form of multi-factor authentication.

Might as well not use a YubiKey at all. This just eliminates the benefits a YubiKey would provide. This reminds me of the banks that offer TOTP with fallback to SMS - just turns the "security improvement" into a waste of time and effort.

> We chose [Yubikey C NFC] for a few reasons: [...] 3. It doesn't support OTP mode, so there's no "Yubispam" to deal with

I think it does support OTP mode? Using one of these right now and it definitely supports OTP. You can turn it off, but that's not particular to the C NFC.

An aside: YubiKeys are great, I love them... but they need to have a display to show what, precisely, you're authenticating with, or signing, etc. You can never trust your computer's display - Ledger/Trezor's hardware wallets have the right idea. IMO current standards fall short in not providing this information to the hardware authenticator.
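To make concrete why the YubiKey/WebAuthn logins discussed in this thread resist phishing, and why (as xvector notes) the key cannot show the user what it is signing, here is an added Python example, not code from the article or from Discord, of the relying-party checks on a WebAuthn assertion. The RP id, the allowed origins and all inputs are constructed values, and the final ECDSA signature check is left to a real WebAuthn library.

```python
import base64
import hashlib
import json
import struct

RP_ID = "example.com"                      # constructed relying-party id (assumption)
ALLOWED_ORIGINS = {"https://example.com"}  # origins this RP accepts (assumption)

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def parse_authenticator_data(auth_data: bytes) -> dict:
    # Layout: rpIdHash(32) | flags(1) | signCount(4, big-endian) | optional extensions
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    flags = auth_data[32]
    return {"rpIdHash": auth_data[:32], "up": bool(flags & 0x01),
            "uv": bool(flags & 0x04), "signCount": sign_count}

def signed_message(auth_data: bytes, client_data_json: bytes) -> bytes:
    # The authenticator signs authenticatorData || SHA-256(clientDataJSON): it only ever
    # receives the hash, so it cannot display the origin or challenge to the user.
    return auth_data + hashlib.sha256(client_data_json).digest()

def verify_assertion_context(client_data_json: bytes, auth_data: bytes,
                             expected_challenge: bytes, last_sign_count: int):
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        # The browser, not the user, fills in origin, so a look-alike site fails here.
        return False, "origin %r not allowed" % cd.get("origin")
    ad = parse_authenticator_data(auth_data)
    if ad["rpIdHash"] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match this RP"
    if not ad["up"]:
        return False, "user-presence (touch) flag not set"
    if ad["signCount"] != 0 and ad["signCount"] <= last_sign_count:
        return False, "signCount did not increase (possible cloned authenticator)"
    return True, "context ok; verify the ECDSA signature over signed_message() next"

# Constructed sample inputs standing in for a browser/YubiKey response.
def make_auth_data(rp_id: str, flags: int, count: int) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", count)

def make_client_data(origin: str, challenge: bytes) -> bytes:
    ch = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "origin": origin, "challenge": ch}).encode()
```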
pipe_connector, almost 2 years ago

How do you authenticate from a machine that isn't local to you? I don't do any work on my work-issued laptop, I use a powerful remote machine instead.
alexwasserman, almost 2 years ago

Did exactly this at my previous employer as part of a large plan to become effectively unphishable. With all auth requiring something physical, and no OTP anywhere.

We deployed Yubikeys to every employee (5 Nanos), which went into a USB port on their MBPs and were told never to remove them. We rolled out Okta as well (similarly moving from GSuite).

Definitely took some training initially, but after that employees are used to Okta + a Yubikey touch to authenticate to all the systems we used.

Internal SSH as well used certs deployed onto the Yubis, to ensure SSH was physically backed.

With hardware devices all remote managed through MDM, and enforcing access policies, and full disk encryption, along with the Yubis, you can end up with an incredible amount of protection against phishing and other remote attacks. Even lost hardware is protected, and can be remote wiped.

After building all that infra, now I wish I had more Yubi support at home. So few serious services (e.g. banking) that I care about support it. I can lock my Github with 2FA supporting Yubi keys, but not my bank, broker, mortgage, etc.
throwaway1777, almost 2 years ago

Ok... Thought they would've already done this by now.
kwanbix, almost 2 years ago

What happens if a Yubikey breaks?
birdyrooster, almost 2 years ago

Why not just use Touch-ID? I'm sure all of their employees use Macs anyways.
say_it_as_it_is, almost 2 years ago

> Step 1: get everyone and every app* (it's never every app) into Okta

You don't need to spend millions of dollars tethering your organization to a security identity provider to accomplish no more than what you already are doing without them. WebAuthn is not curing cancer. It's just another marketing scheme for authentication.