Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

You register multiple keys on a handful of critically important websites.

Password manager. Primary e-mail account. DNS provider.

Other than that, it's rarely supported and rarely worth the hassle when it is.



It is really annoying that more sites don't support multiple security keys, though. As far as I can tell, it's not encouraged by the FIDO Alliance and I can't think of a good technical reason for it.


I forget which financial institution I was using at the time, but they explicitly only supported one key. That is, you add a new one and the old one is expunged.

Banks are so slow with this sort of thing, and still require SMS as a fallback option.


The vast majority of sites I've used Yubikeys for have supported multiple. About the only one that I use which still doesn't to my knowledge is Paypal.


Maybe I'm out of date, then! I don't enroll new keys very often. Paypal is a great example of a service that I would like to support multiple keys, though, so it's disappointing that they still only support one.


How often do you check to see that those other/backup keys are still secure? This attack becomes easier if the attacker knows of the secondary key(s) location and because of disuse they aren't even necessary to replace.




Consider applying for YC's Summer 2026 batch! Applications are open till May 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: