I was an early, enthusiastic adopter of Yubikeys at my work. Above and beyond the other issues people have mentioned, though, the one that kills the product for me is the frankly stupid OS integration. The key behaves like “just” a special kind of keyboard which types a long string of gibberish and then hits enter any time you touch the trigger.
I can’t tell you how many times I have accidentally bumped the thing and thereby entered my secret key in:
- text editors
- the URL bar of my browser (!)
- Slack chats (!!)
The solution seems obvious to me: make a new type of input field at the browser and OS level which accepts U2F input, then reject that input in any text field that doesn’t opt in.
This one issue has made the key way more of a liability than a simple authenticator app for me.
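The accidental-keystroke problem described above, as an added example that is not from the original thread: a small client-side guard that recognises the 44-character modhex string the OTP mode types (assumed format: a 12-character public ID followed by a 32-character one-time token, then Enter) and either redacts it from a message before it is sent or refuses it in a text field that has not opted in.

```javascript
// Added example, not from the original thread. Assumed facts about the OTP
// mode: it emits 44 characters over the "modhex" alphabet (cbdefghijklnrtuv),
// a 12-character public ID followed by a 32-character one-time token, then Enter.
const MODHEX = "cbdefghijklnrtuv";
// A run of exactly 44 modhex characters not embedded in a longer modhex run.
const OTP_RE = new RegExp(`(?<![${MODHEX}])[${MODHEX}]{44}(?![${MODHEX}])`, "g");

// Locate OTPs in free text (e.g. a chat message) and split each into its parts.
function findYubikeyOtps(text) {
  const hits = [];
  for (const m of text.matchAll(OTP_RE)) {
    hits.push({ index: m.index, publicId: m[0].slice(0, 12), token: m[0].slice(12) });
  }
  return hits;
}

// Strip the one-time token before the text leaves the client; the public ID
// only identifies which key was touched, so it is kept for troubleshooting.
function redactYubikeyOtps(text) {
  return text.replace(OTP_RE, (otp) => otp.slice(0, 12) + "[REDACTED-OTP]");
}

// Guard for a text field: unless the field opted in to OTP input, refuse a
// submission that consists solely of an OTP (what a stray touch produces).
function shouldRejectInput(value, fieldAcceptsOtp = false) {
  if (fieldAcceptsOtp) return false;
  const v = value.trim();
  return v.length === 44 && [...v].every((ch) => MODHEX.includes(ch));
}

// Constructed sample: a chat message with an OTP bumped into the middle of it.
const SAMPLE_OTP = "cccccbcdefgh" + "cbdefghijklnrtuv" + "cbdefghijklnrtuv"; // 12 + 32
const SAMPLE_MESSAGE = `hey can you look at the PR ${SAMPLE_OTP} sorry key`;
```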
You can disable this OTP mode of the YubiKey with either the "Yubikey Manager" or the more advanced "Yubikey Personalization Tool" software. It's unrelated to FIDO U2F. It's the first thing I do with any new key, as I find it similarly annoying. I accidentally tapped it once while working in Adobe Lightroom and it triggered a sequence of actions that went on for 30 seconds that I couldn't undo.