undefined | Better HN

0 pointstialaramex5y ago0 comments

Most sites which offer U2F (or WebAuthn, which is what they ought to be doing for new sites) have a last ditch "Write down this huge random string" way back in. If you're the sort of person who'd hate to lose an account (seems like you are) then you should definitely write that down, and keep it somewhere damn safe.

But, as I wrote elsewhere in this thread, the only site I'm aware of that forbids multiple Authenticators (Security Keys) is AWS. And to be fair, AWS accounts are multi-user. If Bob loses his Security Key and Bob was your only admin, the biggest mistake wasn't AWS forbidding Bob from having two keys (though I agree that's bad) it's you not assigning another admin. Jim, the company secretary, may not know a t2.nano from m4.xlarge but he can keep a Security Key in his desk drawer and never give it to anybody unless the Big Boss authorises it.

0 comments

Xylakant5y ago

There’s one special account though and that’s the AWS root account. It’s needed for certain special things and tying it to a yubikey means that you cannot easily give those a creds to 2 people.

j / k navigate · click thread line to collapse

0 comments

Xylakant5y ago

There’s one special account though and that’s the AWS root account. It’s needed for certain special things and tying it to a yubikey means that you cannot easily give those a creds to 2 people.

j / k navigate · click thread line to collapse