
A random pickpocket might not be able to reset my accounts without my password, but I can’t do anything either until I retrieve the Yubikey or a backup. Worse, it’ll cooperate fully with whoever happens to physically possess it, so if I forget it plugged into or near a logged-in terminal, the key won’t simply lock itself after some inactive period and I can’t send a remote lock command until I get to one of my other keys. I agree with most of that (and of course, we’re likely all screwed against really targeted attacks), but it just seems like the security gain from a hardware key is rather minimal in exchange for its inconvenience (true, good security doesn’t care about my whiny complaints there) and the additional, if rather inaccessible, attack surface that it does represent.
