Now I have had my yubikey for about a week, and I have put it on my keychain. It really works extremely well! The only small issue is that I tend not to have my keys immediately within reach while at home in the house or on travel, so there is a step of “go retrieve the keys” before I can use it for login.
However, that small inconvenience is not really something to be bothered by. Any hardware-based login solution will have that, and the way the yubikey fits into something you carry anyway for getting into places (your keys) makes it very logical. What would have made it even better is if it were activated using a key-like turn rather than the somewhat bland keypress that does not produce any kind of haptic feedback. But I can understand that a twisting design like that would be an order of magnitude more expensive to produce, and probably another order of magnitude less durable…
It is also striking how well this system works compared to the incredibly clunky login and signing facilities used by ICA Banken. There, you have a piece of hardware which is way larger than a key, into which you slide your credit card. Then, to log into the bank and pay a bill, you do:
- Type in customer number
- Type in PIN code
- Put your card into the signing device
- Press “login”
- Copy 8 digit code from web page to device
- Type card PIN code into device
- Copy 9 digit code from device to web page
- … enter data for bills …
- Bring out the signing device again
- Insert card
- Press “sign”
- Copy 8 digit code from web page to device
- Type card PIN code into device
- Copy 9 digit code from device to web page
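The list above is a challenge-response flow: an 8-digit challenge goes from the web page into the device, the card PIN unlocks the card, and a 9-digit response goes back to the page. The following is an added model of that flow, not ICA Banken's actual protocol (the post does not describe it); the HMAC construction, the server nonce and the way the "sign" challenge is derived from the bill data are assumptions, chosen to show what a bill-bound second challenge can check that a login challenge alone cannot.

```python
import hashlib
import hmac
import secrets

def truncate_digits(raw: bytes, n: int) -> str:
    """Reduce a digest to an n-digit decimal code a person can copy between screens."""
    return f"{int.from_bytes(raw[:8], 'big') % 10**n:0{n}d}"

class CardReader:
    """Model of the stand-alone signing device: the card key never leaves it."""
    def __init__(self, card_key: bytes, card_pin: str):
        self._key, self._pin = card_key, card_pin

    def respond(self, pin: str, challenge: str) -> str:
        # The PIN is checked inside the device, so a stolen card alone is not enough.
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("wrong PIN")
        mac = hmac.new(self._key, challenge.encode(), hashlib.sha256).digest()
        return truncate_digits(mac, 9)  # the 9-digit code typed back into the web page

class Bank:
    """Server side: issues 8-digit challenges and checks the 9-digit responses."""
    def __init__(self, card_key: bytes):
        self._key = card_key

    def login_challenge(self, nonce: bytes) -> str:
        return truncate_digits(hashlib.sha256(b"login|" + nonce).digest(), 8)

    def sign_challenge(self, payee: str, amount: str, nonce: bytes) -> str:
        # Binding the challenge to the bill makes the response valid for this bill only.
        data = f"sign|{payee}|{amount}|".encode() + nonce
        return truncate_digits(hashlib.sha256(data).digest(), 8)

    def _expected(self, challenge: str) -> str:
        mac = hmac.new(self._key, challenge.encode(), hashlib.sha256).digest()
        return truncate_digits(mac, 9)

    def verify_login(self, nonce: bytes, response: str) -> bool:
        return hmac.compare_digest(self._expected(self.login_challenge(nonce)), response)

    def verify_signature(self, payee: str, amount: str, nonce: bytes, response: str) -> bool:
        expected = self._expected(self.sign_challenge(payee, amount, nonce))
        return hmac.compare_digest(expected, response)

def demo() -> tuple:
    key, pin = secrets.token_bytes(16), "1234"  # constructed card key and PIN
    reader, bank = CardReader(key, pin), Bank(key)
    nonce = secrets.token_bytes(8)
    ok_login = bank.verify_login(nonce, reader.respond(pin, bank.login_challenge(nonce)))
    # The user signs a bill to "electricity" for 450; a submission altered after signing fails.
    code = reader.respond(pin, bank.sign_challenge("electricity", "450", nonce))
    ok_sign = bank.verify_signature("electricity", "450", nonce, code)
    altered = bank.verify_signature("other-account", "450", nonce, code)
    return ok_login, ok_sign, altered  # → (True, True, False)
```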
I really think the “sign” step adds no security in practice, and most other bank systems I use seem to agree with this: once past login, no need for additional confirmation. I think that makes sense, and that the sign stage is here more as a warm fuzzy feeling kind of thing.
If it wasn’t for the possible constraint that the ICA solution has to work on public computers where you have no access to USB ports, I think a yubikey-based solution would make all of the above so much easier. The genius of the yubikey is really that it removes the “type in numbers from a hardware device” part from the login steps, which has little value when every user has to do it every time they perform some kind of secure operation. If all banks used a yubikey, I think the world would save many thousands of person-hours that could be used to have fun, be with the family, and other more beneficial uses.