I'm curious about the best practices when it comes to using YubiKeys for both unprivileged and privileged accounts. Currently, I've got two YubiKeys on my keychain: a personal 5C and a company-issued 5 (USB-A). For convenience, I use the 5C for everything and have reserved the company one for my privileged account. Since they're both physically attached to my keychain, the only real defense against someone accessing them if my keys are stolen is the different PINs I use. Are there any best practices regarding this issue, or is it generally considered acceptable since I'm utilizing secure phishing-resistant authentication?
5 Answers
From a security perspective, it’s really about how you protect both keys. The key difference is in keeping your PINs secure. Just don't attach any notes with them to the keys! If you lose them, make sure to alert your admin right away to disable access. That way, even if someone gets your YubiKeys, they won't get into your accounts easily without the PIN.
It's a bit of a balancing act. There are advantages to using separate devices because it prevents accidental access at a higher security level unless you deliberately choose the right key. Clearly labeling or using different colors for your keys can help keep things organized. And when it comes to separating work from personal devices, that's a big deal too. You don’t want any overlap that could bring legal complications if something goes south with your job.
Definitely! Using distinct devices eliminates a ton of potential mishaps. Plus, if you ever leave your job, returning that company key means you're totally off the hook.
If you want the purest security approach, separate physical keys are definitely the way to go—especially in sensitive environments. Think of it like having different gates for different security levels; collapsing those can be risky.
Also keep in mind, if you use multiple MFA devices, losing the less frequently used one could slip under the radar for longer. Just something to think about!
I personally prefer keeping them separate myself. I have different YubiKeys for work, admin, and personal use, each with different PINs. This way, if someone gets a hold of one key, they won't have access to everything. It creates clear boundaries in security, which is super helpful.
Or you could just write a fake PIN on the key, making anyone trying to guess it lock the account! Plus, labeling the non-privileged one could help, so they start with the 'Admin' key first.