It's now been a full two weeks since I purchased my Yubikey and have been using it. The goal was to have a security token that I could use as a form of two-factor authentication for most if not all of my accounts. After two weeks of use, I figured I would write about it, and let you know my impressions.
First off, as mentioned in my previous post about the Yubikey, it sends physical keypresses to the host computer, rather than static characters. As a result, for those of us that type in the Simplified Dvorak layout, this turns out to be problematic for Yubikey authentication servers, as the server software expects certain characters from the modhex. This can be modified in the server software to account for the Dvorak layout, but it's not default.
Second is the ability to keep the key with you at all times. This actually has turned out to be a bit of a chore, as is to be expected. In the early morning, while still waking up, I might get on the computer, and check my mail, or login to a site or two. If the cookie is saved, and I'm already logged in, then no big deal. If not, and I need to login, then this means chasing down my key. Same can be said when at work, or at a friends/parents house etc. It actually has become a bit of a pain to make sure that they key is always on my person, and that there is a convenient USB port to plug the key into.
Third, and this is the most frustrating of all, is that many authentication forms on sites have limitations on their password lengths or valid characters. My bank, for example, has a limit of 12 characters max. This is too short for the Yubikey, even for static passwords. Yet, Google does not have an upper limit. So, while my BANK PASSWORD IS 12 CHARACTERS, my Google password is 82. FUrther, Google supports two factor authentication with my phone, while my bank does not. Is it just me, or is it a tad silly that my Google account is more secure than my bank? It should be the other way around, IMO. And this isn't just unique with my bank. My mobile service provider, the university, and many other sites.
As a result, because every site is different on what they will allow for passwords, not only do I need to remember the location of the password on my passord card, but I also need to remember whether or not I can use my Yubikey static password, and which one to use (I've programmed both slots differently). It's all over the place, and it is REALLY frustrating. I've begun sending emails to webmasters to let them know why the limitations they are imposing on their login forms is not doing anything for security.
Obviously, the easy way out is to have the same password for all my accounts, and not use any physical authentication tokens. Just keep it in my head, never change it, and everything will be grand. That's the lazy way of handling passwords. The way I am managing my passwords is a lot of work. I won't lie. I frequently forget which password is for what account, so I've begun keeping them in an encrypted database with KeePass. I copy and paste out of that more often than not. It's a chore always pulling out my Yubikey when needed, and it's usually a chore finding an acceptable USB slot to stick it into that is within reach to easily touch it.
Would I recommend it? Absolutely. I would just put in a word of warning that you're in for a bit of work managing your passwords.