by tjwds on 8/6/23, 1:36 PM with 89 comments
by hinata08 on 8/6/23, 4:34 PM
It's ironic, as users have been requesting that feature for years, and discord has been pushing back the whole time.
https://support.discord.com/hc/en-us/community/posts/3600313...
Instead, they did the infamous qr code, the new font, the new id that's often similar to the old one but without the #, and the like.
The overly popular support page isn't even cited or mentioned in the article!
I can't understand the disconnect between the teams at discord and the users.
For me, the teams are doing this blog post like they had the idea first because they're the best (when they have actually pushed back for so long).
And not even acknowledging users is just disrespectful. It shows that Discord only involves them in the payment process, and ignores their suggestions whether they're good or bad (because they come from the users).
At the same time, for any change, they post they're visionaries. And I'm sure their CVs go on about how they disrupted their workplace. (while they really did push back on this feature)
by xvector on 8/6/23, 2:05 PM
Might as well not use a YubiKey at all. This just eliminates the benefits a YubiKey would provide. This reminds me of the banks that offer TOTP with fallback to SMS - just turns the "security improvement" into a waste of time and effort.
> We chose [Yubikey C NFC] for a few reasons: [...] 3. It doesn’t support OTP mode, so there’s no “Yubispam” to deal with
I think it does support OTP mode? Using one of these right now and it definitely supports OTP. You can turn it off, but that's not particular to the C NFC.
An aside: YubiKeys are great, I love them... but they need to have a display to show what, precisely, you're authenticating with, or signing, etc. You can never trust your computer's display - Ledger/Trezor's hardware wallets have the right idea. IMO current standards fall short in not providing this information to the hardware authenticator.
by pipe_connector on 8/6/23, 3:10 PM
by alexwasserman on 8/6/23, 9:52 PM
We deployed Yubikeys to every employee (5 Nanos), which went into a USB port on their MBPs, and they were told never to remove them. We rolled out Okta as well (similarly moving from GSuite).
Definitely took some training initially, but after that employees are used to Okta + a Yubikey touch to authenticate to all the systems we used.
Internal SSH as well used certs deployed onto the Yubis, to ensure SSH was physically backed.
With hardware devices all remotely managed through MDM, and enforcing access policies, and full disk encryption, along with the Yubis, you can end up with an incredible amount of protection against phishing and other remote attacks. Even lost hardware is protected, and can be remote wiped.
After building all that infra, now I wish I had more Yubi support at home. So few serious services (e.g. banking) that I care about support it. I can lock my Github with 2FA supporting Yubi keys, but not my bank, broker, mortgage, etc.
by throwaway1777 on 8/6/23, 1:59 PM
by kwanbix on 8/6/23, 2:39 PM
by birdyrooster on 8/6/23, 2:41 PM
by say_it_as_it_is on 8/6/23, 2:20 PM
You don't need to spend millions of dollars tethering your organization to a security identity provider to accomplish no more than what you already are doing without them. WebAuthn is not curing cancer. It's just another marketing scheme for authentication.