Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

few providers support enrolling multiple yubikeys into your account.



Which don't? For all the big major ones I've used U2F with, they've supported multiple keys for a while (or since introduction). It's practically a requirement in case you lose a key..

To name a few off the top of my head: Google, GitHub, Gitlab, Facebook, 1Password, etc.


Vanguard (where my company has their 401k plan) is one I have encountered that only supports a single Yubikey.


Not sure when you last checked, Vanguard supports up to 4 security keys.


Oh, great news, thanks for letting me know!


I just think Vanguard doesn't let you fully disable SMS though right? (but I only checked like a year ago..)


AWS only supports a single U2F key at the moment.


Before this, both LastPass and 1Password said they supported U2F via Duo, but Duo only supported one key, so I could never use it.


If that's the case, it must have changed at some point. Lastpass and Duo both support multiple U2F keys, and have for at least a couple of years. I have two keys registered with Duo for login at my school and also through Lastpass's non-Duo U2F support.


My college uses Duo and it has no such restriction, if you tried this recently and couldn't add more than 1, it is probably set by LastPass/1Password.


Duo Free used to have a restriction of one device, but it seems for U2F they now require one of their paid plans: https://duo.com/product/trusted-users/two-factor-authenticat...


I didn't even realize they had a free tier, makes sense.


This is true, and it is dangerous (once the key fails, folks get locked out). I don't use security keys with such providers.

It would be nice if someone made a library that made incorporating Webauthn login into an app as simple as using django or Ruby on Rails or React to create a login form, so folks don't end up rolling their own and assuming that a user will have at most one yubikey.

Failing that, you could do what Zeit does and rely on email providers' support for Security Keys (login by email link only).


Usually you can use a TOTP backup method (Google Authenticator or similar). But don't actually use it. Just save the key to initialize it to a secure backup which can be accessed of your Yubikey is lost.




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: