Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> If you work in tech, you probably have a YubiKey

That is a gross overstatement. As someone who works for a pre-IPO startup and been in the bay in various startups for a number of years, I'd hazard that only 5-10% of the engineers had YubiKey, let alone "work in tech".

Whether or not we _should_ is another question.



As an software engineer in a bank (i'm gonna call that tech) my password has to be 8 characters and capital letters don't matter. I still use a Yubikey personally.


How do you have case-insensitive passwords? Does it all get smooshed to lowercase before it's salted and hashed?


I think he means the password complexity policy is only measuring length, and doesn’t distinguish between upper and lower case. Not that the case doesn’t matter in the password. Just in the policy.


Don't know about employee passwords, but for Wells Fargo the online login passwords are case insensitive. I assume this is due to some legacy system somewhere, but for their system password = PASSWORD = PaSsWoRd. One of the many reasons I no longer bank with them.


Sounds like the easiest way to handle it to me.


I've never had a YubiKey, but lots of other places use smart cards (ISO 7816) for secure authentication. I suspect they are far more common than YubiKeys or newer tech, especially in the financial industries.


YubiKeys can pretend to be PIV of OpenPGP smartcard ;=)

But yes in e.g. banking the security systems had been created long before there where really good USB based security keys so it's probably most times actual smartcards.

But then it also turned out that many smartcatd drivers are just REALY bad and complex potentially making your system more vulnerable so I can totally see companies switching away from them.


Not all of them, particularly the cheap U2F ones don't have PIV or PGP.

I would link to a feature matrix, but Yubico makes it impossible to find one (although I know it exists).

Edit: found one https://www.yubico.com/products/compare-products-series/


This seemed odd to me as well - anecdata, but I have yet to work at any company that uses YubiKeys, I have only heard that FB does.


FWIW Amazon / AWS also use YubiKeys.


Google as well. (Physical security keys, at least - I make no specific statement about branding)


I think they would be Titans.


google doesn't use google authenticator? How odd.


Google and Amazon are both well known to use hardware that is similar to a Yubikey, but not exactly the same.


I previously worked at AWS. I definitely used a company issued actual YubiKey while there.


Amazon may use keys from a variety of sources, but the ones I’ve seen were packaged differently from anything I’ve seen from an actual Yubikey.

If only people were allowed to bring their own Yubikey for U2F and OTP, then they wouldn’t have to wait on whatever official procurement processes are in place from their approved suppliers.


I've got a couple branded ones from amazon IT -- a big one and a tiny one. Currently they're giving out some other one, but I think you can bring your own too


Google open sourced FIDO2 firmware to make a 2fa device. May not be related to Titan keys.

https://github.com/google/OpenSK


Agreed. That turned me off to the article. Made it sound like an ad.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: