> If you work in tech, you probably have a YubiKey
That is a gross overstatement. As someone who works for a pre-IPO startup and been in the bay in various startups for a number of years, I'd hazard that only 5-10% of the engineers had YubiKey, let alone "work in tech".
As an software engineer in a bank (i'm gonna call that tech) my password has to be 8 characters and capital letters don't matter. I still use a Yubikey personally.
I think he means the password complexity policy is only measuring length, and doesn’t distinguish between upper and lower case. Not that the case doesn’t matter in the password. Just in the policy.
Don't know about employee passwords, but for Wells Fargo the online login passwords are case insensitive. I assume this is due to some legacy system somewhere, but for their system password = PASSWORD = PaSsWoRd. One of the many reasons I no longer bank with them.
I've never had a YubiKey, but lots of other places use smart cards (ISO 7816) for secure authentication. I suspect they are far more common than YubiKeys or newer tech, especially in the financial industries.
YubiKeys can pretend to be PIV of OpenPGP smartcard ;=)
But yes in e.g. banking the security systems had been created long before there where really good USB based security keys so it's probably most times actual smartcards.
But then it also turned out that many smartcatd drivers are just REALY bad and complex potentially making your system more vulnerable so I can totally see companies switching away from them.
Amazon may use keys from a variety of sources, but the ones I’ve seen were packaged differently from anything I’ve seen from an actual Yubikey.
If only people were allowed to bring their own Yubikey for U2F and OTP, then they wouldn’t have to wait on whatever official procurement processes are in place from their approved suppliers.
I've got a couple branded ones from amazon IT -- a big one and a tiny one. Currently they're giving out some other one, but I think you can bring your own too
That is a gross overstatement. As someone who works for a pre-IPO startup and been in the bay in various startups for a number of years, I'd hazard that only 5-10% of the engineers had YubiKey, let alone "work in tech".
Whether or not we _should_ is another question.