Hacker News

Lately I've been working at a company that uses YubiKeys for 2FA. You can use a traditional YubiKey, but the YubiKey Nano is especially popular because you can put it in your laptop and leave it there. It barely sticks out at all, just enough that you can touch it and activate the touch sensor. [1]

I started noticing people in meetings with their new MacBook Pros and six inch cords sticking out the side, and on closer inspection, there was a YubiKey Nano plugged in at the end of the cord.

Meanwhile, the folks with ThinkPads or older MacBooks just had a Nano tucked into one of their USB-A ports like it was no big deal.

I know which I would pick.

[1] https://www.amazon.com/dp/B018Y1XXT6/



I bought myself the full sized Yubikey instead of the nano because I'm very much of the opinion that the inconvenience is a feature, not a bug — do you _really_ want to leave your Yubikey attached to the device that holds your password manager too?

That said, the problem you described is a temporary one — while not as neat as the USB-A variant, there is a USB-C Yubikey Nano. https://www.yubico.com/product/yubikey-4-series/#yubikey-4c-...


That's a great point about not leaving the YubiKey plugged into the laptop all the time. But the company actually suggests that people get a Nano and leave it plugged in for convenience. Maybe that isn't the best security advice!

Thanks for the pointer to the USB-C YubiKey Nano - it looks like a fine solution for the dongle problem.


I don't understand - why don't they just get USB-C compatible YubiKeys if they have USB-C laptops?


The company would have to provision and deploy those, and these things take time and money.

You could purchase your own, I suppose.


That's even more funny, because the MBP's touch-bar is essentially the same type of device as the YubiKey—an isolated offboard CPU with its own TPM that can be unlocked with a fingerprint and then asked to encrypt secrets for the host/parent PC. The touch-bar just has more screen.

I'm surprised nobody's hacked the YubiKey app into making use of the touch-bar as the YubiKey "device."


Doesn't that kind of defeat the point of the Yubikey? I would think you would want to separate the key and the computer when you yourself are separated from your computer.


The copy on the Yubikey Nano's website says, "designed to remain in port." Removing it is still an option, but it doesn't sound like it's the point of having it.


You can also use the fingerprint sensor as a replacement for the YubiKey. Which works arguably as well - at least it satisfies the criteria that you separate the key and the computer when you yourself are separated from the computer.


The device still requires a pin for most operations (depending on how it's configured), and locks itself if the wrong pin is used too many times.


It’s implemented as an auth mechanism to memento, it might be open sourced at some point.

The reason YubiKey doesn’t do this is that it will kill their business and product.



How would you change your fingerprint if it is compromised? Yubikey can be swapped at any time.



Yes, I too base my decisions of which laptop to buy based on how a YubiKey looks.


It's not just a cosmetic issue. The people with the six inch cords are leaving them plugged into the laptop all the time as they walk around the building, just like the people with the USB-A ports are leaving their YubiKeys plugged in all the time.

The difference is that if they bump into somebody or something, that dongle is likely to get broken, and it could even damage the USB-C port in the MacBook. That's not going to happen with a Nano plugged directly into a USB-A port.


Right, it’s important that the whole world stand still for a decade because of some fucking “YubiKey dongle”.


Calm down. It's not just YubiKey. The world isn't moving to USB-C everything for a while yet.



