(Replying to PARENT post)

I'd like to try to answer some common questions I see here:

- Q: Doesn't passwordless mean single factor? Isn't that insecure?

A: It could mean single- or two-factor. FIDO2 and the new YubiKeys support an on-device PIN that isn't shared with the server, like conventional smart cards. This allows the key to act as both "something you have" (the key itself) and "something you know" (the PIN for the key). The PIN is optional, though, so both the single-factor and two-factor use cases are possible.

- Q: Is this Azure/Windows/AD only?

A: This post highlights the partnership with Microsoft and the integration with their products, but FIDO2 is not Microsoft-only (and Yubico will not be the only key vendor). CTAP2, once finished, will be published as an open standard like U2F, and the accompanying Web Authentication API [1] (WIP) is an OS-agnostic W3C standard enabling the same features in browsers.

[1]: https://www.w3.org/TR/webauthn/

- Q: Will I need a new YubiKey?

A: For passwordless (PIN) login, yes. However, existing YubiKeys with U2F support will be usable as a 2nd factor in Web Authentication, and sites that currently use U2F can upgrade to using the Web Authentication API without needing their users to re-enroll their keys.

Full disclosure: I'm a Yubico engineer and one of the editors of the Web Authentication spec.

👤emlun 🕑7y 🔼0 🗨️0

(Replying to PARENT post)

What's the deal with lost yubikey user workflow? Rely on individual websites to give you a one-time recovery passcode that you then have to input into every website? I can't believe I'm taking UX cues from cryptocurrencies, but what about providing the user with a seed for the yubikey private key they can back up offline then reinstall in a new yubikey?

P.S. just ordered a yubikey security key, excited to add this additional layer to my own personal byzantine security labyrinth. Or maybe simplify it, who knows!

👤ahelwer 🕑7y 🔼0 🗨️0

(Replying to PARENT post)

> A: It could mean single- or two-factor. FIDO2 and the new YubiKeys support an on-device PIN that isn't shared with the server, like conventional smart cards. This allows the key to act as both "something you have" (the key itself) and "something you know" (the PIN for the key). The PIN is optional, though, so both the single factor and two factor use cases are possible.

No, since passwordless login is available, the lowest denominator applies: single factor. Despite all your efforts it will most likely be possible to perform a passwordless login even when a password is required in a few years (as these things get broken). The something you know is useless, as it can be ignored. And because it can, it will. Either by force, by negligence or by laziness.

👤consp 🕑7y 🔼0 🗨️0

(Replying to PARENT post)

A PIN is really a numeric password. It has all the same flaws - compromise risk (say via social engineering) and the risk of forgetting and needing it reset.

So the ‘passwordless’ option here is either rename the password to PIN or eliminate it to provide single-factor login. The latter is a dream for smart attackers, since there is always some social engineering route they can use to acquire a legit token.

👤not_that_noob 🕑7y 🔼0 🗨️0

(Replying to PARENT post)

Does it identify you as the same person to two different websites? I.e. is it for building up advertising profiles like Google or Facebook logins?

👤teknopaul 🕑7y 🔼0 🗨️0

(Replying to PARENT post)

I wasted so much time and energy on implementing U2F for a web application, writing server side lib and making the javascript framework compatible with the horrible js-hack that's available for U2F support.

It was all in vain; the browser support is still horrible, no one wants to use it and it's not possible to use on mobile. How can you make a security solution that doesn't work on mobile?

Making a new "Web Auth" standard is a huge mistake, and I will not fall into that trap again.

👤polack 🕑7y 🔼0 🗨️0

(Replying to PARENT post)

Do you have any information when any major websites will (may?) support U2F in Firefox? Google, FB etc. Is there some issue with Firefox U2F implementation maybe? Thanks.
👤Yizahi 🕑7y 🔼0 🗨️0

(Replying to PARENT post)

Do you have any plans to release server code (I'm mainly concerned about PHP) for CTAP2/WebAuthn support? I really appreciated having access to a reference implementation to handle the data from the client for U2F. CTAP2 looks significantly more complex, and I'm somewhat worried about complexity of implementing it correctly based on the spec.
👤francislavoie 🕑7y 🔼0 🗨️0

(Replying to PARENT post)

> Q: Doesn't passwordless mean single factor? Isn't that insecure?

> A: It could mean single- or two-factor. FIDO2 and the new YubiKeys support an on-device PIN that isn't shared with the server, like conventional smart cards. This allows the key to act as both "something you have" (the key itself) and "something you know"

If "something you know" is physically stored on "something you have", doesn't this make "something you know" completely moot? Please explain how this doesn't simply reduce to "something you have". In other words, if someone steals your Yubikey, can they log in as you without knowing anything additional?

👤asaph 🕑7y 🔼0 🗨️0

(Replying to PARENT post)

Is there word on whether Yubikey 4 models will support FIDO 2? Or do we have to wait for a new model?
👤parent5446 🕑7y 🔼0 🗨️0

(Replying to PARENT post)

> The new YubiKeys support an on-device PIN that isn't shared with the server

Doesn't this PIN become a master password for all the websites at that point?

👤datalog19908 🕑7y 🔼0 🗨️0