On Wed, 16 Jun 2021 at 06:15, Julien Palard via python-committers <python-committers@python.org> wrote:
I do use a Yubikey too.
I'm not particularly bothered by the debate over 2FA (I have a 2FA app on my phone that I use and that's sufficient) but I'd like to offer a counter argument to everyone saying Yubikeys are a straightforward solution (not particularly picking on you, Julien, a few people have suggested this option). Maybe they are for a lot of people, but I have 3 PCs, a tablet and a phone that I routinely use for github access. At least one is critically short of USB ports from all of the other junk I have plugged in.
I checked the Yubikey website and their recommendation (based on my answers to their questions about how I would use them) was to buy *three* keys, each of which was priced at about €40-50. That's a lot of money¹. And there was some comment about not working completely seamlessly with my iPad, which worried me, as well. And even with 3 keys, that's still going to mean swapping keys as I have more than 3 devices...
So while I support the idea of having 2FA (I spotted a suspicious attempt to log into my account that failed, like Brett, so there's definitely a need) I don't think we should assume any particular solution will work universally - and finding a working solution might be hard for some people (for a long time, I didn't use a smartphone regularly, and none of the available 2FA solutions really worked for me). It sounds like a Yubikey might be a reasonable solution for Tim, but only he can say that for sure, and we should avoid letting our enthusiasm for our own preferred solution blind us to the fact that it might not suit everyone.
(Sorry - some battle scars showing there, I've had rather too many people tell me to get a Yubikey when it really doesn't work for me. It soured me on 2FA for quite some time, until I found a solution that suited me...)
Paul
¹ Yes, I know it's way less than I spent on all those PCs!!!