I do use a Yubikey too.
On 6/14/21 at 11:27 PM, Tim Peters wrote:
> If I buy one and plug it in, and that's the end of it, fine by me
That's almost as simple as you want:
In the GitHub settings 2FA tab you'll have to hit a "Register a new security key" button; it makes your key "blink" (blinking means: please touch the key to allow this action).
Then every time you login your key blinks and you have to touch it to allow this action.
And that's it. It uses an open standard called U2F 1 which works on a variety of setups (it works with Firefox on Debian for example). It also works on pypi.org \o/.
If the PSF is willing to help financially, I'd recommend everyone to buy (and register) two keys: a primary key and a backup key in case you lose or break the first one.
I personally have a USB-C key and a USB-A key, so I can choose my key according to the USB port I need to use.
Then optionally you can set up a PIV application on the key to store your private ssh key, and use PKCS11 to forward ssh connection challenges to be resolved by the key. The big advantage is: your private key never leaves the key (which is write-only). It's way more complicated than U2F though!
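As an added illustration of the PIV/PKCS#11 setup described in that last paragraph (not part of the thread, and not from the poster), the following script shows the OpenSSH side: export the public key from the token, load the PKCS#11 module into ssh-agent so the key signs the challenges, and emit the matching ssh_config stanza. It assumes Debian's ykcs11 package installs the module at /usr/lib/x86_64-linux-gnu/libykcs11.so (override with YKCS11=...) and that a key pair already exists in a PIV slot; the host name and function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: SSH authentication through a
# YubiKey PIV slot using OpenSSH's PKCS#11 support.
# Assumption: the module path below is where Debian's `ykcs11` package puts it.
YKCS11="${YKCS11:-/usr/lib/x86_64-linux-gnu/libykcs11.so}"

# Print the ssh_config stanza that routes signing for $1 through the module $2.
# PKCS11Provider is a real ssh_config keyword; the host is whatever you use it for.
ssh_config_stanza() {
    host="$1"
    module="$2"
    printf 'Host %s\n    PKCS11Provider %s\n' "$host" "$module"
}

# Export the public halves held on the token; the private halves stay on the key.
list_token_pubkeys() {
    ssh-keygen -D "$YKCS11"
}

# Load the module into the running ssh-agent; you will be asked for the PIV PIN,
# and the key itself performs every signature from then on.
add_token_to_agent() {
    ssh-add -s "$YKCS11"
}

if [ -r "$YKCS11" ]; then
    list_token_pubkeys
    add_token_to_agent
else
    # No token support installed (or running on a machine without the module):
    # only show the config so the script is still useful offline.
    echo "PKCS#11 module not found at $YKCS11; install the ykcs11 package or set YKCS11" >&2
fi

# Stanza to append to ~/.ssh/config; github.com is just an example host.
ssh_config_stanza github.com "$YKCS11"
```

Paste the printed stanza into ~/.ssh/config and register the public key printed by `ssh-keygen -D` with the remote service; from then on `ssh github.com` prompts the key to sign, and the private key never leaves the token.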