
ccmcarey | 2 years ago

From the article:

> Nowadays, newly-onboarded Discord corporate users receive a laptop and at least one Yubikey alongside that laptop. IT onboards users to Okta and instructs them to register at least two WebAuthn authenticators; typically, this is their Macbook’s TouchID/Windows Hello sensor and also their Security Key C NFC.

> We also instruct corporate users to set up Okta Verify for use only as a fallback MFA in the event that all their authenticators fail at once. This way, we never have user accounts lacking at least one strong form of multi-factor authentication.

So OS-level keys, a Yubikey for roaming, and Okta Verify for fallback.

hnbear | 2 years ago

In addition, Okta Admins can also recover accounts, so loss of the Yubi doesn't mean the account is locked out forever. You can easily provision a different 2FA method.

When we deployed we banned Verify (didn't want any OTP), but encouraged TouchID, and the Yubi. If someone was locked out we could temporarily enable Verify, or reset their Macbook or Okta access so they could reregister into either.

But, in deploying 1500 or so Yubikeys over a 5+ year period, we never saw one actually break. Employees would often say they'd broken, but troubleshooting normally showed it was user error.

The worst we saw were a few cases where Yubis needed unplugging and replugging (sometimes being left out for an hour or so).
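The enrollment policy both comments describe (at least two WebAuthn authenticators per account, one platform and one roaming, with an OTP factor such as Okta Verify permitted only as a fallback and never as the sole factor) is the kind of rule an IdP admin wants to audit continuously rather than trust onboarding to get right. The following is an added example, not code from the article, from Discord, or from Okta; it models enrollment records with a small constructed data structure rather than any real Okta API, and the sample users are constructed to exercise each failure mode.

```python
"""Audit MFA enrollments against the policy described in the thread.

Assumed policy (constructed for this example, not an Okta feature):
  - every account has at least two WebAuthn authenticators
  - at least one is a platform authenticator (TouchID / Windows Hello)
    and at least one is a roaming security key
  - an OTP factor (e.g. Okta Verify) is a fallback only, never the sole factor
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Factor:
    kind: str                       # "webauthn" or "otp"
    attachment: Optional[str] = None  # for webauthn: "platform" or "cross-platform"


@dataclass
class Enrollment:
    user: str
    factors: List[Factor] = field(default_factory=list)


# Finding strings are constants so callers can match on them reliably.
NO_MFA = "no MFA factors enrolled"
NO_WEBAUTHN_PAIR = "fewer than two WebAuthn authenticators"
NO_PLATFORM = "no platform authenticator (TouchID/Windows Hello)"
NO_ROAMING = "no roaming security key"
OTP_ONLY = "OTP is the only enrolled factor, not a fallback"


def audit(enrollment: Enrollment) -> List[str]:
    """Return every policy finding for one account; empty list means compliant."""
    if not enrollment.factors:
        return [NO_MFA]

    webauthn = [f for f in enrollment.factors if f.kind == "webauthn"]
    otp = [f for f in enrollment.factors if f.kind == "otp"]
    findings: List[str] = []

    if len(webauthn) < 2:
        findings.append(NO_WEBAUTHN_PAIR)
    if not any(f.attachment == "platform" for f in webauthn):
        findings.append(NO_PLATFORM)
    if not any(f.attachment == "cross-platform" for f in webauthn):
        findings.append(NO_ROAMING)
    # OTP is tolerated only alongside at least one phishing-resistant factor.
    if otp and not webauthn:
        findings.append(OTP_ONLY)
    return findings


def audit_all(enrollments: List[Enrollment]) -> Dict[str, List[str]]:
    """Map each non-compliant user to their findings; compliant users are omitted."""
    report: Dict[str, List[str]] = {}
    for e in enrollments:
        findings = audit(e)
        if findings:
            report[e.user] = findings
    return report


# Constructed sample enrollments covering the compliant case and each failure mode.
SAMPLE: List[Enrollment] = [
    Enrollment("alice", [Factor("webauthn", "platform"),
                         Factor("webauthn", "cross-platform"),
                         Factor("otp")]),            # compliant: two WebAuthn + OTP fallback
    Enrollment("bob",   [Factor("webauthn", "platform"),
                         Factor("otp")]),            # only one WebAuthn, no roaming key
    Enrollment("carol", [Factor("otp")]),            # OTP-only account
    Enrollment("dave",  []),                         # never finished onboarding
]

if __name__ == "__main__":
    for user, findings in audit_all(SAMPLE).items():
        print(f"{user}: {'; '.join(findings)}")
```

Run periodically against an export of enrolled factors, the report is the list of accounts that an admin should push back through registration (or, as hnbear describes, temporarily re-enable a fallback for) before the user is actually locked out.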