How do your users carry a physical security key when not in use?
Posted by Here4TekSupport@reddit | sysadmin | 217 comments
Hey all,
We are testing out deploying YubiKeys company wide. We have a pilot group of about 35 people in various departments, and the overwhelming complaint/note I receive is "How am I supposed to carry this key around?"
Most people that use their keychain don't like it because it's bulky having their entire personal key set just plugged into their computer, which is fair, I don't like it either.
I am thinking of something like a Detachable Quick Release Keychain.
That would allow them to disconnect their security key from their key ring quickly.
This is the first company I've worked at that will be using security keys, so I am just curious how other companies have been handling this?
FartInTheLocker@reddit
We've got about 140+ people using them at our business, never really had this point brought up, but I think a majority of our guys just put them on key chains or lanyards.
The more common one is hybrid users forgetting them when they come on-site etc.
hyjnx@reddit
My coworker 3D printed lanyard access card holders that had a provision in the back for a token device. Maybe one could be made for the Yubikey.
Here4TekSupport@reddit (OP)
Honestly every single one of the managers in our IT department is crazy about 3D printing so that's not a bad idea
azaz0080FF@reddit
have you considered smart cards?
Here4TekSupport@reddit (OP)
Yes we were looking at turning our work badges into smart cards but apparently the cost and work that would have to go into it was too much, so now we are moving forward with security keys
Butznet@reddit
Just leave it plugged in? We have the Yubikey nanos and most users just keep it in the laptop.
smb3something@reddit
Doesn't leaving them plugged in decrease some of the security?
aes_gcm@reddit
Yeah but it just ties the security model to physical possession of the laptop. It's still a "thing you have" MFA.
roll_for_initiative_@reddit
Security model for accessing remote resources like m365, sure. What about making sure people aren't sharing accounts/machines? Leaving the key plugged in means any coworker or person can walk up and put in the pin and access anything on that workstation/anything that workstation has access to - single simple factor only.
I prefer pin + fingerprint or whfb face scan. No sharing accounts that way, mfa no matter how you slice it.
BasicallyFake@reddit
They can also just throw their key at their buddy. You can't fix everything.
livinitup0@reddit
Honestly I don’t know why facial recognition like in iOS isn’t the standard in PCs yet for mfa
Sounds terrible from a privacy point of view to have to pop my laptop camera on to log into my CA account but it would sure be easier than fiddling with Authenticator
BasicallyFake@reddit
all modern pcs do and can support facial recognition via Hello for Business
JwCS8pjrh3QBWfL@reddit
It is a standard on PCs, Hello for Business (which is just FIDO2 in a trenchcoat). It's just that cheap companies won't spend the extra $100 for the Hello-compatible webcams.
MasterOfPuppetsMetal@reddit
I work in K-12 IT and I think our teachers would revolt if we had them set up fingerprint scanning. Some were already paranoid about IT collecting their fingerprints when they set up their Yubico key. They just tap the blinking green light to activate the key....
roll_for_initiative_@reddit
I mean, that's not an IT issue but i get it. My main thing with most places using some kind of key only or WHfB pin only is that it defeats some of the main issues we've been dealing with since the early 2000s: computers logged in shared and multiple people using them (usually to save on licensing somehow). Requiring TRUE mfa (meaning not just for remote attacker access, but any access, including walking into the managers office and sitting down), makes that issue go away AND lets you be honest when you check the mfa is required compliance checkbox.
If bob from sales can be out of the office and tom the warehouse guy can sit down and put a pin in that's taped on the monitor, that's just not mfa. But it seems like no one cares about local access mfa, just accessing like m365 from not-the-users-computer.
JwCS8pjrh3QBWfL@reddit
Because that is, and always has been, an HR issue (password sharing, violating the AUP), not a technical one.
thortgot@reddit
At which point it's better replaced with a device certificate.
CountGeoffrey@reddit
device certificate doesn't prove user presence (UV).
thortgot@reddit
WHFB (or equivalent) does.
JwCS8pjrh3QBWfL@reddit
That's not what you suggested though, you suggested a device certificate.
thortgot@reddit
On the basis that you are already handling user presence securely.
Physically leaving the yubikey in the device isn't a net security benefit.
0100000101101000@reddit
You can also set a PIN.
atribecalledjake@reddit
yeah, password + physical ownership of the key/laptop + pin is A-OK to me. I absolutely LOVE my Yubikey. As an Admin of many things that prompt me for MFA regularly, it saves me so much time typing in passwords and approving push notifications. I love love love it.
JwCS8pjrh3QBWfL@reddit
I was cool with passkeys via the MS Authenticator app until they removed the ability to remember phones so you had to scan the QR code EVERY. SINGLE. TIME. I had to swap to a yubikey because it was way too much when I was trying to log into multiple tenants in a short succession.
PhantomNomad@reddit
Something's not right. I only scanned the QR code once to set it up in my authenticator and that's it.
JwCS8pjrh3QBWfL@reddit
For the passkey? You don't scan a QR code to set that up.
PhantomNomad@reddit
Yes I see it exactly once and never again. The way you worded your comment makes it sound like you need to scan the QR code every time you log in.
JwCS8pjrh3QBWfL@reddit
Are you talking about passwordless? When you set up a passkey, you do it inside the app, and then when you want to use it on another device, you have to scan a QR code from the security dialog.
smb3something@reddit
You can do passkey and just use the username and password and approve mfa on authenticator still or no?
JwCS8pjrh3QBWfL@reddit
Yes you can choose to use password, but that's not phishing resistant, which is the point of passkeys.
geekonamotorcycle@reddit
I have not seen this?
genuineshock@reddit
I daily thank my coworker that did all the prep and setup for our Yubikeys. It's glorious.
hadrabap@reddit
I love the pure WebAuthn login. No user name, no password. Just the key, PIN, touch and you're in. It's so much faster and virtually unhackable as the server knows only the public key.
Exploding_Testicles@reddit
And yubikeys still also require a pin to use. At least for our clients. We require a 6 digit pin to be paired with the yubikey.
So even if someone gets the laptop with the yubikey they need the pin.. PLUS we have MFA, either a 6 digit 30 sec rotating pin, or Microsoft's authenticator
on_spikes@reddit
not really, as you still have to touch them to activate them.
Knight_of_Tumblr@reddit
If their PIN is compromised and the attacker has physical access, yes. Yubikeys requiring physical touch is a huge factor in making them phishing-resistant.
Butznet@reddit
It does but it's better than not having a fido. Less likely to get hacked when you have to have the physical device with key and know the pin to authenticate.
Dabnician@reddit
Windows Hello can completely replace a YubiKey for most everyday authentication tasks.
I don't get why this sub wants to be all fuddy duddy all the time.
livinitup0@reddit
I’ve never been in a shop that uses it but I always wondered why this didn’t take off more. On the surface it seems to handle most mfa needs
Dabnician@reddit
System admins only tend to trust stuff that is old, WHfB is new so it's not "trust worthy".
LowerAd830@reddit
Just leaving it plugged into the same laptop all the time, can kinda defeat one of the purposes. Odd that mine requires a Fingerprint, or pin code as well as just plugging it in.
I'd never leave it plugged in. I authenticate, when it asks. Sessions from the same Network (Work or Home for me) expire in 8 hours, or if you switch locations to like a hotel or across the country, it will require the key and reauth.
BaconEatingChamp@reddit
You have a bio series yubikey? The common ones don't require "fingerprint", but just to be touched to verify proximity, but they do have the bio series which is nice too for those (possibly like yourself) requiring biometrics
Xzenor@reddit
That kinda ruins its purpose
Fistofpaper@reddit
the low profile design of the nanos is highly desirable.
Andrew-Powershell@reddit
The small size is good and bad. Good for leaving plugged in, but makes it very easy to lose if you ever take them out (and your users just might)
Speed-Tyr@reddit
I have seen a lot of them get broken off while plugged in. Because it was left in all the time.
fuzzentropy2@reddit
I tried one for myself and it is great to leave in laptop when on the go, but I had to take it out too much, so I attached something to the little loop...
Yesterday the wire broke through the loop on the nano.... so now have to try to get out using fingers again...
elpollodiablox@reddit
The nano adds an unexpected layer of security, because holy cow that thing is really hard to remove.
DefiantPenguin@reddit
And if you’re using the USBC version, when you remove it, it inevitably will end up slipping out of your fingers and it becomes a treasure hunt.
elpollodiablox@reddit
Yeah, I've had to chase mine down a couple of times.
TulkasDeTX@reddit
🔑🤏
phouchg0@reddit
Gotta be careful you don't inhale those
Butznet@reddit
There's a story here isn't there?
phouchg0@reddit
No story, more like a fear I always had, the same reason why elephants are afraid of mice. (Or so we were told)
Joe_Dalton42069@reddit
But that defeats the Purpose? Does it not?
Smith6612@reddit
This. Except make sure you have plenty of spares, and ways to recover from the loss of a FIDO token. In my experience, people beat the crap out of their tokens when left inside the PC constantly.
valar12@reddit
This is the way. They do NOT come out easily.
AbleDanger12@reddit
Work in big tech - most of us have them in the laptops 🤷 Many of us also keep a spare along with our badge holder as well.
davidm2232@reddit
We gave users the option. Either a physical key or an app on their phone. The majority took the app. A few people took both. It is convenient to have the key card on your desk and just push the button for a code. It is also nice to have access from anywhere using your phone
MarkOfTheDragon12@reddit
During onboarding IT orientation, I usually recommend they put it on their Keychains so they don't forget it somewhere. We do also provide USB extension cables that sit flat on the desk, though, as a measure to avoid breakage and snapping dongles off.
There are also the Nano form factor keys that can just be left in without protruding
blue_skive@reddit
I have mine on my lanyard and the extension cable on my desk is long enough that I pull it to me and plug it in while still on my lanyard.
MarkOfTheDragon12@reddit
NGL, I would absolutely forget that thing was plugged in and yank my laptop along with me or choke myself at some point :)
Witty_Formal7305@reddit
Most people I know either leave it plugged into their laptop / dock all the time or on the lanyard with their keycard.
stirnotshook@reddit
This is what I do as well as most (lanyard with yubi key). However, if I found unattended pcs with the yubi keys plugged in, I take them. They’d have to see me to get them back (Technology Director).
Opposite_Bag_7434@reddit
This is what we see happening as well.
Siphyre@reddit
Mine is attached to the ring that holds my keycard. Works really well because it means I don't leave it with the laptop if I step away since we need our key cards to access the building and I don't want to do the walk of shame to the front.
nv1t@reddit
I know companies where the key cards are the physical keys. When they leave the laptop, the laptop is locked automatically. And because they need their key card to access everything the laptop is locked by default. :)
Emotional-Event462@reddit
The United States military.
beaucoup_dinky_dau@reddit
I think anyone working for the fed has to do this
hkusp45css@reddit
I keep mine plugged into the dock until I leave then, I hook it onto my badge lanyard until the next day.
That way I have it with me if I need to access systems in the evening or after COB.
ninjascotsman@reddit
it's in my pocket attached to chain which goes to my belt loop
Expensive_Plant_9530@reddit
Your pocket? On a lanyard? Leave it at your desk in the drawer? Same place you carry your phone? On a keychain?
Honestly this seems like a weird thing for staff to complain about. The answer is going to be slightly different for each person and their personal preferences.
Quick detach keychain or quick detach lanyard seem like good options here.
cbtboss@reddit
For Microsoft Shops:
We opted for Windows Hello which is FIDO2 without needing to buy hardware. Alternatively, you can also configure the Microsoft Authenticator to do FIDO2/passkey authentication.
Nailtrail@reddit
I was experimenting with passkey authentication in Microsoft Authenticator on Android and found it to be a mess
Mister_Brevity@reddit
I’m going to hate myself for this later but right now it’s making me laugh
Stringsandattractors@reddit
I appreciate it
bbbbbthatsfivebees@reddit
That's the point.
You're supposed to treat a physical security key the same way as you'd treat any other physical key. If you don't like it... Too bad! It's supposed to offer a compromise between not requiring users to use a cellphone to enter TOTP keys and also requiring users to carry something around. If you have to plug your whole set of keys into your computer, GOOD!! They're designed to not be forgotten when you leave your desk/office, as leaving a security key plugged into a computer at all times should carry the exact same weight as leaving a house key in the deadbolt.
phr0ze@reddit
This is a short sighted attitude for many reasons.
But the biggest reason is OP is trying to find a way to actually physically carry the key but quick detach the key. He is not considering a bypass.
landwomble@reddit
I have a yubikey nano and I 3d printed a container for it with a keyring loop
highdiver_2000@reddit
A key for Dev, UAT, Staging and Production each. 4 keys
3 applications (conservatively), 12 keys.
Smart_Advice_1420@reddit
I have mine in a yubikey x keyport
Godbotly@reddit
I designed and 3d printed them in TPU for our small crew and even clients. Works amazing. Mine is in my pocket every day for about 18 months now, in great condition, key has never fallen out etc.
I suppose not practical for an enormous company.. but worked for us.
https://www.printables.com/model/1133675-tpu-holder-cover-for-security-key-nfc-by-yubico
tejanaqkilica@reddit
I don't know, how do you usually carry stuff around? This is kindergarten level training.
spidireen@reddit
We recommend our staff keep them on their work lanyard/keychain because they are used to carrying those around anyway. They generally don’t leave it plugged in because once they’ve signed into our SSO portal in their browser they’re good for the day.
stufforstuff@reddit
It's a key - how do people normally keep their keys? Keeping it plugged into the computer when unoccupied defeats a good part of the security of MFA.
IllIntroduction8499@reddit
Okay, confession time... I configured two Yubikeys and left one at home and one in the office.
Zerowig@reddit
That’s what I do. My keys have never left either desk in over 6 years, and thus never get lost, stolen or broken.
pixr99@reddit
Two?! In this economy?!
grahamgilbert1@reddit
Give them two - a nano they leave in their computer all the time and an nfc security key they use as a backup or on their phone.
reilogix@reddit
Little CaseLogic USB drive holder. On each of 3 keyrings…
BrilliantJob2759@reddit
On my keychain. Honestly, that's a them problem; it's not an actual problem that's up to IT to solve.
RobbyBurgers@reddit
When YubiKeys stop working because they break from being tossed around on a keychain 10x a day, that is 100% an IT problem.
BrilliantJob2759@reddit
That scenario falls under an electronics use & abuse policy made by HR. Think of company phones & laptops. IT isn't in charge of getting users carrying bags or OtterBoxes, or mandating they be used.
thortgot@reddit
So what are you advocating your users do?
fuzzentropy2@reddit
We let them figure out the best way for their lifestyle or use or whatever. Some use keychains, some got the little covers on AMZ, some in purse, some on lanyard with ID.
We basically told them they are responsible for figuring out the best way that works for them, OH, by the way if you lose it, that'll be $50.
RobbyBurgers@reddit
I guess my main point is that when a Yubikey is lost or broken, no matter what the electronic usage policy states, it becomes an IT issue - again. lol.
NEU_Throwaway1@reddit
Right lmao, I'm reading all these comments about "bill their cost center" and "their problem to pay for" and I'm just jealous about how all these people have the full backing to do this. Everywhere I've worked at - the policy is great until a manager complains up their reporting tree and HR balks at backing us.
BrilliantJob2759@reddit
That's fair. It seems a bunch of folks in the comments are mixing up a problem IT needs to solve, vs a problem IT will have to deal with at some point. This is the latter and not the former. The keys themselves are the solution to an actual IT problem.
thortgot@reddit
So if a user says "where should I put it", your reply is "anywhere you want"?
HighRelevancy@reddit
No, it's definitely an IT problem. Making your systems/workflows usable is important. Otherwise you're just messing with everyone's day and it gets very us vs them and everyone's unhappy.
blueblocker2000@reddit
But it would become IT's problem when the yubikeys get snapped off in the port or the ports damaged cause users have it supporting 5lbs of keys hanging off it.
Mostly__Relevant@reddit
Bill the users cost center. Just like any other respectable org does.
blueblocker2000@reddit
I'm referring to the labor/dealing with it aspect.
Master-IT-All@reddit
Well, we do need to have work occasionally to show that we're doing something.
blueblocker2000@reddit
That's the kind of work that gets me stopped while I'm heading to the restroom after that 2nd cup of morning coffee.
sgt_Berbatov@reddit
But what an easy way to earn that 3rd cup before 11am though.
blueblocker2000@reddit
I'm usually sleepy after the laborious restroom break 💩
IrquiM@reddit
Stop using them then.
In fact, stop giving users PCs and you'd have even less to do!
blueblocker2000@reddit
I'll email my boss tomorrow and attach your ok to it. Thanks a bunch!
Internet-of-cruft@reddit
No it's not.
IT can supply some basic guidance, but this is a people problem not an IT problem.
blueblocker2000@reddit
well you're going to have to replace the broken yubikeys or repair/schedule service for their damaged laptop/desktop. Not sure how that doesn't become an IT issue.
RobbyBurgers@reddit
This guy gets it
Internet-of-cruft@reddit
No, this is completely missing the point.
Stop making people problems an IT problem.
Equipment is broken? Yeah, that gets replaced by IT.
Repeated damage for the same reason, like someone is putting unnecessary wear and tear on IT equipment? The department heads need to talk to their staff about damaging company property.
Here4TekSupport@reddit (OP)
I mostly agree, but if I could do something to make it easier on them without a bunch of work on my end, I am happy to explore that option. If nothing comes up then that's fine, but figured I would at least reach out and try before telling them oh well.
BrilliantJob2759@reddit
There are plenty of times where I'll do some thinking & brainstorming to make things easier for them while staying within the mandate. But this is a thinly disguised "I don't wanna". If it were a legitimate issue, yeah. Not this though.
I had similar when we instituted hardware tokens at a previous company (cheapskates). "But what if I leave it in my car?" Seriously? You need me to tell you to walk back to your car to get it? I had a great working relationship with all of the users at that time so when they'd ask I usually said something like "stick it in a drug baggie and swallow it every morning for all I care", which always got a laugh.
hkusp45css@reddit
This should really be the default position when IT says "We need to do this" and someone says "the users aren't going to like it, you need to design a process that takes the friction into account"
The line should be "This is what we're doing. We're not going to constrain the users by telling them how to deal with it. They'll figure it out, because that's what we pay them to do."
CantPullOutRightNow@reddit
Keep it in the pocket of the laptop bag. You can suggest a prison wallet to anyone that doesn’t accept that as a final answer.
npiasecki@reddit
We tried Yubikeys but the form factor was a problem. We switched to FIDO2 NFC credit card size things that double as their employee badge. Some people wear it on a lanyard, most keep it in a wallet. I wish Yubikey made one as they are harder to find. HID and Cryptnox make some
z0phi3l@reddit
That's a user problem, not IT or engineering
And that's exactly what users were told when we used Yubikeys too
MasterOfPuppetsMetal@reddit
I work in K-12. For the staff that use Yubico keys, they usually carry it on their keychains. Some staff just leave it plugged into their computer all day. And I've seen a few velcro it to the side of their interactive display.
strife2two2@reddit
I have my yubikey on one of these: Pull To Eject, Embroidered Key Chain https://www.amazon.com/dp/B015QOH8OU?ref=ppx_pop_mob_ap_share
And then a quick release: TISUR Titanium Quick Release... https://www.amazon.com/dp/B0BM45JSQH?ref=ppx_pop_mob_ap_share
rev_mojo@reddit
I'm weird and wear it on a chain around my neck.
_Do_The_Needful_@reddit
No different than carrying a laptop to and from work. Leave it plugged in, or put it in your laptop bag or wallet.
Makanly@reddit
Obviously you give them the micro key so they can just leave it in their workstation. Very convenient!
Madh2orat@reddit
We just permanently leave them in the devices. That said I prefer the CAC’s and stick it on a lanyard. It’s just easy to pop in and use it.
hells_cowbells@reddit
That's fine until you leave your full size Yubikey in your laptop and break it when you put your laptop in your backpack.
Madh2orat@reddit
True, that would be an issue with full size yubikeys. We have only the tiny ones that stick out less than a Logitech nub so leaving them in isn’t a problem.
hells_cowbells@reddit
And that's exactly the one I broke in my backpack.
malikto44@reddit
I have mine on a detachable keychain with my badge's lanyard. The second YubiKey is in my wallet, and the third is clipped in my backpack. Sounds like overkill, but I really don't want to have to reach for an Entra break glass account if my badge gets accidentally microwaved.
halodude423@reddit
We don't allow it. Either MFA on your phone or you're out and at this point we only have thin clients and tap n go.
jdanton14@reddit
I have my three on a chain. If I had an office I'd wear it on my wrist.
zer04ll@reddit
Been on my keychain for years, holds up great!
anonfreakazoid@reddit
Home desk, wallet, work desk.
Are you issuing them one or several?
bullium@reddit
We use these Shieldcase Protective Case for... https://www.amazon.com/dp/B0FZD1WPY7?ref=ppx_pop_mob_ap_share
Speed-Tyr@reddit
Was part of doing this at a previous place. Mostly it was put on their lanyards. Some on keychains. The onus is mostly on the user to not break it or lose it. Much like everything else.
It is usually a real hard sell to older users. From what I saw at 50k+ users.
boondoggie42@reddit
On their lanyard with their door badge.
sengh71@reddit
Same here. I have mine on the lanyard that also has my keycard and server room key.
sryan2k1@reddit
Our badges are mostly electronic these days. No lanyards!
nickerbocker79@reddit
That's where I have mine. I don't have to leave it in the computer. Just for authentication to certain apps.
wvraven@reddit
My work one lives on a quick disconnect on my lanyard. My personal one lives on a quick disconnect on my keychain. Good discos are a must in my o.
Silly_Goose_369@reddit
I have a 3D printed case that attached to my car key ring. I always have my keys on me (mentally can’t not have them lol) so it works for me.
Unseen_Cereal@reddit
Yubikey Nano USB C, I don't even think it would ever bust the port if kept in a bag unlike longer ones
BasicallyFake@reddit
most have started using the nano and just leaving it in the device, which presents a slight problem, but users are going to user.
amateurwheels@reddit
About 300 5c nfc deployed. We recommend keychain. Some do some don’t. Some complain because of multiple vehicles. A few without company phones leave it in their pc. Over two years it hasn’t really been a big issue. 0 broken computers. We’ve replaced 6 lost keys in 2 years and 4 non responsive keys. Have not seen any physical key damage. 2 of the lost keys were later found by users and turned in. Private organization, multi state, multi-location. Construction industry.
SignificanceDue733@reddit
Do they not fit in your wallet? That is how I carry mine
CountGeoffrey@reddit
we built them into custom teardrop contoured plugs. either plain end or with a jewel medallion, user choice.
SpeechMuted@reddit
That's generally an issue for users to solve. The most common way I've seen is on the keyring of a lanyard, and I suspect most places using security keys already issue physical IDs and require them to be visible at all times.
Single-Virus4935@reddit
Branded Lanyards with a robust clip. They are cheap and can be used for branding etc
aguynamedbrand@reddit
Putting the name of the company on the key or lanyard is bad practice.
Single-Virus4935@reddit
Good point
LodanMax@reddit
I just carry it in the coinpocket of my pants.
Butznet@reddit
IT needs to issue compliant pants for the company.
Internet-of-cruft@reddit
Uh, what's the procedure if some pants are not compliant?
Coffchill@reddit
Like Renham’s electric pants?
Butznet@reddit
Those are compliant
Here4TekSupport@reddit (OP)
Writing an email to my boss, just got to figure out what jean wash to pick
BrokenSocialFilter@reddit
What about those Jordache embroidered pockets, hmm?
can-opener-in-a-can@reddit
First it was just computers, then it was anything that plugs in, now it’s anything that you put anything that plugs in into.
cbelt3@reddit
That’s for the Aldi quarter ! Or the pocket watch fob for the Steampunk sysops.
LowerAd830@reddit
Lol! Yes! Quarter goes in there, or in the car door armrest.. indentation compartment thing where you grab the door and shut it.
ecnarc@reddit
i can see myself easily running my yubikey through the wash this way.
LodanMax@reddit
They are IP68 rated :)
JwCS8pjrh3QBWfL@reddit
Well a yubikey is a solid block of thermoplastic, not a regular clamshell case, so that shouldn't be a problem... the first couple of times at least...
D3xbot@reddit
Quick release on my keychain
SereneInauguration@reddit
the quick release idea is overthinking it. We went through the same thing and most people just adapted once they realized leaving it plugged into their laptop dock the whole time was fine, or they threw it on their badge lanyard and stopped complaining after like two weeks. The bulky keychain thing sounds like user resistance to change more than an actual workflow problem. You could also just tell them to leave one at their desk and one at home if they're remote, costs way less than engineering a solution around their preferences. The real issue isn't the key itself, it's that you're trying to solve a comfort problem that'll resolve on its own once they get used to it. Save your energy for the people who actually need help with MFA setup or recovery codes.
collinsl02@reddit
Personally I have a fabric neck lanyard with two retractable wheel lanyards on - one has my ID badge for scanning on locked doors, the other has my Yubikey and my pedestal (under desk lockable drawers) key on it. That way the door systems aren't confused by the NFC token in the Yubikey.
CATDesign@reddit
I think Yubikeys are a more advanced version of Smart Cards, so you can just look up what other companies did with Smart Cards to figure out how people are supposed to carry their "keys."
Like, when I worked at a company with Smart Cards it was literally just in my wallet all the time. I have a Yubikey that my current job has been toying around with, and it's small enough to fit into the same wallet.
Thinking back to what other people did in my old organization, some people used lanyards to hold their Smart Cards. You could probably use the lanyards as well for Yubikeys.
collinsl02@reddit
It depends how you use smart cards though - for example where I work we have two systems, one requires a daily Yubikey auth to M365 as 2fa, the other uses smart cards and if you remove the card the machine locks. So I only need my Yubikey daily but I need the smart card constantly.
spitecho@reddit
Everyone either has a USB hub, USB extender, or a keyboard with USB ports so their keys are on the desk and not just dangling out of the computer.
hops_on_hops@reddit
Remind users it is a Key - like opening a door. You only need the key to get in, then you can put the Keychain back in your pocket.
Individually-assigned laptops with windows hello pin have been much more easily adopted. Lean into that with as much of your workforce as possible.
collinsl02@reddit
I don't know but I think OP may be shooting for using the token as a form of smart card - lock the machine when it's not plugged in style. I could be wrong though.
Personally I prefer the idea of a daily auth with it as 2fa then from there use Hello or a password each time you lock your machine - making it as convenient as possible for the users means more people will follow the guidance.
itskdog@reddit
I'm surprised you're the first person to mention this. Using device-native storage such as WHfB, Google Password Manager, or whatever Apple's solution is called is the best solution for work devices, keeping the keys for personal devices.
ProperEye8285@reddit
There are certain inalienable truths in the life of technology.
"I don't like that I can't use Password1! as my password."
"Cool. You have to have a unique password and you have to remember it, use it, and change it regularly, like your toothbrush!"
"I don't like carrying around my Security Key."
"Cool. You have to have a Security Key and you have to keep it on your person when not in use. (per policy.)"
"I don't like your answer, and I want to complain to your Manager."
"Cool. Here's his email, I'll let him know you're coming!"
Of course, tact can go a long way but, at the end of the day, some facts are...Facts.
throwpoo@reddit
They leave it in front of their monitor that's next to their password on the sticky note.
Einaiden@reddit
I have one on a lanyard, one on my keychain and one in a secure location. Is that too much?
nix80908@reddit
My users usually clip it on with their badge. I have seen a few get a detachable keyring to use it
Pork_Bastard@reddit
we have ours on detachable keychains, similar to the link below. we do not keep them plugged in, they are put in to authenticate admin access (separate account for local and domain) and then are removed. PINs are required to access the certs on them. The number of folks in here that just have them permanently plugged in is pretty wild. let's go from a complex password + mfa to a 6 digit pin. or it sounds like some of these don't even have a PIN. wild shit
West_Acanthaceae5032@reddit
I have 5 different keys from Thetis, token2 and yubikey. You need backup keys anyway so get a variety of them. The nano works great for laptop scenarios where the laptop is not apple, because there you use Touch ID most of the time. And yubikey bio for the really secure stuff. These things are fun, and I prefer the Aluminium Thetis keys for their durability.
LowerAd830@reddit
This. And Thetis comes with a keychain/ID badge/whatever clippable pouch. Amazingly durable.
paganig@reddit
Cheap tag to find it/remind me to unplug it when I leave, nfc emulator for my badge and a few more cards. The spare one at office is tied to the vending machine key, and a third is at home in a safe
Coffchill@reddit
Where did you get the nfc toolkit key from?
Eduardo_squidwardo@reddit
I just use these small key clips and clip it to my badge reel: https://www.amazon.com/dp/B0D5H62T9V/
What others have said about the nano just staying in the computer is likely the way to go for one-to-one users.
BlackV@reddit
How do they carry their phones?
Their wallet?
Their hankies?
Personally my work yubi keys are in my laptop bag, my personal ones are in my wallet
ApertureNext@reddit
I want to say 1/4 of people I know have a job where they carry around some kind of keys and I've never heard anyone complain about it.
Doublestack00@reddit
I can't remember the last time I carried a key around. The only "key" I have left is my car fob and I never touch it. My car auto unlocks/locks so I just have to have it with me. I do not even have a key ring on it, just the fob.
House/office and all computers my phone is my "key".
Here4TekSupport@reddit (OP)
This could very well be a non-issue once we deploy to more people, but it's my first time deploying these keys, so I am trying to do the best job I can and cover all bases.
Doublestack00@reddit
Leave it at the office in their office?
Pure-Recover70@reddit
The answer is to have more than one. One bigger format NFC capable one on your keychain for emergency situations, one nano usb-a (if possible, usb-c if no usb-a port in laptop) permanently plugged into laptop, one nano usb-a plugged into workstation.
BCIT_Richard@reddit
Treat it like an access card, separate from your badge, on a retractable lanyard.
I found a badge and access card in a crosswalk yesterday (this is why my workplace very strongly suggests you don't keep them together). Luckily for the end user, I work in the building next door and was able to return it to them as I go into their building regularly for work.
We use DUO & most of our users who've opted for the OTC fob end up leaving it in their desk drawers though, you can only do so much until a breach exposes it.
SecondBestNameEver@reddit
I do some work for a FAANG company. My company laptop comes with a USBC nano key and I just leave it in the laptop the whole time. It's less bulky than having the key chain in the laptop, and it's just as bulky if I'm traveling somewhere and need to take the laptop with me anyway. The amount of times I'm using another computer with my account is 0.
LowerAd830@reddit
My Yubikey comes with a little pouch that attaches to the keychain. You unsnap the form fitting pouch, pull the key out and use it. No need for keys to go with it.
ipreferanothername@reddit
i wfh and leave it plugged into my computer all day. on the very rare times i take it to work....i put it in my laptop pocket if i leave my laptop on the desk or something. it's tiny.
che-che-chester@reddit
We recently started using yubikeys and when I asked Security if there are any usage policies, they looked at me like I had two heads. I said “you know, like it must be on your person if you walk away from your desk or stuff like that” and they didn’t comprehend what I was even asking.
TeamSylver@reddit
I’m not from a company that mandated Yubikeys, but I use them a lot and basically mandate it for myself and anything I do. I basically have mine on my lanyard, which I am usually wearing at all times. For a while, I did just leave the key plugged into my workstation throughout the day, but that’s not a good idea when my bosses kept inviting customers out back (I worked in a small local shop).
whetu@reddit
I gave my users the option to select from 3 models, they all went with one of the nano options.
I have a nano permanently in my laptop and a 5C-NFC for other uses.
I keep the 5C-NFC in a Jibbon key organiser with a 3d-printed boot
https://imgur.com/a/tkbof5d
VividGanache2613@reddit
Been carrying one for 5/6 years on my keys, it’s only required for auth once in a while.
It’s not like the old RSA LCD doofers we had in the glory days.
JJHall_ID@reddit
I just keep mine on my keyring. When I need it, usually just the first few minutes of the day, and a few minutes after lunch, I pull them out of my pocket, authenticate, and put them back in my pocket. It's not a huge deal unless you have some security program that requires it to remain plugged in at all times.
JustAnEngineer2025@reddit
Lots of options and no single option will please everyone.
Put it on your key chain. Put it on your lanyard. Put it on your badge reel. Keep it in your work backpack. Press and record 1000 tokens and save them in a Notepad file.
The options are endless just like user gripes.
Bomb-Number20@reddit
There’s a clip inside my laptop bag that has a clip for keys. I know some staff who keep it on their badge lanyard.
Here4TekSupport@reddit (OP)
We do have badges, but the idea of telling people to keep their security key in the same place as their work badge just seemed sketchy to me.
statikuz@reddit
Why so? So they don't lose them both at the same time?
QuesoMeHungry@reddit
A lot of places issue yubikey nanos and they just keep them plugged in.
Unusual_Cattle_2198@reddit
Kinda defeats the purpose a bit
statikuz@reddit
But only the tiniest bit compared to the gain. Security <> convenience tradeoff and all of that.
attathomeguy@reddit
Do you use entry access badges at your offices?
kissmyash933@reddit
We use smartcards instead.
anonymouse589@reddit
I carry mine on my work key set, with a 3d printed flip cover to try to protect from damage of port clogging with rammed. Some others who have retractable ID tags (I wasn't issued one) have theirs on there, but it pulls when plugged in.
orev@reddit
The concept of security keys is doomed to fail for exactly this reason.
attathomeguy@reddit
oh yeah? You sure about that huh? Google requires all employees to use security keys and they and yubikey nano and they just stay plugged in so.....
Here4TekSupport@reddit (OP)
I just work here man
shikashika97@reddit
This is one place where the smartcard form factor is way better. People don't have as many qualms about carrying another card in their wallet. We tell people to put their YubiKeys on their lanyards/keyrings, but some people still hate that
QuasiTD@reddit
I have had yubikeys for a number of years, a personal and one for my work. I use the quick connects on my keychain, just make sure you get decent quality, I learned that the hard way when I had to buy myself a new yubikey because the quick connect became a quick disconnect.
Here4TekSupport@reddit (OP)
Thanks! We probably won't be able to justify spending the money to get every user one of them, but it would be nice to have something to link to in case they want to get it themselves or ask their manager to get one for them.
Fistofpaper@reddit
On their lanyard with a retractable clip is how I have deployed them in the past. We are constantly badge swiping for almost every doorway, so these are standard issue enough that we have boxes of them.
Japjer@reddit
Literally on a keychain. If you guys wear IDs: on the lanyard.
aCLTeng@reddit
A little overkill, but easy enough. Clip it to my bag.
jrwnetwork@reddit
When we did the RSA ones they got lost A LOT. Have spares on hand.