I just think allowing multiple Yubikeys on a single account goes against the security that a Yubikey provides, and as you pointed out, even if this was added, how many is enough? 2? 3? 5? Whatever limit they set isn't going to be enough for someone.

There should always be a backup administrative account to everything and yes it should be secured as well. This actually provides you with redundancy in access, but having two Yubikeys on a single account does not. An account can become corrupted or broken, or a poorly designed policy or setting can lock you out (O365 actually warns you about this when making Conditional Access changes) etc.

I walked into a really bad AD environment once where the Administrator account was corrupted somehow and you couldn't log in. With some discovery, we determined an old employee (CFO) had made himself a domain admin and they were able to reach out to him, AND he remembered his password, and we were able to at least get things sort of functional again (before starting over from scratch).

Most products with 2FA have some form of recovery built in also, like a PIN code that should be secured. I don't want to hijack this thread any more.