For those looking to switch over to hardware keys for MFA, what are your biggest blockers and challenges?

Voice and Data Infrastructure Specialist in IT Services, 3 years ago

Users integration

IT Manager in Education, 3 years ago

Cost to purchase, cost of replacement.

Cyber security analyst in Energy and Utilities, 3 years ago

Below could be potential challenges that an organization may face when switching to hardware keys for multi-factor authentication:

Cost: Hardware keys can be expensive, especially if an organization needs to purchase them for a large number of users.

User adoption: Some users may be resistant to using hardware keys, especially if they are not familiar with them or if they find them inconvenient to use.

Management and deployment: Organizations will need to manage and distribute hardware keys to users, which can be a logistical challenge for a large enterprise.

Replacement: If a hardware key is lost or damaged, it will need to be replaced, which can be time-consuming and costly.

Overall, the decision to switch to hardware keys for MFA should be carefully evaluated, considering the costs and benefits, as well as the specific needs and capabilities of the organization.

CTO for Digital & IT in Healthcare and Biotech, 3 years ago

We just did a fairly big roll out of Yubikeys for truck 
. It was way easier than it used to be with RSA tokens (the ones with the little screens that show a rotating code) which were a logistical nightmare. However, we did run into a bunch of unexpected issues due to the fact that support for WebAuthn/FIDO2 is still not as widespread as we would like, and the rationale for this or that combination of features working or not working on a given platform is not entirely clear. This applies particularly to mobile support, where we had to tweak quite a few options, and degrade our UX to some extent, to make it work.
Another gotcha that I was somewhat surprised at is that none of the major cloud providers' CIAM components (AWS Cognito, Azure AD B2C...) come with built-in support for FIDO2 keys and WebAuthn in general, so you end up having to roll your own and call into it through an API. I would rather not have to improvise those kinds of things...
