The Yubikey authentication mechanism we were trialling on our beta server has now been released to production.
There have been a few small changes since we first rolled it out on beta:
- After feedback from Yubico, we’ve made a few extra internal security improvements. In two-factor mode, the Yubikey one-time value is checked before the password, so a one-time value that was entered with the wrong password can’t be reused.
- On the login screen, you can click the “+ More” link to display the Yubikey login box. Currently the password box will continue to work if you put the Yubikey one-time value in there, but we recommend using the specific Yubikey login box, because the browser won’t prompt you to save the one-time value as a password, which obviously won’t work a second time.
We’ve also added some help documentation about Yubikey so people can learn about how it works and how to get one.
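
The check order described for two-factor mode above can be illustrated with a small sketch. This is an added example, not our production code: the counter-plus-HMAC one-time value is a toy stand-in for the real Yubikey format, and `Account`, `make_otp`, `login_otp_first` and `login_password_first` are hypothetical names.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"    # constructed sample key, not a real Yubikey secret

def make_otp(counter: int) -> str:
    """Toy one-time value: counter plus HMAC tag (stand-in, not the Yubico format)."""
    tag = hmac.new(SECRET, str(counter).encode(), hashlib.sha256).hexdigest()[:16]
    return f"{counter}:{tag}"

class Account:
    def __init__(self, password: str):
        self.salt = b"constructed-salt"
        self.pw_hash = self._hash(password)
        self.last_counter = 0          # highest one-time counter already consumed

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 10_000)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, self._hash(password))

    def consume_otp(self, otp: str) -> bool:
        """Accept a one-time value once; a valid value is spent as soon as it is seen."""
        try:
            counter_s, _tag = otp.split(":")
            counter = int(counter_s)
        except ValueError:
            return False               # malformed value
        if not hmac.compare_digest(make_otp(counter).encode(), otp.encode()):
            return False               # tag does not match
        if counter <= self.last_counter:
            return False               # already used: replay
        self.last_counter = counter
        return True

def login_otp_first(acct: Account, password: str, otp: str) -> bool:
    """Order from the post: one-time value first, then password."""
    otp_ok = acct.consume_otp(otp)     # always runs, so the value is spent either way
    pw_ok = acct.check_password(password)
    return otp_ok and pw_ok

def login_password_first(acct: Account, password: str, otp: str) -> bool:
    """Contrast case: a wrong password returns before the one-time value is spent."""
    if not acct.check_password(password):
        return False
    return acct.consume_otp(otp)
```

With the password-first order, a one-time value sent alongside a wrong password stays valid for a later attempt; with the one-time value checked first, it is already spent.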