How to Get Around a Google Hardware Security Key Bug

Attempting to allow users to use Hardware Security Keys without enabling Passwordless (skipping passwords)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: Google Security | Cloud Governance | DNS Security

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I’ve written about a Google Hardware Security Key bug at the moment that is preventing me from using a hardware security key to log into my accounts without enabling passswordless. I also wrote about why I do not want to use the passwordless option — you can’t rotate your face. There’s also too much biometric information out there already getting stolen.

The number associated with a hardware security key is not the best kind of second factor. It’s short with a limited number of characters to guess in a brute force attack. Also, the number and the key are related rather than having two completely separate MFA factors.

So I want to use a hardware security key but when I logged into my accounts, even though I had set up a Yubikey on them, I was not getting the option to use my Yubikey as my second factor — I presume because Passwordless is not enabled…