The Yubikey authentication mechanism we were trialling on on our beta server has now been released to production.
There's been a few small changes since we first rolled it out on beta.
- After feedback from Yubico, we've made a few extra internal security
improvements. In two-factor mode, the Yubikey one-time value is
checked before the password, so a one-time value can't be reused
with the wrong password
- On the login screen, you can click the "+ More" link to display the
Yubikey login box. Currently the password box will continue to work
if you put the Yubikey one-time value in there, but we recommend
using the specific Yubikey login box, because the browser won't
prompt you to save the one-time value as a password, which obviously
won't work a second time
We've also added some help documentation about Yubikey so people can learn about how it works and how to get one.