The Yubikey authentication mechanism we were trialling on on our beta server has now been released to production.

There's been a few small changes since we first rolled it out on beta.

  1. After feedback from Yubico, we've made a few extra internal security
    improvements. In two-factor mode, the Yubikey one-time value is
    checked before the password, so a one-time value can't be reused
    with the wrong password
  2. On the login screen, you can click the "+ More" link to display the
    Yubikey login box. Currently the password box will continue to work
    if you put the Yubikey one-time value in there, but we recommend
    using the specific Yubikey login box, because the browser won't
    prompt you to save the one-time value as a password, which obviously
    won't work a second time

We've also added some help documentation about Yubikey so people can learn about how it works and how to get one.