Yubikey - Only one security key? Surely that is a mistake or misunderstanding on my end

baby_smoothie
Contributor

I have had yubikeys for a while. Not sure if PP always accepted them and I just didn't know, or if I just found out. Either way I was really happy, as a massive amount of my financial transactions go through PP and I would like to make it as sure as possible. And only allowing 20 character passwords (seriously? wtf PP come on) really rubbed me the wrong way when I changed passwords recently. 

 

Anyway, as I was setting up my security key I realized I wasn't seeing an option to register a second key (or third, fourth, etc.). I shouldn't have to explain why this is problematic. You have a single point of failure. Everyone I know that uses YubiKeys has at least 2, if not more. I use 3 myself.

Especially when you consider that 2 of Yubikey's products are 'nano' keys. AKA, semi-permanent USB keys that are tiny and create a little 'button' that you can always press when you need your security key. There are some things they are not good at though. Such as being removed from the device they are plugged into. So say you have a Yubikey Nano in your desktop, laptop, and a mobile key for your keychain that has NFC. Well... if you set up your security key to use the Nano in your desktop (which would be reasonable, to be using your desktop by default at home) - then... I guess you just can't use PayPal anywhere but that device. Cool. I can already hear some people saying 'Well use your portable Yubikey, that way you can use it on any device you need!'. Yeah, that's nice and all. Except it's also the key that has a 10-20x higher chance of getting lost than the other two keys. Leading to **bleep** that I really don't want to deal with.

 

Hopefully I just missed a setting somewhere. If I didn't, then seriously PP, wtf? Between this and the 20 max character passwords - it's like you're trying to implement policies that actively harm our security. On a platform for many that is the most important save maybe their email. It's flat out unacceptable. 
