Yubikey cross-service security?

[No_2]

Some websites - e.g. MTGOX - only issues Yubikeys from themselves which are locked to one account only. They state this is done for security purposes as if a Yubikey is used on multiple accounts with different providers one of the providers can use your code to log into another account with another provider.

I am therefore wondering if it is best practice to have one key per provider or if it is ok to use one Yubikey with multiple different accounts and providers.

Can anyone clarify why this is?

[1715172240]

1715172240

[montdidier]

They are correct in their assertion, presuming an untrust worthy service provider. If I were them I would not allow my security to rely on the skill or goodwill of others.

It would be best practice. Especially if you are effectively only using it as a password i.e. single factor authentication.

The danger is that a site you are logging in to will reuse your login details to access another site you might also use. Effectively your classic man in the middle attack.