On Mon, Mar 23, 2020 at 19:25 Owen DeLong <owen@delong.com> wrote:

> I confess I haven’t investigated the implementation details, but is it possible for one to issue YubiKeys
> to an employee in a secure way with those features disabled?

Yes. And changing that setup either requires a separate admin pin or wiping the associated private key data to reconfigure. It depends on which application/mode. FIDO I believe is most inflexible here as it can only be short touch to activate. 

I don’t use the HID keyboard mode OTP keying app/feature so I’m not terribly familiar with that. It might be that it can be configured/limited such that N in X seconds or a replug is required (to circumvent the timer), but I really do not know. If people are really curious I can grab a spare key and check. I use the CCID/smart card type modes. I do know that the touch OTP key feature requires wiping the associated private key data, or having it available to reprogram and change options. They’re a shared secret mode, so the YubiKey authentication server has those private keys.

> It’s the allowing the employee to make a poor choice not necessarily desired by the employer thing
> that seems to me is the issue in this case.

>>> I agree that this abuse of the YubiKey is more an issue of implementation than the inherent nature of the
>>> YubiKey, but the YubiKey does allow this kind of abuse in ways that other tokens don’t facilitate.

>> That's like saying that cars are worse than bicycles, because cars
>> allow you to drive into things at a more dangerous speed. I mean, yes,
>> but ...

> Cars are more dangerous than bicycles, but everything is a matter of balancing tradeoffs.
>
> In this case, I’m not sure the YubiKey offers anything over the SecurID to balance that increased
> hazard.
>
> Owen


--

"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler
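The thread mentions that the touch OTP mode is a shared-secret scheme, so the validation server holds the key's private material and does the checking. The example below (added here; it is not code from the thread, from Yubico, or from any of the list members) shows what that server-side checking looks like once the typed OTP has been split and the 16-byte block decrypted: modhex decoding of the typed characters, the CRC-16 residue check, the private-ID match, and the counter comparison that rejects a replayed OTP. AES-128 decryption is assumed to have already happened (the block constructs the decrypted plaintext directly rather than decrypting); `KeyRecord`, `build_token` and `validate` are names chosen for this example, and the token bytes and IDs are constructed sample values.

```python
import hmac
import struct

# Modhex is the keyboard-layout-independent alphabet a YubiKey "types" in HID
# OTP mode: each character encodes one nibble, in this fixed order.
MODHEX_ALPHABET = "cbdefghijklnrtuv"

# A correctly formed 16-byte token leaves this CRC-16 residue (Yubico's
# documented check value, the same as PPP's "good FCS") when the CRC is run
# over all 16 bytes including the stored CRC field.
CRC_OK_RESIDUE = 0xF0B8


def modhex_decode(text: str) -> bytes:
    """Turn modhex text into bytes; raises ValueError on a non-modhex character."""
    if len(text) % 2:
        raise ValueError("modhex strings have an even length")
    nibbles = [MODHEX_ALPHABET.index(c) for c in text]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def modhex_encode(data: bytes) -> str:
    """Inverse of modhex_decode."""
    return "".join(MODHEX_ALPHABET[b >> 4] + MODHEX_ALPHABET[b & 0xF] for b in data)


def crc16(data: bytes) -> int:
    """CRC-16 as used by Yubico OTP: reflected polynomial 0x8408, init 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc


def split_otp(otp: str) -> tuple:
    """A typed OTP is 12 modhex chars of public ID followed by 32 chars of AES-128 ciphertext."""
    if len(otp) != 44:
        raise ValueError("a Yubico OTP is 44 modhex characters")
    return modhex_decode(otp[:12]), modhex_decode(otp[12:])


def build_token(private_id: bytes, counter: int, use: int, timestamp: int = 0, rnd: int = 0) -> bytes:
    """Constructed plaintext block in the Yubico layout, i.e. what AES decryption would yield.

    Layout: uid[6] | session counter LE16 | timestamp LE16 + high byte | session use | random LE16 | CRC LE16.
    The stored CRC is the bitwise inverse of the CRC over the first 14 bytes.
    """
    body = private_id + struct.pack("<HHBBH", counter, timestamp & 0xFFFF,
                                    (timestamp >> 16) & 0xFF, use, rnd)
    crc = (~crc16(body)) & 0xFFFF
    return body + struct.pack("<H", crc)


class KeyRecord:
    """Server-side state for one key: its private ID and the highest counters accepted so far."""

    def __init__(self, private_id: bytes):
        self.private_id = private_id
        self.last_counter = -1
        self.last_use = -1


def validate(plaintext: bytes, record: KeyRecord) -> str:
    """The checks a validation server runs on the decrypted block; returns a status string."""
    if len(plaintext) != 16:
        return "BAD_LENGTH"
    if crc16(plaintext) != CRC_OK_RESIDUE:
        return "BAD_CRC"          # wrong AES key, corrupted or forged token
    uid = plaintext[:6]
    counter, _ts_lo, _ts_hi, use, _rnd, _crc = struct.unpack("<HHBBHH", plaintext[6:])
    counter &= 0x7FFF             # top bit of the counter field is a flag, not part of the count
    if not hmac.compare_digest(uid, record.private_id):
        return "BAD_UID"          # decrypts cleanly but was not produced for this key's secret
    if (counter, use) <= (record.last_counter, record.last_use):
        return "REPLAYED"         # counters only move forward; an already-seen OTP is rejected
    record.last_counter, record.last_use = counter, use
    return "OK"


if __name__ == "__main__":
    rec = KeyRecord(b"\x01\x02\x03\x04\x05\x06")       # constructed private ID
    first = build_token(rec.private_id, counter=5, use=0)
    print(validate(first, rec), validate(first, rec))  # OK REPLAYED
```

The counter pair (session counter, session use) is what makes a captured OTP worthless after the server has seen it once, which is why the server, not the key, is the place where replay protection actually lives.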