Nice job on authentication. A question arises for me, though. I can understand the cost of Yubikey and email authentication falls to the user. But how much do you estimate the SMS will cost you as a fixed cost? Back-of-the-envelope calculation would say that the cost shouldn't be onerous, but I don't know how frequently your userbase logs in anew. Have you arranged a bundle or do you pay per message still? Pardon the questions and feel free to ignore them if I am prying. Thanks.

I found the part about yubikey to be the most interesting. I was not previously aware of it. What a fantastic alternative to the standard RSA LCD display key. The implementation as a keyboard is pure genius.

Random thing not mentioned in the blog post: If you use the dvorak layout, you don't need to change to qwerty before hitting the button on your yubikey. It gets automatically parsed and converted.

I went to their store, and it appears to be an USB stick (yeah like I have a spare USB port), so I don't get your comment - why _wouldn't_ it work the same way all other programs do?

Because it works by emulating an USB keyboard and keystrokes (which is pretty ingenious idea imo).

"The Key generates and sends unique time-variant authentication codes by emulating keystrokes through the standard keyboard interface. "

The yubikey pretends to be a USB keyboard to input the auth token, so if you have the keyboard re-mapped in software it will mess up the auth token.