Yeah, YubiKeys are great.

I have been using mine for about a year now and I also use a YubiKey PAM module to log in into my Ubuntu workstation.

If you search google a bit I am pretty sure you will find a discount code to get it even cheaper :)

I got mine for free from a user of my software who wanted me to add support :)

In fact I finished that just this week, I'm considering using it full-time for some of my machines now.

The nice thing as far as I'm concerned is that unlike some other similar devices, all the specs for the OTP generation and all the software components are open-source.

The price point was right for me; I just ordered one. They mention a coupon on their site for the "VIP" token: http://www.yubico.com/january-2011-newsletter It looks like the VIP version is exactly the same as the regular, but it comes with a Symantec identity that can be removed.

Now to get two-factor auth working on my boxes... It seems there is a Python PAM module: https://github.com/Kami/advanced-yubico-pam-module

What if you lose your YubiKey?

You need to have a recovery process similar to if you lose your phone.

You can actually achieve the same with any USB thumbdrive: http://pamusb.org/

If someone "borrows" your thumb drive they could extract the secrets and return it without you knowing, but AFAIK secrets cannot be extracted from a real token such as a Yubikey.

It doesn't just work by reading a passkey.

From the webpage:

* Non-intrusive. pam_usb doesn’t require any modifications of the USB storage device to work (no additional partitions required).

* USB Serial number, model and vendor verification.

So is it only for local console authentication? There's no way to read that stuff remotely.

Come on mate, just use a bit of imagination. You use the pam_usb module to login locally and an encrypted passkey stored on the same usb thumbdrive for remote SSH connections.

$20/seat.

$20 per physical token; Not an annual 'seat' thing.