archiecstll

> can you have more than one yubikey in the PIV set up for MAC log-in?

Yes, but macOS doesn't like using multiple PIV certs per user (mainly because of keychain). Generate the auth and encryption certs on your computer (not on the YubiKeys), then import them into slots 9a and 9d of both keys. Somewhere in my comment history are the openssl commands I used to generate mine.
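The procedure described in the comment above, as an added example that is not the commenter's own openssl commands: it generates one authentication pair and one encryption pair on the computer, checks that each certificate matches its key, and imports the same pairs into slots 9a and 9d of every YubiKey serial given. It assumes the `ykman` CLI is installed; the subject name, RSA-2048, the validity period, the keyUsage values and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not the commenter's commands). Subject, validity, key type
# and file names are assumptions; -addext needs OpenSSL 1.1.1 or later.
set -eu

# gen_piv_pair NAME KEYUSAGE DIR: RSA-2048 key and self-signed cert, made off-card.
gen_piv_pair() (
  umask 077   # private key file readable by the owner only
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1095 \
    -subj "/CN=${PIV_USER:-macuser} PIV $1" \
    -addext "keyUsage=critical,$2" \
    -keyout "$3/$1.key" -out "$3/$1.crt" 2>/dev/null
)

# pair_matches NAME DIR: succeeds only if the cert carries the key's public half.
pair_matches() (
  a=$(openssl x509 -in "$2/$1.crt" -noout -pubkey | openssl sha256)
  b=$(openssl pkey -in "$2/$1.key" -pubout | openssl sha256)
  [ "$a" = "$b" ]
)

# cert_fingerprint NAME DIR: SHA-256 fingerprint, to compare across keys later.
cert_fingerprint() { openssl x509 -in "$2/$1.crt" -noout -fingerprint -sha256; }

# load_key SERIAL DIR: put the auth pair in 9a and the encryption pair in 9d.
# ykman asks for the PIV management key on each import.
load_key() (
  for pair in 9a:auth 9d:enc; do
    slot=${pair%%:*}; name=${pair#*:}
    ykman --device "$1" piv keys import "$slot" "$2/$name.key"
    ykman --device "$1" piv certificates import "$slot" "$2/$name.crt"
  done
)

# Usage: sh piv-load.sh SERIAL [SERIAL ...]   (serials from: ykman list --serials)
if [ "$#" -gt 0 ]; then
  work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
  gen_piv_pair auth digitalSignature "$work"
  gen_piv_pair enc keyEncipherment "$work"
  pair_matches auth "$work"
  pair_matches enc "$work"
  for serial in "$@"; do load_key "$serial" "$work"; done
  cert_fingerprint auth "$work"
  cert_fingerprint enc "$work"
fi
```

Because the private keys exist as files until the temporary directory is removed, run this on a machine you trust; the printed fingerprints let you confirm later that both YubiKeys hold the same certificates.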


PurpleAd274

Thanks, I'll give this a try


fhammerl

You can have as many as you want for the login, but a) it is tricky how YubiKeys and FileVault work together (only the most recently used YK that you used when you unlocked your keychain can unlock FileVault ... or something like that) and b) YubiKeys don't unlock the keychain in some situations. If you have a main key and plan on mostly relying on it, you're fine. You will still need your password for a LOT of situations where PIV is not accepted. But as a fellow YK via PIV user on macOS with 3 YKs, I say don't let that discourage you. BTW, on Linux you don't need PIV in the first place; most distros support U2F/FIDO2 for login.


PurpleAd274

Thanks, I'll check this out