Federation Bot
@Federation_Bot · 2 months ago

@halcy practically, what happens if you *don't* unenroll it?
There's nothing on there to say who the last user was and there's no way to find out which sites it has been registered on. Even if an adversary did know those things, they'd presumably also need your username before it would be any use, right?

But, still, I say melt it into slag & turn it into art.

halcy​ :icosahedron:
@halcy@icosahedron.website replied · 2 months ago

@Edent I mean, besides that, security team might autodisable it from their side once the new one is active (I don't know if they do, but they might, or might at least prompt me if I want to), and failing that, it'll expire a year from now

I'll just wipe it, might keep it for personal use, 5.4 firmware key might have the potential for sidechannel private key leakage if you have physical access, but it feels safe enough for me outside of work prod access

Terence Eden
@Edent@mastodon.social replied · 2 months ago

@halcy can it be disabled remotely? I didn't realise that they expired.

I might have some sysadmining to do!

halcy​ :icosahedron:
@halcy@icosahedron.website replied · 2 months ago

@Edent no, just, as far as I understand, there are two things:

1) all the yubikey does is identify itself to a server using public key crypto (with a key that cannot leave the yubikey, by design, and requires a PIN and physical touch at time of identification), so if on the server the public key associated with the private key stored on the yubikey is disabled, then it can't be used to access anything, really
2) the certificates stored have (or can have? but mine all have. if optional, then presumably it is policy here that they do) expiry dates. Maybe that's also a "it's disabled after such and such time on the server side" thing, rather than part of what the yubikey itself does, no idea

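As an added illustration of the two mechanisms halcy describes (the server disabling the enrolled public key, and an expiry date on the enrollment), here is a small Go model that is not part of this thread and not the code of any real authenticator or server. A simulated token signs a server challenge with a private key that never leaves it; the server looks up its own record for that credential and rejects a disabled or expired enrollment before it even checks the signature. Ed25519 challenge-response, the Registry/Token/Credential names and the one-year expiry are assumptions standing in for the real FIDO/PIV flows being discussed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Credential is the server-side record for one enrolled token (a constructed
// model, not a real YubiKey or server data structure). Only the public key is
// stored here; the matching private key never leaves the token.
type Credential struct {
	PublicKey ed25519.PublicKey
	Enabled   bool      // cleared when an administrator "unenrolls" the key
	NotAfter  time.Time // expiry of the enrollment / certificate
}

// Registry maps credential IDs to their server-side records.
type Registry map[string]*Credential

var (
	ErrUnknown  = errors.New("unknown credential")
	ErrDisabled = errors.New("credential disabled on the server")
	ErrExpired  = errors.New("credential expired")
	ErrBadSig   = errors.New("signature does not verify")
)

// Enroll records a token's public key together with its expiry.
func (r Registry) Enroll(id string, pub ed25519.PublicKey, notAfter time.Time) {
	r[id] = &Credential{PublicKey: pub, Enabled: true, NotAfter: notAfter}
}

// Disable is the server-side unenroll: the token still works electrically,
// but no login that consults this registry will accept it any more.
func (r Registry) Disable(id string) {
	if c, ok := r[id]; ok {
		c.Enabled = false
	}
}

// NewChallenge returns a fresh random nonce for the token to sign, so a
// captured signature cannot simply be replayed at a later login.
func NewChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	return ch, nil
}

// Verify is the login check. Record status is checked before any cryptography:
// a disabled or expired enrollment is rejected even if the signature is valid.
func (r Registry) Verify(id string, challenge, sig []byte, now time.Time) error {
	c, ok := r[id]
	if !ok {
		return ErrUnknown
	}
	if !c.Enabled {
		return ErrDisabled
	}
	if now.After(c.NotAfter) {
		return ErrExpired
	}
	if !ed25519.Verify(c.PublicKey, challenge, sig) {
		return ErrBadSig
	}
	return nil
}

// Token simulates the hardware key: the private key stays inside, and the only
// operation exposed is signing a challenge (a real token also wants PIN + touch).
type Token struct {
	priv ed25519.PrivateKey
}

// NewToken generates a key pair and returns the token plus the public half that
// is handed to the server at enrollment.
func NewToken() (*Token, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Token{priv: priv}, pub, nil
}

// Sign answers a server challenge with the token's private key.
func (t *Token) Sign(challenge []byte) []byte {
	return ed25519.Sign(t.priv, challenge)
}

func main() {
	tok, pub, err := NewToken()
	if err != nil {
		panic(err)
	}
	reg := Registry{}
	now := time.Now()
	reg.Enroll("key-1", pub, now.AddDate(1, 0, 0)) // one-year expiry (assumed)
	ch, err := NewChallenge()
	if err != nil {
		panic(err)
	}
	sig := tok.Sign(ch)
	fmt.Println("fresh enrollment:", reg.Verify("key-1", ch, sig, now))
	fmt.Println("a year and a day later:", reg.Verify("key-1", ch, sig, now.AddDate(1, 0, 1)))
	reg.Disable("key-1")
	fmt.Println("after server-side disable:", reg.Verify("key-1", ch, sig, now))
}
```

The ordering in Verify is the point: once the record is flagged disabled or has passed NotAfter, the token's signature is never consulted, which is why a lost key that has been unenrolled (or has aged out) buys an attacker nothing at that server, and why a different token signing the same challenge fails the signature check under the original record.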

bonfire.cafe

A space for Bonfire maintainers and contributors to communicate
