YubiKeys for admins
GPLS is excited to offer your teams YubiKeys. These physical security keys are scalable phishing-resistant authenticators meant to protect accounts and make logging into personal accounts easier than ever.
Here are some common questions you may have concerning the YubiKeys. Be sure to share the YubiKey User Guide page with your employees for information covering what the YubiKey is, what it is used for, and why they should use it. It also includes step-by-step instructions on how to set up and use the YubiKey with Google accounts.
Check out Yubico's website to learn more about YubiKeys and read more about their technologies and products, including instructions for setup and use.
Implementing YubiKeys
Google allows users to set up a security key for their account on their own, or for a Google admin to set it up for them. Therefore, you can either provide the keys to staff with instructions on how to set them up for their accounts or set the keys up from the admin side and then provide them to staff. You can also use a combination of both methods - just make sure to carefully track that all applicable staff get covered and no one slips through the cracks.
If you are going to set up a key yourself, you should be physically in the same place as the person whose key you are setting up, since they will need it to access their account as soon as you enable it. Depending on how your library system works, you could make scheduled visits to different locations to set up keys for all staff at each location at once, or you could arrange appointments for staff to come to you over a period of time.
If you are going to provide any keys to staff to set up on their own, you should communicate a deadline by which they need to have the key enabled. From the admin side, you can see on an account whether or not a security key has been set up, so all you need to do is check back at the deadline and follow up individually with any staff who have not yet set up their keys.
What if a staff member loses their YubiKey?
In addition to adding security keys to an account, Google admins are also able to remove security keys for users. Therefore, if a key was reported lost, you could disable that key, set up a new key for the account, and provide that key to the user. If the user needed to access the account more quickly than a new physical key could be provided, you could also generate a one-time verification code for the account and provide that to the user.
Users can also set up other methods of authentication as a backup, such as receiving a code via text message. In this case, if a user were to lose their key, they would be able to get back into their account on their own.
Can YubiKeys be used for other services besides Google accounts?
Yes, you are able to use the same key as an authenticator for multiple services. However, support for security keys as a two-factor authentication option varies by service/program and may depend on its security settings.
Services that currently support YubiKeys include, but are not limited to: Google Accounts, Microsoft, Duo Security, LastPass, Instagram, Facebook, Twitter, Apple Cloud, Yahoo, YouTube, ID.me, Reddit, Twitch, Epic Games, Nintendo, Electronic Arts (EA), Microsoft Edge Browser, Dropbox, Kickstarter, Blogger, AOL, Login.gov, GoDaddy, Shopify, Opera, GitLab, GitHub, FineFriends, Binance, Keeper Unlimited & Family, and Linux.
Addressing Potential Staff Concerns
Some staff members may have concerns about the potential time/hassle associated with this additional log-in step, worry about the consequences if they misplace their key, or simply feel like their account isn’t at any risk or doesn’t have anything worth protecting. Setting up their security key with them in person, including a demonstration of how quick it is to use, can help; at the same time, you can also go over the process of dealing with a lost key to show that (while not ideal) it’s not the end of the world either. Sharing some news stories about the consequences and prevalence of account takeover, as well as stats about how effective security keys are at preventing it, is a good way to make the corresponding point of how much additional security this provides at minimal cost.