This seems less convenient to me than 2FA using Google authenticator. I always have my phone with me. I don't want to bother bringing a USB key between home and work.
The user experience is also better with U2F than previous 2FA systems. When GitHub prompts you for U2F, you press the yubikey and are instantly logged in. No typing random numbers within n seconds, no fake keyboard.
YMMV of course, but if you've tried U2F, it feels incredibly slick.
I think the issue is that I have a laptop at home and iMac at work so I don't bring my computer on my commute. Also, I like the extra security of the fingerprint scanner on my iPhone.
Your iPhone is completely covered with your fingerprints. Also, if your phone gets hacked/compromised the attacker could steal the secret used to generate your TOTPs. This is not possible with the Yubikey, it is absolutely impossible to extract the private key.
I have a Yubikey on my keychain (it can easily withstand this), and it takes very little effort to plug it into the USB port when I require it. Less than it would be to take my phone out.
As a side-note, some time ago the Yubikey had a vulnerability with its GPG module so they shipped out new ones for free. I now have the old key (with no GPG keys loaded on it) permanently plugged into my USB hub at my desktop. It is amazingly convenient.
It's probably a lot easier to steal your keys than it is to dust his phone for fingerprints and go through all the trouble of then faking the print on the sensor.
Heck, all someone needs to do is grab the one permanently plugged into your USB hub on your work desktop after you've left for the day.
It's my desktop in my home. If someone breaks in (or steals the other yubikey from my keychain, and thus has the keys to my home) I have bigger issues. And they still won't know my password.
In that case, I might prefer an authenticator to a keyfob that requires insertion too. The yubikey is slightly more secure since it's actually signing a message from the server rather than sending a password that can be (briefly) intercepted and replayed. But it's probably not 'better enough' to encourage someone not to use 2FA at all if U2F isn't convenient.
If user security has taught us anything in the last 20 years, it's that security features have to be convenient or may as well not exist. I think we'll be seeing a lot more 2FA options in the next few years. In this segment, user choice is a huge improvement in and of itself. I've also been testing Duo push for some internal stuff, which is a phone-based experience that's as smooth as silk. To each their own!
OTP-based 2FA is susceptible to phishing and MITM attacks. U2F is phish-proof and makes MITM more difficult.
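The two comments above (the one about the key signing a server message rather than sending a replayable code, and the one about OTP being phishable while U2F is not) describe a property that is easy to see in code. The block below is an added example, not code from the thread or from Yubico: it generates RFC 6238 TOTP codes with the standard library, then simulates a U2F-style challenge/response where the browser fills in the origin it is actually on. Real U2F uses a per-site ECDSA key pair and the server holds only the public key; here an HMAC key stands in for that pair so the whole thing runs offline. The origins, secrets and challenge are constructed test values.

```python
"""Added example (not from the thread): why a TOTP code can be relayed by a
phishing page while a U2F-style assertion cannot.  Real U2F uses ECDSA key
pairs; HMAC stands in here so the example runs with the standard library.
All secrets, origins and challenges below are constructed test values."""
import hashlib
import hmac
import json
import struct


# ---- TOTP (RFC 6238, HMAC-SHA1) -------------------------------------------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Return the time-based one-time code for the given Unix time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_accepts_totp(secret: bytes, code: str, unix_time: int) -> bool:
    """Typical server check: accept the current step or its neighbours.
    Nothing ties the code to the page the user typed it into."""
    return any(hmac.compare_digest(code, totp(secret, unix_time + d))
               for d in (-30, 0, 30))


# ---- U2F-style challenge/response ----------------------------------------
class Authenticator:
    """Stand-in for the token.  A real key derives a per-site ECDSA key pair
    from its device secret and the app id; here the derived key is an HMAC key
    (hypothetical simplification, not the actual Yubikey scheme)."""

    def __init__(self, device_secret: bytes):
        self._device_secret = device_secret
        self.counter = 0

    def _site_key(self, app_id: str) -> bytes:
        return hmac.new(self._device_secret, app_id.encode(), hashlib.sha256).digest()

    def register(self, app_id: str) -> bytes:
        # Stand-in for handing back a public key: the server stores the site key.
        return self._site_key(app_id)

    def sign(self, app_id: str, client_data: bytes):
        """Sign sha256(app_id) || counter || sha256(client_data)."""
        self.counter += 1
        signed = (hashlib.sha256(app_id.encode()).digest()
                  + struct.pack(">I", self.counter)
                  + hashlib.sha256(client_data).digest())
        return self.counter, hmac.new(self._site_key(app_id), signed, hashlib.sha256).digest()


def browser_client_data(challenge: str, page_origin: str) -> bytes:
    """The browser, not the page's script, records the origin it is on."""
    return json.dumps({"challenge": challenge, "origin": page_origin}, sort_keys=True).encode()


def server_verifies_u2f(stored_key: bytes, app_id: str, challenge: str,
                        client_data: bytes, counter: int, signature: bytes) -> bool:
    data = json.loads(client_data)
    # 1. the browser-reported origin and the challenge must be the server's own
    if data.get("origin") != app_id or data.get("challenge") != challenge:
        return False
    # 2. the signature must verify under the key registered for this site
    expected_signed = (hashlib.sha256(app_id.encode()).digest()
                       + struct.pack(">I", counter)
                       + hashlib.sha256(client_data).digest())
    expected = hmac.new(stored_key, expected_signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


# ---- scenarios (constructed values) ---------------------------------------
REAL = "https://example.com"     # the legitimate site
PHISH = "https://examp1e.com"    # a look-alike page relaying to the real site


def totp_relay_scenario() -> bool:
    """User types the code into the look-alike page; it is relayed 5 s later."""
    secret = b"12345678901234567890"
    now = 1_700_000_000
    code_typed_on_phish_page = totp(secret, now)
    return server_accepts_totp(secret, code_typed_on_phish_page, now + 5)


def u2f_relay_scenario(page_origin: str) -> bool:
    """Browser on page_origin relays the real server's challenge to the token."""
    token = Authenticator(b"constructed-device-secret")
    stored = token.register(REAL)
    challenge = "c2FtcGxlLWNoYWxsZW5nZQ"
    client_data = browser_client_data(challenge, page_origin)
    counter, sig = token.sign(page_origin, client_data)
    return server_verifies_u2f(stored, REAL, challenge, client_data, counter, sig)


if __name__ == "__main__":
    print("TOTP relayed by phishing page accepted:", totp_relay_scenario())
    print("U2F from real origin accepted:", u2f_relay_scenario(REAL))
    print("U2F relayed from phishing origin accepted:", u2f_relay_scenario(PHISH))
```

The relayed TOTP is accepted because the code is valid for anyone who presents it within the step window; the relayed U2F assertion fails twice over, since the browser puts the look-alike origin into the client data and the token derives a different per-site key for it, so neither the origin check nor the signature check passes.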
For computers you frequently use, you can get multiple keys and leave them in the port (Yubico makes a small one that stays in the port and only sticks out enough for you to be able to touch it, but it's a bit pricey).
I've used a YubiKey for 2FA for a year or so now. It just sits in my USB port and it feels too convenient - steal my laptop and you get my key. At least my phone has a PIN.
Mine is on my keychain, plus you need my username, password and yubikey to authenticate, so if someone steals my laptop (oh noes!) they still have hurdles to jump.
U2F is protection against someone phishing/stealing your credentials online. Your password is your protection against someone stealing your laptop. The likelihood that a person who steals your laptop also managed to phish/steal your credentials is minute.
For me that key is the emergency key. I have it on my keychain. I use Google Authenticator normally. I don't yet have a U2F key always inserted in the computer in my home but I think it would be convenient. I have a regular Yubikey inserted in the USB slot in my monitor to unlock Password Safe with a 25 char password. I don't think I would like it permanently inserted on a device I carry outside of my home.
Most of the USB keys are in a form factor that fits well on an existing key ring. If you are like most people, you presumably also already have a pile of keys connected to a key ring on you at all times.
You don't have to unlock your phone device and launch the appropriate app, you just need to plug into an open USB slot on the machine you are using.
This is actually more convenient sometimes. I already have one of these FOBs permanently attached to my computer. It's a tiny piece that fits into USB and only protrudes a couple of millimeters. Since I have this always connected all I have to do is touch it and I'm in. Takes me less than one second while taking my phone, opening the app and typing the code by hand takes 10-20 seconds.
The downside is that it takes a USB port, which is one of the reasons I hated this year's MacBook so much.
Dumb question... what does the yubikey then do that a normal computer can't do? If you keep it plugged in, what security benefit does it have over storing (strong) passwords?
One thing to consider is the possibility of your phone itself being compromised (stagefright et al.). Note how Duo issued a security advisory to limit access for Android devices [1].
A fully isolated component like a Yubikey has a smaller attack surface area for these kinds of things (easier to audit smaller code, no sustained Internet or cellular connectivity).