[bhuga]

In that case, I might prefer an authenticator to a keyfob that requires insertion too. The yubikey is slightly more secure since it's actually signing a message from the server rather than sending a password that can be (briefly) intercepted and replayed. But it's probably not 'better enough' to encourage someone not to use 2FA at all if U2F isn't convenient.

If user security has taught us anything in the last 20 years, it's that security features have to be convenient or may as well not exist. I think we'll be seeing a lot more 2FA options in the next few years. In this segment, user choice is a huge improvement in and of itself. I've also been testing Duo push for some internal stuff, which is a phone-based experience that's as smooth as silk. To each their own!