Hacker News
by 32032141 2607 days ago
I personally don't see the point in them at all; in implementation and reality you get basically zero use out of the things.

Services that support them either have them locked down so hard that if you lose a single Yubikey (there's often no backup second key option), you're very screwed. Others go the other option, and have too-easy-to-reset systems, SMS fallbacks, or other total bypasses of the security tokens.

For SSH and GPG, authentication keys are generally the least of your concern. The content you're controlling is much more valuable than the authentication itself. Can an attacker just wait until you SSH somewhere, and leverage that access? Can they wait until you'd press the button for another benign purpose and use that authentication in a malicious way? The answer is almost always yes, which reduces the value of these sorts of devices substantially. They don't protect against local compromise, in which case a keyfile sitting on your local host is just as secure and a lot more convenient.

4 comments

Well, their main use is to mitigate remote compromise. But I suppose if for some reason someone compromises a private key remotely (???), they don't have your physical 2nd key to complete auth. Or if you want encryption at rest with something stronger than a passphrase. For weird cases like "disk backup was compromised" it also helps, because most people don't encrypt backups at the client. But in general, actual protection seems vanishingly small past remote attacks.

So I think in general private keys aren't improved with a token, since a compromised private key is supposed to be a local compromise.

I don't really see a situation in which someone has local file read access on your machine, but doesn't otherwise have you completely owned.

A regular keylogger will no longer work with a hardware token, for example. Yes, having your PC compromised is bad, but it would be even worse if the keys can be stolen and used elsewhere. It just raises the bar significantly for getting persistent access (re-establishment without the token is really hard), in my opinion.

I think they can be pretty beneficial in corporate environments where you can exert some control over the IDP and turning it on/off isn't super difficult (like visiting a physical help desk).

In addition, these places tend to have less technical users, and "plug it in and press during login" isn't terribly difficult.

I genuinely don't understand downvoting a series of very realistic comments about what using a Yubikey is actually achieving in these situations.

I agree, I bought a Yubikey ages ago and have tried to set it up for SSH, Windows auth and various online services, but I find it either just doesn't work, or works poorly enough that I don't use it and rely on classic TOTP instead.