by jen729w 2565 days ago
Not unless your attacker has physical access to the machine. You still have to touch the device to activate it each time.

This still mitigates the most common MITM-type attacks:

1. Attacker instigates login via fake portal.

2. Attacker fools you into entering your 6-digit OTP.

3. Attacker intercepts your valid OTP, combines it with your stolen password, and logs in to the real site.

This doesn’t work with a YubiKey or the equivalent because of the back-and-forward cryptographic signing. The request has to come from the website you’re logging in to, which it doesn’t in this scenario. It’s the weakness of part 2 above which we avoid here.
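The origin binding this comment relies on, as an added Go example that is not from the thread or from any WebAuthn library: the relying-party check rejects a signature made on a phishing page even when the attacker relays the real site's challenge. The origins, the challenge and the simplified clientDataJSON (no authenticatorData, no "type" field) are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData holds the WebAuthn clientDataJSON fields that matter here. The browser,
// not the page, fills in Origin, so a phishing page cannot claim to be the real site.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// authenticatorSign models the key: it signs SHA-256 of whatever client data the
// browser hands it (authenticatorData omitted for brevity).
func authenticatorSign(k *ecdsa.PrivateKey, origin, challenge string) (cdJSON, sig []byte) {
	cdJSON, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	h := sha256.Sum256(cdJSON)
	sig, _ = ecdsa.SignASN1(rand.Reader, k, h[:])
	return cdJSON, sig
}

// verifyAssertion is the relying-party check: origin and challenge are compared first,
// so a valid signature over a relayed challenge from the wrong origin is rejected.
func verifyAssertion(pub *ecdsa.PublicKey, cdJSON, sig []byte, wantOrigin, wantChallenge string) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if cd.Origin != wantOrigin || cd.Challenge != wantChallenge {
		return fmt.Errorf("client data mismatch: origin %q, challenge %q", cd.Origin, cd.Challenge)
	}
	h := sha256.Sum256(cdJSON)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

func main() {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	// Step 3 above: the relayed challenge is signed, but only under the phishing page's origin.
	cd, sig := authenticatorSign(k, "https://examp1e.invalid", "constructed-challenge")
	fmt.Println(verifyAssertion(&k.PublicKey, cd, sig, "https://example.com", "constructed-challenge"))
}
```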


Well, yes, that is exactly what I'm talking about. The biggest advantage of a physical second factor is that I can see if it has been stolen: I either have it with me, or I don't.

By using multiple keys, you are effectively removing that advantage: someone could have one of your devices (e.g. your laptop while you're out for lunch) and would be able to make use of your second factor without you knowing.

Well, if your primary concern is a local threat - which it absolutely is not for the vast majority of people - then you just have to be more careful with your keys. If you suspect someone might be actively trying to break into your home, you wouldn’t leave your keys on your desk while you went to lunch.
Yep. Use FIDO2 keys to require a PIN or fingerprint to activate the key. This is why Android/iOS as a FIDO key is great - easy to lock, so built-in two factors.
You can also add PINs to Yubikeys to mitigate the local threat.
They also need to know your password though. Unless you've got your passwords written on a sticky note below your keyboard, stealing your laptop doesn't really get the attacker any further along.
That's true. But if the alternative is that people have to set up weaker fallback mechanisms (such as SMS verification) then I'm happy to pay that price.