[_8j50]

They offer more security so what you say is true,but there is always a cost-benefit calculation to be had. They solve the human user authentication problem really well,but they do have a cost of ownership significantly higher than just passwords or even software authenticators.

You have to keep in mind that attackers want passwords to get access to some resource,not to just collect your password. Evem with a yubikey, an attacker can still get access to session/auth cookies post authentication to get access to a desired resource.

If the cost makes sense to you, they are the best way to do it,but if not there is no shame in other sane factors of authentication like TOTP or software attested webauthn.

I would restate what you said and say FIDO2 and/or WebAuthn need to be ubiqutous. It should be easy for some random guy working on ASP.NET site or something to support them.

right now even if you have it ,you can login to a handful of sites and that's it. For companies,they need to do SSO for everything with a yubi if they go that route.

[dangerface]

A solokey is $20 I wouldn't call that significant especially in comparison to the cost of losing your email, bank, steam account etc.

[_8j50]

You're talking about purchasing cost, there is additional cost as well. Who supports it,how much more does it cost to support. How easily can you issue new yubikeys,what is the cost of that delay? Do you still keep passwords or hope people keep their yubi's in a secure place?

Business cost example: some important guy is making a business deal but he lost/forgot his credential and can't login to show a presentation. If that credential is a password or TOTP key, he calls helpdesk and gets it sorted out. But if it is a FIDO key and they are on the other side of the planet (or a city close by where you have no support staff) that can humiliate not just the person but your whole company. Are hackers a bigger risk than a guy losing his yubikey? Depends on who you are and what you do. There are even more subtle costs like people forgeting their yubi at work/home and losing man hours for when they have to retrieve it. Malicious insiders swiping a fido key to do harm because of how much trust a session authenticated with a fido key has,etc...