by timothy-quinn 2193 days ago
It depends on the context really - I love the push-driven MFA products, but they specifically require you as a user to be carrying a phone with you at all times, and are usually considered "low" assurance of the user's identity.

If your business is seeking "higher" assurance (yes, assurance levels are very subjective) then certificate-based MFA can meet the needs better. Or, if your business is working with sensitive data/systems, phones may be banned from the office (e.g. military, intelligence, banks, etc.).


If you can’t use a phone as a factor, it’s likely you’ll be issued a smart card (such as a CAC in the case of the military).

It feels like Yubikeys are a shim until the phone UX as a factor improves (and there’s more server-side support) and/or smart card adoption for identity improves. If Touch ID and Face ID are good enough for most secure transactions in the Apple ecosystem (including Apple Pay), that seems like reasonably high assurance.

Some of the U2F-only tokens are their own thing, but the flagship Yubikey is literally a smart card bundled with a reader. The USB token form factor makes a little more sense for an individually assigned laptop.

I have found Yubikey evangelism terribly difficult in both my enterprise and defense industry engagements, hence my smart card statements. For whatever reason, Yubico still has some perception challenges.