by Pneumaticat
2133 days ago
Author of the post here - you have a good point with regard to SSH/GPG. (I do have a PIN on my keys.) I was targeting more the U2F standpoint - as in if you're using it for 2FA, it's obviously no better than a password if someone else can just press the little yellow button :) Thanks for reading, though, and for commenting!
If you're using it as a second factor via U2F, the point isn't to be better than a password or to replace a password. The point is to be different. Specifically, the point is to be proof of physical possession. If they steal it, then you still have a memorized password as an authentication barrier.
The problem you raise in your blog post is a good one. People do tend to forget their security keys in their computers. However, making the security key the only required factor seems counterproductive. As an alternative, how about a background daemon that enumerates attached U2F/FIDO devices and reminds you to remove anything that's left in for more than a couple minutes?
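As an added example (not code from either commenter), here is the reminder logic such a daemon would need: it tracks how long each attached key has been present across enumeration snapshots, nags after the threshold, and restarts the clock when a key is unplugged and re-inserted. `enumerate_u2f_devices`, `KeyWatcher` and the use of python-fido2's `CtapHidDevice.list_devices()` for the live case are my assumptions; the snapshot inputs are constructed.

```python
"""Reminder logic for a 'security key left plugged in' daemon (constructed example)."""
import time

REMINDER_AFTER_SECONDS = 120  # "more than a couple minutes"

def enumerate_u2f_devices():
    """Set of attached FIDO HID device paths. Assumption: python-fido2's
    CtapHidDevice.list_devices() enumerates them; if it is not installed,
    return an empty set so the logic below still runs offline."""
    try:
        from fido2.hid import CtapHidDevice
    except ImportError:
        return set()
    return {str(d.descriptor.path) for d in CtapHidDevice.list_devices()}

class KeyWatcher:
    """Tracks how long each device has stayed attached and decides when to nag."""

    def __init__(self, threshold=REMINDER_AFTER_SECONDS):
        self.threshold = threshold
        self.first_seen = {}  # path -> time of the snapshot that first saw it
        self.last_alert = {}  # path -> time of the most recent reminder

    def poll(self, now, present):
        """Record one enumeration snapshot taken at `now`; return paths to remind about."""
        for path in list(self.first_seen):
            if path not in present:  # unplugged: forget it so re-inserting restarts the clock
                del self.first_seen[path]
                self.last_alert.pop(path, None)
        alerts = []
        for path in sorted(present):
            self.first_seen.setdefault(path, now)
            overdue = now - self.first_seen[path] > self.threshold
            quiet = now - self.last_alert.get(path, float("-inf")) > self.threshold
            if overdue and quiet:  # nag once, then again every threshold interval
                self.last_alert[path] = now
                alerts.append(path)
        return alerts

def run_daemon(poll_interval=10):
    """Live loop: enumerate every poll_interval seconds and print reminders."""
    watcher = KeyWatcher()
    while True:
        for path in watcher.poll(time.monotonic(), enumerate_u2f_devices()):
            print(f"Reminder: security key at {path} has been plugged in for over "
                  f"{watcher.threshold:.0f}s; remove it if you are done.")
        time.sleep(poll_interval)

if __name__ == "__main__":
    run_daemon()
```

Wiring the print into a desktop notification (notify-send, osascript, etc.) is the only platform-specific part; the dwell-time logic is the same everywhere.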