Hacker News
by GekkePrutser 2134 days ago
Sounds good, but I'd really want to use a PIN with that. Otherwise anyone can take my key and walk up to the computer and unlock it.

I wonder if there is something like pam_piv? I use PIV already for Mac & Windows... Suppose I should look for it myself :)

1 comments

You need a PIN for GPG. Note that that would protect only the GPG keys.

Don’t forget to set a password also for the YubiKey Authenticator app. Otherwise I believe anyone who has your key would see the websites with which you have FIDO U2F and use it.

> Don’t forget to set a password also for the YubiKey Authenticator app. Otherwise I believe anyone who has your key would see the websites with which you have FIDO U2F and use it.

From what I can see YubiKey Authenticator is a TOTP authenticator. So that's completely orthogonal to U2F (and less safe, although more familiar to users who have things like Google Authenticator).

With U2F, non-resident credentials don't leave any trace. If somebody has stolen a working authenticator they'd need to guess sites at which its non-resident credentials would be valid and then try it.
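
Added example, not part of the thread: a simplified Python model of why non-resident U2F credentials leave nothing on the token. It assumes a key-handle scheme in which the token keeps one device secret and the site stores the handle; `ToyAuthenticator` is a hypothetical name, HMAC stands in for the real ECDSA signature, and the example.com origins are constructed.

```python
import hashlib
import hmac
import os


class ToyAuthenticator:
    """Model of a U2F token that keeps no per-site state (illustrative only)."""

    def __init__(self, device_secret=None):
        # The only persistent state: one secret fixed when the token is made.
        self.device_secret = device_secret or os.urandom(32)

    def _mac(self, label, app_hash, nonce):
        return hmac.new(self.device_secret, label + app_hash + nonce,
                        hashlib.sha256).digest()

    def register(self, app_id):
        """Return a key handle; the site stores it, the token does not."""
        app_hash = hashlib.sha256(app_id.encode()).digest()
        nonce = os.urandom(32)
        # The tag binds the handle to this token and this site.
        return nonce + self._mac(b"tag", app_hash, nonce)

    def authenticate(self, app_id, key_handle, challenge):
        """Answer a challenge only if the handle belongs to this token and site."""
        app_hash = hashlib.sha256(app_id.encode()).digest()
        nonce, tag = key_handle[:32], key_handle[32:]
        if not hmac.compare_digest(tag, self._mac(b"tag", app_hash, nonce)):
            return None  # wrong site or wrong token: refuse
        # The per-site key is recomputed on demand and never stored.
        site_key = self._mac(b"key", app_hash, nonce)
        # Stand-in for the ECDSA signature a real token would produce.
        return hmac.new(site_key, challenge, hashlib.sha256).digest()


if __name__ == "__main__":
    token = ToyAuthenticator()
    handle = token.register("https://example.com")
    print("state kept on token:", list(vars(token)))
    print("right site:", token.authenticate("https://example.com", handle, b"c") is not None)
    print("wrong site:", token.authenticate("https://other.example", handle, b"c"))
```
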