[ashtonkem]

A permanently attached Yubikey is not worse than a password alone, and is still superior to SMS 2FA. It still requires that an attacker know both your password and have physical possession of your machine. For the vast majority of users, this is sufficient protection from the threats that they face. The chance that someone both knows your password and is close enough to steal your yubikey is incredibly unlikely.

If you’re the kind of person liable to get personally targeted for nation state level attacks, then you definitely are going to want to unplug your yubikey and keep it on your person. For the rest of us, a hardware 2FA token is enough to protect against a sim swap attack, which is probably enough.

[Legogris]

> liable to get personally targeted for nation state level attacks

Groups also potentially at risk:

* Targets for industrial espionage (you might not be interesting but your employer is)

* Those believed to hold larger amounts of cryptocurrency

[stingraycharles]

Yeah I have this setup for quite a few years by now, and occasionally I question whether this practice makes sense.

What does make it incredibly dangerous is that it also applies for eg “sudo”: if you don’t have any additional protection, it effectively means that any exploit in any app can be immediately extended to a local privilege escalation, as there is no additional protection in place.

In other words, be careful what you wish for. :)

[solatic]

> If you’re the kind of person liable to get personally targeted for nation state level attacks, then you definitely are going to want to unplug your yubikey and keep it on your person.

Maybe yes, maybe no. Do you have a backup YubiKey? If so, then you need to keep it in a separate location (i.e. don't defend against losing your keys by putting both your primary and your backup on the same physical keychain). Are you putting it in a safe? What safe can you buy that is sufficient protection against nation-state level attacks? How often do you check your safe to make sure that your backup hasn't been stolen? What process do you have in place to revoke and replace your backup YubiKey in case you do discover that the backup has been stolen (do you have a list of every website at which you ever enrolled the backup, and how do you safeguard the list)?

IMO unless you are very seriously paranoid, you buy a "nano" in-slot YubiKey if your usage pattern targets a single machine, and a keychain YubiKey (with NFC) if you need portability between, say, your work laptop, your home desktop, and your phone. It's not a question of security but of your usage pattern.

[tuananh]

i dont get why it's better password and 2FA? leaving yubikey unattended, it will only require attacker to know the password (PIN).