[bostik]

The main idea with a security token is that you can not get the keys out of them.[ß]

So for a truly secure and reliable setup, get three. Enroll them all as parallel 2FA tokens. Keep one with you, one in a relatively easily accessible but non-obvious place, and one in a safe or bank deposit box. That way when the one you have with you breaks or you lose it, promote the secondary to your primary and order a new one to replace the promoted one.

The third is your emergency backup, for when both normally needed keys are destroyed or lost.

Now of course, this only works when the accounts you want to secure allow to enroll more than one FIDO2 token. Which is, sadly, not the most common setup still. For instance AWS only allows to enroll one 2FA token per account.

ß: Some functionality modes allow to extract private keys by design.

[sedatk]

I keep one always plugged into my computer (like a Nano model), and one on my keychain. You don't usually need more than that as there are ideally other ways to recover your account (printed recovery keys etc).

If your laptop gets stolen with key inserted, and you didn't have time to invalidate the key, one still has to access your local account, and find out saved login information in order to leverage that key, and that's until you notice that your computer's stolen and invalidated your key everywhere. Otherwise, it's just another random key for the thief.

I don't find that part of my threat model, and I've got my laptop stolen before with key plugged in.

[centimeter]

I have a similar setup - Nano 5C on laptop, 5C NFC on keychain (for use with iPad or iPhone), and a third one in a safe deposit box.

I use them for services like Google, but also for SSH keys. (Since 8.2, OpenSSH has built-in U2F support.)

[bostik]

The SSH setup with a Nano and a laptop is pretty neat, in fact. Once you get it going. For a desktop it wouldn't work as smoothly thanks to the touch-for-every-auth requirement.

Even with the well-known document (by HN regular StavrosK) at hand, you can have a confusing experience getting the resident keys going at first. So I put together something to hopefully help people out: https://bostik.iki.fi/aivoituksia/projects/yubikey-ssh.html

FWIW, when I was working on the draft version, searching for the special error code brought up only three pages in Google, and only one of them was actually helpful. At least in my filter bubble.

PS. I am aware of Filippo's yubikey-agent, which AFAIU uses PIV instead of FIDO2. Looking into that will be for the future.

[uep]

Is it considered a no-no to use it with a password manager for other accounts that I consider less critical? I was thinking that for most accounts, I would use the password manager, but use 2FA for the password manager. My primary email account that everything links to, would just be 2FA.

Meaning, I would only really have to remember two strong passwords. The rest would be strong passwords, but without 2FA, and easily changeable without forcing myself to remember yet-another password and which account it belongs to.

[AlexCoventry]

Why not use 2fa on all sites which allow it?

[lukeschlather]

Can you create two dummy accounts that you give full admin access to the first account? It's kind of a dumb hack but seems straightforward?