by BrandoElFollito 1951 days ago
Making a decision on what to use for authentication should rely on a risk assessment. Of course normal people will not do it, but at least what we provide them should meet their needs.

99.7% of people will get their password stolen because they use only one on each service. It will get stolen on some shady site, and then checked against the same email on gmail.com.

The remaining 0.3% of the users will have their laptop stolen, together with the key. The thief will then re-image the laptop to sell it and throw the key away.

Finally, 1723 geeks in the world need to make sure they use 8 FA so they will be fine.

There are also enterprise users (35.8%) who will get something from their company which marries a PIN to an OTP, and they will be fine.

In other words: yay yubikey! instead of password.

Note: the percentages not only are invented but do not add up to 100%. The first one is probably very, very underestimated.