[SahAssar]

I was just about to say that they still sell the neo which runs opensource firmware. Seems like they don't though and have discontinued that line.

Still the idea of hardware tokes, u2f, WebAuthN is not at all tied to yubikeys and there are implementations of it that are software-opensource like solokeys.

I think the security of a yubikey is likely better than most alternatives even if it is not open to scrutiny anymore.

I'm also guessing this is the point where it would be good to mention that WebUSB was a vulnerability for u2f hardware tokens (if you gave sites permission to interact with USB devices): https://www.wired.com/story/chrome-yubikey-phishing-webusb/