by sammorrowdrums 1895 days ago
So, the "something you have" element of security is primarily to avoid remote compromise, and even to make local compromise require an additional theft step.

If the hacker gets your key and your password, it's game over.

But hacking the password will take some time hopefully, and systems usually have retry limits etc., so if you discover you've lost your key, you hopefully have some time to revoke the lost key.

I personally would not use it for password-less login, as it is only good as a second factor.

If your threat model includes any real likelihood of people capable of stealing your keys and cracking your passwords, then 2FA is only a small part of the opsec you need.

Things like the NSA's Zero Trust Security model come to mind: https://news.ycombinator.com/item?id=26549363

If you're at that level, you probably need specialist infra.

But potential compromises don't mean you're not less secure than before; a Yubikey would still make you more difficult to hack.
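The reasoning in the comment above (a stolen key alone is not enough, a guessed password alone is not enough, retry limits buy time, and a lost key can be revoked) can be made concrete with a small model of a two-factor login check. This is an added example, not the commenter's code and not any real token's protocol: the "something you have" is modelled as an HMAC challenge-response over a secret shared with the token (a stand-in for FIDO/U2F-style signing), and the lockout threshold, password, and key secret are constructed values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Retry limit after which the account is locked (constructed value for this example).
MAX_FAILED_ATTEMPTS = 5


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    # key_id -> secret shared with the hardware token.
    # Assumption: a symmetric secret stands in for a real token's key pair.
    key_secrets: dict = field(default_factory=dict)
    revoked_keys: set = field(default_factory=set)
    failed_attempts: int = 0

    @property
    def locked(self) -> bool:
        return self.failed_attempts >= MAX_FAILED_ATTEMPTS


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash so offline guessing takes time."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(password: str, key_id: str, key_secret: bytes) -> Account:
    salt = secrets.token_bytes(16)
    acct = Account(salt=salt, password_hash=hash_password(password, salt))
    acct.key_secrets[key_id] = key_secret
    return acct


def token_response(key_secret: bytes, challenge: bytes) -> bytes:
    """What the 'something you have' computes: an HMAC over the server's challenge.
    Only a party holding key_secret can produce this for a fresh challenge."""
    return hmac.new(key_secret, challenge, hashlib.sha256).digest()


def revoke_key(acct: Account, key_id: str) -> None:
    """Mark a lost or stolen key as unusable, even if the password is also known."""
    acct.revoked_keys.add(key_id)


def login(acct: Account, password: str, key_id: str, challenge: bytes, response: bytes) -> str:
    """Return 'ok', 'denied', or 'locked'.

    Both factors are always evaluated and the result is a single 'denied',
    so a caller cannot learn which factor was wrong."""
    if acct.locked:
        return "locked"
    password_ok = hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash)
    secret = acct.key_secrets.get(key_id)
    key_ok = (
        secret is not None
        and key_id not in acct.revoked_keys
        and hmac.compare_digest(token_response(secret, challenge), response)
    )
    if password_ok and key_ok:
        acct.failed_attempts = 0
        return "ok"
    acct.failed_attempts += 1
    return "denied"


if __name__ == "__main__":
    # Constructed demo: the token secret would live inside the hardware key.
    key_secret = secrets.token_bytes(32)
    acct = register("correct horse battery staple", "key-1", key_secret)
    challenge = secrets.token_bytes(16)
    print(login(acct, "correct horse battery staple", "key-1", challenge,
                token_response(key_secret, challenge)))  # ok
    # Attacker holding the stolen key but guessing the password.
    print(login(acct, "password1", "key-1", challenge,
                token_response(key_secret, challenge)))  # denied
    revoke_key(acct, "key-1")
    print(login(acct, "correct horse battery staple", "key-1", challenge,
                token_response(key_secret, challenge)))  # denied: key revoked
```

The server issues a fresh challenge per attempt, so a captured response cannot be replayed; the failed-attempt counter is what gives the owner of a lost key the window the comment refers to, and revocation closes that window for good.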