by artdigital 1485 days ago
I have a question - do you disable regular OTP 2FA on services where you use the Yubikey? I have one too and religiously added it to all kinds of things, but each service allowed me to just skip the yubikey when a regular OTP code was entered, effectively making me not use the yubikey
1 comment

If you have only one Yubikey, and use it as the only factor of authentication to a website, you'll need to ensure you store the 2FA recovery codes safely. Whereas if you have both Yubikey and TOTP as factors of authentication, if you lose the Yubikey, you'll still be able to log in.

I view that as "Yubikey more convenient than TOTP". You can either use TOTP, or the Yubikey, and it's easier to tap a button than to enter a code.

WebAuthn is more convenient but also more secure. You don't have to be as vigilant when checking what URL your browser is pointing at.
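As an added illustration of why the WebAuthn point holds (this is example code written for this page, not the commenter's and not from any Yubico or WebAuthn library): a TOTP code is just six digits derived from a shared secret and the clock, so the server cannot tell which page the user typed it into, whereas a WebAuthn assertion is signed over client data that the browser fills in with the real page origin, and the relying party rejects any assertion whose origin or RP ID hash does not match. The RP origin `https://example.com`, the RP ID `example.com` and all secrets are constructed for the example; an HMAC stands in for the authenticator's public-key signature, and the TOTP part follows RFC 4226/6238.

```python
import hashlib
import hmac
import json
import secrets
import struct
import time

# ---- TOTP (RFC 4226 HOTP under the hood, RFC 6238 time step) ----

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """TOTP: HOTP with the counter set to the current 30-second window."""
    return hotp(secret, at // step)


def totp_verify(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current window and +/- `window` neighbours (clock drift)."""
    counter = at // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


# ---- Simplified WebAuthn assertion (constructed RP values) ----

EXPECTED_ORIGIN = "https://example.com"   # constructed: the RP's real origin
RP_ID = "example.com"                     # constructed: the RP ID the credential is scoped to


def browser_get_assertion(cred_key: bytes, page_origin: str, challenge: str) -> dict:
    """What the browser + authenticator return for navigator.credentials.get().

    The browser, not the page, writes `origin` into clientDataJSON, so a page
    cannot claim to be an origin it is not. (A real browser would additionally
    refuse to use the credential at all if page_origin is not under RP_ID.)
    """
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, separators=(",", ":")).encode()
    # authenticatorData = rpIdHash (32) || flags (1, UP set) || signCount (4)
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    # Stand-in for the ECDSA signature over authenticatorData || SHA-256(clientDataJSON)
    signature = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                         hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def rp_verify_assertion(cred_key: bytes, assertion: dict, expected_challenge: str) -> bool:
    """The relying party's checks from the WebAuthn spec, in the order they matter."""
    try:
        cd = json.loads(assertion["clientDataJSON"])
    except (KeyError, ValueError):
        return False
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != expected_challenge:      # replay protection
        return False
    if cd.get("origin") != EXPECTED_ORIGIN:            # origin binding: the key point
        return False
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():   # rpIdHash check
        return False
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def demo() -> tuple:
    """Returns (totp_accepted, webauthn_right_origin, webauthn_other_origin)."""
    totp_secret = b"constructed-totp-secret"
    now = int(time.time())
    code = totp(totp_secret, now)
    # Nothing in the six digits says where they were entered; the server accepts
    # them the same way no matter which page collected them.
    totp_accepted = totp_verify(totp_secret, code, now)

    cred_key = secrets.token_bytes(32)          # constructed credential key
    challenge = secrets.token_urlsafe(32)       # fresh per-login challenge from the RP
    right = rp_verify_assertion(cred_key, browser_get_assertion(cred_key, EXPECTED_ORIGIN, challenge), challenge)
    other = rp_verify_assertion(cred_key, browser_get_assertion(cred_key, "https://example.net", challenge), challenge)
    return totp_accepted, right, other


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

The origin check in `rp_verify_assertion` is what lets the commenter skip scrutinising the URL bar: the decision is made by the browser and the server from data the user never types.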
Not the GP, but I also use YK as a primary auth mechanism and TOTP as fallback.

Since I only use TOTP as fallback, I am much more vigilant if I suddenly get a TOTP prompt. I should never get one, except in circumstances where I explicitly want one. Every other instance is a big red flag. Is that perfect? No. Is it better than TOTP? Yes.