by jwr 1467 days ago
That's why I prefer using Yubikeys (using this setup: https://github.com/drduh/YubiKey-Guide) — and this method times out immediately (just press esc when the "insert card" dialog comes up).

Plus you can have multiple keys. Plus you can use them for gpg and ssh. Plus you can back them up. Plus you can print them on paper.


Yes and you can forward the yubikey through an SSH agent. It's what I do. This way you can sudo with hardware auth both locally and remotely. Enable touch to sign so the yubikey can't be 'milked' for authentication while it's inserted and unlocked.

I don't know if you can do the same (forwarding over SSH) with Fido2 but I still use traditional SSH keys anyway (stored on the yubi with OpenPGP). And the pam_ssh_agent_auth module.

I'll only consider switching to Fido once everything supports it (eg my iLO devices too) and it can offer at least the same features like forwarding. For now the former is very far from being realised anyway.
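The setup the reply above describes (forwarded agent, sudo via pam_ssh_agent_auth, touch required on the key) in one place, as an added example that is not from the thread or the linked guide. The bastion hostname, the authorized-keys path under /etc/ssh, and the staging directory are assumptions; the ykman syntax is the 4.x form, and for SSH authentication the OpenPGP slot the agent uses is `aut`.

```shell
#!/bin/sh
# Added example: pieces needed for "sudo with hardware auth, locally and
# remotely" with a YubiKey-held OpenPGP authentication key. Paths are
# assumptions; review the staged fragments before installing them.
set -eu

# 1. Require a physical touch for the authentication key, so an inserted,
#    unlocked key cannot be used silently through a forwarded agent.
#    Run once against the real key (ykman 4.x syntax).
enable_touch_policy() {
    ykman openpgp keys set-touch aut on
}

# 2. Client side: forward the agent only to hosts you trust. A global
#    "ForwardAgent yes" would expose the key to every host you log into.
ssh_client_fragment() {
    cat <<'EOF'
Host bastion.example.internal
    ForwardAgent yes
EOF
}

# 3. Server side: sudo asks the forwarded agent to prove possession of a
#    key listed in a root-owned file (users must not be able to edit it,
#    or they could add their own key and bypass the check).
pam_sudo_fragment() {
    printf 'auth sufficient pam_ssh_agent_auth.so file=/etc/ssh/sudo_authorized_keys\n'
}

# sudo strips the environment by default; keep SSH_AUTH_SOCK so the PAM
# module can find the forwarded agent socket.
sudoers_fragment() {
    printf 'Defaults env_keep += "SSH_AUTH_SOCK"\n'
}

# Write all fragments under a scratch directory (assumed path) for review.
stage_fragments() {
    dir="${1:-./staging}"
    mkdir -p "$dir"
    ssh_client_fragment > "$dir/ssh_config.d_bastion"
    pam_sudo_fragment   > "$dir/pam.d_sudo.fragment"
    sudoers_fragment    > "$dir/sudoers.d_ssh_agent"
    printf '%s\n' "$dir"
}
```

Install the fragments into /etc/ssh/ssh_config.d, /etc/pam.d/sudo and /etc/sudoers.d only after checking them, and test sudo from a second session before closing the one you are in.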

The biggest reason I haven't adopted Yubikey yet is that I'm super worried I'll lose that one little USB/NFC key.

Always get 2...

How does that work in practice, though? Do most websites (etc.) support enrolling more than one token?

Almost every one... the big one that only supports a single MFA token that I'm aware of is AWS...

GitHub and Google/Gmail certainly do.