by Brajeshwar 1004 days ago
What would be the ideal suggestion for a Yubikey setup -- where I'm not hounded by authorities, don't want to act out the James Bond lifestyle, and am just an ordinary person interested in extra security for himself and his family?

I want to be able to have Yubikeys for (i) my primary desktop at home, (ii) my travel laptop & other devices, (iii) backup (at least two) if any of the primary ones fail. Rinse and repeat for each family member.

5 comments

My suggestion for a regular person is to not deal with Yubikeys. The risk of me somehow shooting myself in the foot trying to use them is much higher than the risk of getting hacked. My most important thing by far is my bank account, which has 2FA via the Chase app on my phone. Doesn't even support Yubikeys. A few other things are like this.

That's good enough for my personal life. I only use a key at work, where they manage all that for us.

If you travel overseas a Yubikey (or equivalent) is apparently a good way of escaping the account lockouts that Google applies when it detects suspicious behaviour. While TOTPs and regular passwords can travel a continent in a few milliseconds, a hardware key cannot, so anyone using it overseas is much more likely to be you.

I've yet to test this but adding a hardware key is the advice I've found online around this particular issue.

(Yes, I also have my own domain in the case I get fully locked out, I am paranoid)

For purposes of FIDO/U2F, almost every service that lets you use U2F will also let you set up TOTP, and with TOTP you can save/print the QR codes. And TOTP is good enough to let you enrol a new U2F key.

So you don't need the expense of buying multiple yubikeys if most of them will end up in safety deposit boxes. Just put a printout of a TOTP QR code in the safety deposit box.

(This doesn't apply if you want to use the non-U2F features of the yubikey, like PGP, but who needs that?)

Use the "FIDO (both U2F and FIDO2 flavors)" capability to protect your Gmail account. You don't want your email compromised; it's the most important.

Next, use 1password with the family. It too has FIDO support.

You could buy "nano" keys for each computer and just leave them installed all the time. And the backup would be one on your keychain. This is how I do it.

I'm not really that concerned about someone gaining physical access to my system compared to how concerned I am about someone on the Internet gaining access to my passwords somehow. Of course I lock the doors to my house and don't leave my laptop just lying around :)

I need such a guide as well. If I want to sign up for a new service and use the yubikey as a factor, is it required that I have all of them, including the backup keys, at hand to register them, or can I keep them outside the house?