by tnbp 889 days ago
But it's a key though. It goes on the keychain. Unless you don't carry around keys either, in which case yes, that would be very inconvenient indeed.

Also, your Yubikey is probably less likely to be stolen or break, but I figure it's much easier to lose it, which is why you might want to have two, just in case. And that's where it gets really inconvenient.


The problem I've always had with the two-Yubikey model (except for cost and inconvenience, of course) is that you can't really keep the second key in cold storage, because you need to enroll it to new accounts. That doesn't happen every day, but probably regularly enough that you can't keep it in a bank vault or something.

On the other hand, you know the second one works and hasn't spontaneously bitrotted.

My nerdy preferred version would have been (pre-passkey) to have a hardware token where the root secret is generated out-of-device and exists on e.g. a paper backup or something. Then I could just buy a new hardware token and inject the same token if the device dies.

You can technically do this with TOTP if you save the secret instead of simply enrolling the account. You're not supposed to do that, though.
> But it's a key though. It goes on the keychain. Unless you don't carry around keys either, in which case yes, that would be very inconvenient indeed.

Even if I do have keys, they are safe in my pocket, not sticking out the side of a fragile USB port.

There's then the whole mobile problem -- yubikeys are perhaps fine with my laptop, but how about when I'm using a mobile and my laptop is in my bag, or at home?

And OK, let's say I solve all that. How do I add a second key?

The beauty of SMS for 2FA is that my phone number sticks with me. If my phone is lost or stolen, a new SIM card is sent to my home and I have access to all my 2FA authentications. It also ties in well with my phone -- if I get an SMS with a number 123456, it appears as an automatic insert option on the form, no need to go to another app to copy a number and switch back to paste.

TOTP and Yubikeys do not match the usability of SMS.

> Even if I do have keys, they are safe in my pocket, not sticking out the side of a fragile USB port.

It's difficult, though not impossible, to break your USB port with a Yubikey due to its shape. It's not a regular USB plug and will come out quite easily.

> but how about when I'm using a mobile and my laptop is in my bag, or at home?

USB-C and NFC variants are quite common.

> And OK, let's say I solve all that. How do I add a second key?

The same way you add the first: most of the time, you have to scan a QR code. You can scan it more than once.

> The beauty of SMS for 2FA is that my phone number sticks with me. If my phone is lost or stolen, a new SIM card is sent to my home and I have access to all my 2FA authentications.

I'm not giving you my phone number, and mobile providers are known to send replacement SIM cards to random strangers if they ask nicely.
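As an added illustration of the two points made in this thread (saving the TOTP secret yourself, and scanning the same QR code into more than one authenticator), and not code from any of the posters: a minimal RFC 6238 TOTP implementation. The otpauth URI below is constructed, and its secret is the RFC 4226/6238 test key, not a real account.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed enrollment URI (the content of the QR code). The secret is the
# RFC 6238 test-vector key "12345678901234567890" in base32, not a real account.
DEMO_URI = ("otpauth://totp/Example:alice%40example.com"
            "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")

def parse_otpauth(uri: str) -> dict:
    """Decode an otpauth:// URI into the parameters an authenticator stores."""
    u = urlparse(uri)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    s = q["secret"].upper()
    s += "=" * (-len(s) % 8)            # restore base32 padding that issuers often strip
    return {"label": unquote(u.path.lstrip("/")),
            "secret": base64.b32decode(s),
            "digits": int(q.get("digits", 6)),
            "period": int(q.get("period", 30))}

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // period, digits)

def verify_code(secret: bytes, submitted: str, now: int, window: int = 1,
                period: int = 30, digits: int = 6) -> bool:
    """Server-side check allowing +/- `window` time steps of clock skew."""
    step = now // period
    return any(hmac.compare_digest(hotp(secret, step + d, digits), submitted)
               for d in range(-window, window + 1))

def codes_from_two_enrollments(uri: str, now: int) -> tuple:
    """Two authenticators enrolled from the same QR code produce identical codes."""
    a, b = parse_otpauth(uri), parse_otpauth(uri)   # e.g. phone and backup device
    return (totp(a["secret"], now, a["period"], a["digits"]),
            totp(b["secret"], now, b["period"], b["digits"]))

if __name__ == "__main__":
    primary, backup = codes_from_two_enrollments(DEMO_URI, 59)
    srv = parse_otpauth(DEMO_URI)["secret"]            # the server holds the same secret
    print(primary, backup, verify_code(srv, backup, 59))   # 287082 287082 True
```

Because the server only stores the shared secret, it cannot tell which enrolled device produced a code; that is exactly why a copied secret is a full backup, and also why it has to be stored as carefully as the account password.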
> But it's a key though. It goes on the keychain. Unless you don't carry around keys either, in which case yes, that would be very inconvenient indeed.

Half the time I choose TOTP authentication over Yubikey because "Oh god, it's in the living room, I don't want to go get it."

I do have a backup key mind, but that's USB-C instead of A. Maybe I should make another USB A backup.

Two Yubikeys sounds OK, but I don't 100% trust that the second one works forever. Anyway, my keychain got run over by a bus, and luckily the Yubikey survived.