by foxyv 396 days ago
Typically the way these codes are compromised is when they are stored in a non-HSM location like Google Drive or transferred somehow. Then again, if you are just trying to keep people out of your Facebook account, it's not a big deal. But if you are trying to keep people out of financial accounts, I wouldn't recommend transferring TOTP keys. Instead, using a backup method like a printed-out one-time-use sheet would be better.

Unfortunately, most such websites use KBA or text-based authentication as a backup for TOTP, so you may as well just stick it in Google Drive.
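As an added illustration of the two mechanisms the comment contrasts (this is example code written for this page, not something the commenter posted): a minimal RFC 6238 TOTP verifier, the base32 seed decoding that shows what a "transferred TOTP key" actually is, and a server-side store for printed one-time backup codes that keeps only salted PBKDF2 hashes and invalidates each code after a single use. The names `hotp`, `totp`, `verify_totp`, `key_from_base32` and `BackupCodeStore` are this example's own; the 20-byte seed in the comments is the RFC 4226/6238 test-vector key.

```python
"""TOTP (RFC 6238) verification plus single-use printed backup codes.

Added example, not from the thread. The function and class names are
this example's own inventions.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional, Tuple


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = time.time()
    return hotp(key, int(at) // step, digits)


def verify_totp(key: bytes, code: str, at: Optional[float] = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` neighbouring steps,
    comparing in constant time."""
    if at is None:
        at = time.time()
    for skew in range(-window, window + 1):
        if hmac.compare_digest(totp(key, at + skew * step, step), code):
            return True
    return False


def key_from_base32(seed: str) -> bytes:
    """Decode the base32 seed carried in otpauth:// URIs and QR codes.

    This string *is* the TOTP key: anyone who copies it (e.g. from a screenshot
    synced to a cloud drive) can generate every future code.
    """
    seed = seed.strip().replace(" ", "").upper()
    return base64.b32decode(seed + "=" * (-len(seed) % 8))


class BackupCodeStore:
    """Server-side record of printed backup codes: salted PBKDF2 hashes only.

    The plaintext codes exist once, at generation time, so the user can print
    them; a database leak yields only hashes, and each code works exactly once.
    """

    ITERATIONS = 100_000  # slows offline guessing of the 40-bit codes

    def __init__(self) -> None:
        self._entries: List[Tuple[bytes, bytes]] = []  # (salt, digest)

    @classmethod
    def _digest(cls, code: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, cls.ITERATIONS)

    def generate(self, count: int = 10) -> List[str]:
        """Return plaintext codes for printing; keep only their salted hashes."""
        codes = []
        for _ in range(count):
            code = secrets.token_hex(5)  # 10 hex chars, 40 bits of entropy
            salt = secrets.token_bytes(16)
            self._entries.append((salt, self._digest(code, salt)))
            codes.append(code)
        return codes

    def redeem(self, code: str) -> bool:
        """Consume a code: valid exactly once, then removed from the store."""
        code = code.strip().lower()
        for i, (salt, digest) in enumerate(self._entries):
            if hmac.compare_digest(self._digest(code, salt), digest):
                del self._entries[i]
                return True
        return False

    def remaining(self) -> int:
        return len(self._entries)


if __name__ == "__main__":
    key = key_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # RFC test key
    print("TOTP at t=59:", totp(key, at=59))
    store = BackupCodeStore()
    sheet = store.generate()
    print("print and keep offline:", sheet)
    print("first use:", store.redeem(sheet[0]), "reuse:", store.redeem(sheet[0]))
```

The values asserted below come from the RFC 4226 and RFC 6238 test vectors for the ASCII key `12345678901234567890`; the backup-code checks only exercise single-use behaviour, since the codes are random.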


It sucks that Yubikey (or other hardware-based auth) isn't more prevalent in the financial/banking world. It helps mitigate a lot of types of attacks:

- No tokens to exfiltrate off a computer

- Avoids keylogger style attacks

- More durable than cell phones

That said, for people who have high amounts of money in certain accounts (> 1m), it might also present physical dangers (e.g. kidnapping, home invasion) from thieves attempting to get access to the hardware key.

The rubber hose attack is always the most reliable and most dangerous method of breaching high value targets like this.

https://xkcd.com/538/