
Ask HN: How is a Yubikey “always-in” 2fa key a true 2fa? - throwaway2352
I know the Yubikey 4 Nano is very popular and is designed to always stay in a USB port: https://www.yubico.com/product/yubikey-4-series/#yubikey-4-nano

Google, who is considered to have good internal IT security practices, gives these to employees.

They provide an app which lets your 2fa codes be shown on the computer as long as the USB device is in place: https://developers.yubico.com/yubioath-desktop/

Your 2fa codes are effectively always available on your computer this way. Is this considered a secure practice? Especially if you're using a password manager, this puts the password and 2fa device on the same device.
======
guiambros
> _Your 2fa codes are effectively always available on your computer this way._

No, they're not. They're available on the hardware key, which is more secure
than software (malware, keylogger, etc), and requires a physical touch to be
activated.

If your computer is lost or stolen, you simply revoke your lost key and use
your backup one. If your password is compromised (say, by a keylogger), they
won't be able to do much without your hardware key.

It's not perfect, but it's a good balance between security and convenience.

------
msoad
Read this: [https://github.com/github/SoftU2F#security-considerations](https://github.com/github/SoftU2F#security-considerations)

