
Usually you just use multiple keys - one USB-C in the MacBook, one tiny USB-A in the laptop and the built-in Titan key in the Pixel phone. You don't remove them.



Aren't you effectively removing the second factor by keeping it permanently attached to each of your devices?


Not unless your attacker has physical access to the machine. You still have to touch the device to activate it each time.

This still mitigates the most common MITM-type attacks:

1. Attacker instigates login via fake portal.

2. Attacker fools you into entering your 6-digit OTP.

3. Attacker intercepts your valid OTP, combines it with your stolen password, and logs in to the real site.

This doesn’t work with a YubiKey or the equivalent because of the back-and-forward cryptographic signing. The request has to come from the website you’re logging in to, which it doesn’t in this scenario. It’s the weakness of part 2 above which we avoid here.
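Steps 1-3 above replayed with a security key instead of an OTP, as an added example in Go that is not from the thread: the authenticator, the relying party, the rpId "bank.example", the origins and the challenge are all assumed or constructed here, with the signed data simplified to the rpIdHash plus the client-data hash.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// clientData holds the fields the browser itself writes into WebAuthn's
// clientDataJSON; the web page cannot choose the origin that gets recorded.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// digest is what the key signs: SHA-256(rpIdHash || SHA-256(clientDataJSON)).
func digest(rpID string, cdj []byte) []byte {
	rpIDHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdj)
	d := sha256.Sum256(append(rpIDHash[:], cdHash[:]...))
	return d[:]
}

// Sign models the security key's response to a touch.
func Sign(key *ecdsa.PrivateKey, rpID string, cd clientData) (cdj, sig []byte) {
	cdj, _ = json.Marshal(cd)
	sig, _ = ecdsa.SignASN1(rand.Reader, key, digest(rpID, cdj))
	return cdj, sig
}

// Verify models the relying party: the challenge must be the one it issued,
// the recorded origin must be its own, and the signature must check out.
func Verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, cdj, sig []byte) bool {
	var cd clientData
	if json.Unmarshal(cdj, &cd) != nil || cd.Challenge != challenge || cd.Origin != origin {
		return false
	}
	return ecdsa.VerifyASN1(pub, digest(rpID, cdj), sig)
}

// LoginAccepted replays steps 1-3 with a key instead of an OTP: the user touches
// the key on a page at pageOrigin, the attacker relays the result to bank.example.
func LoginAccepted(pageOrigin string) bool {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // enrolled key (constructed)
	challenge := "c0ffee"                                     // constructed; real ones are random
	cdj, sig := Sign(key, "bank.example", clientData{"webauthn.get", challenge, pageOrigin})
	return Verify(&key.PublicKey, "bank.example", "https://bank.example", challenge, cdj, sig)
}
```

A real browser would already refuse the fake portal's request, since the rpId must match the page's own domain; the origin check in Verify is the relying party's own backstop. Real authenticator data also carries flags and a signature counter, which this model leaves out.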


Well, yes, that is exactly what I'm talking about. The biggest advantage of a physical second factor is that I can see if it has been stolen: I either have it with me, or I don't.

By using multiple keys, you are effectively removing that advantage: someone could have one of your devices (e.g. your laptop while you're out for lunch) and would be able to make use of your second factor without you knowing.


Well, if your primary concern is a local threat - which it absolutely is not for the vast majority of people - then you just have to be more careful with your keys. If you suspect someone might be actively trying to break into your home, you wouldn’t leave your keys on your desk while you went to lunch.


Yep. Use FIDO2 keys to require a PIN or fingerprint to activate the key. This is why Android/iOS as a FIDO key is great - easy to lock, so built-in two factors.


You can also add PINs to YubiKeys to mitigate the local threat.


They also need to know your password though. Unless you've got your passwords written on a sticky note below your keyboard, stealing your laptop doesn't really get the attacker any further along.


That's true. But if the alternative is that people have to set up weaker fallback mechanisms (such as SMS verification), then I'm happy to pay that price.


Not really, because an attacker still needs physical access to the device. It still protects from someone with your password getting into the account (unless they have your laptop).


Few providers support enrolling multiple YubiKeys into your account.


Which don't? For all the big major ones I've used U2F with, they've supported multiple keys for a while (or since introduction). It's practically a requirement in case you lose a key.

To name a few off the top of my head: Google, GitHub, GitLab, Facebook, 1Password, etc.


Vanguard (where my company has their 401k plan) is one I have encountered that only supports a single YubiKey.


Not sure when you last checked, but Vanguard supports up to 4 security keys.


Oh, great news, thanks for letting me know!


I just think Vanguard doesn't let you fully disable SMS though, right? (But I only checked like a year ago.)


AWS only supports a single U2F key at the moment.


Before this, both LastPass and 1Password said they supported U2F via Duo, but Duo only supported one key, so I could never use it.


If that's the case, it must have changed at some point. LastPass and Duo both support multiple U2F keys, and have for at least a couple of years. I have two keys registered with Duo for login at my school and also through LastPass's non-Duo U2F support.


My college uses Duo and it has no such restriction; if you tried this recently and couldn't add more than 1, it is probably set by LastPass/1Password.


Duo Free used to have a restriction of one device, but it seems for U2F they now require one of their paid plans: https://duo.com/product/trusted-users/two-factor-authenticat...


I didn't even realize they had a free tier; makes sense.


This is true, and it is dangerous (once the key fails, folks get locked out). I don't use security keys with such providers.

It would be nice if someone made a library that made incorporating WebAuthn login into an app as simple as using Django or Ruby on Rails or React to create a login form, so folks don't end up rolling their own and assuming that a user will have at most one YubiKey.

Failing that, you could do what Zeit does and rely on email providers' support for Security Keys (login by email link only).


Usually you can use a TOTP backup method (Google Authenticator or similar). But don't actually use it. Just save the key to initialize it to a secure backup which can be accessed if your YubiKey is lost.

