If the author hasn't figured out you can assign a PIN to the keys you store on the Yubi, then I don't see why I should waste my time reading their rambling blog post.
Good luck taking my Yubikey and trying to SSH to my kit. Won't do you much good without the PIN that is in my head. ;)
P.S. You can also configure the Yubi to lock and mandate a PUK after too many wrong PINs.
Try being a little nicer. If you feel that the blog post is a waste of your time, here's a revolutionary idea – don't say anything? There are 29 other posts on the front page, maybe one of those other ones will be worth your time.
As it is, the UX of the poster's solution is totally different from yours; it enables a one-time, contactless authentication during login. Yours requires a ton of manual input every time the Yubikey is used for SSH. There are some differences in the security models here, but the author's solution is broadly different from yours, and to me, much more convenient (I use a Yubikey with a PIN for work and it's kind of a pain).
I'm making the claim that the OP's comment is both derogatory ("rambling", "waste of my time") and not relevant to the solution described in the article. Therefore, if anything, the comment is more deserving of being labeled spam than the article itself.
It's better to comment from a perspective of "I bet you didn't know this" than "Ha, you're an idiot".
That is a falsehood and deserves to be called out.
I don't mind "revolutionary ideas", but don't use your platform to spread FUD.
p.s. https://news.ycombinator.com/item?id=24190704 was much nicer - that's the spirit ;)
Thanks for reading, though, and for commenting!
If you're using it as a second factor via U2F, the point isn't to be better than a password or to replace a password. The point is to be different. Specifically, the point is to be proof of physical possession. If they steal it, then you still have a memorized password as an authentication barrier.
The problem you raise in your blog post is a good one. People do tend to forget their security keys in their computers. However, making the security key the only required factor seems counterproductive. As an alternative, how about a background daemon that enumerates attached U2F/FIDO devices and reminds you to remove anything that's left in for more than a couple of minutes?
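One way to build the reminder daemon suggested above, as an added example that is not from this thread or from the article: it assumes a Linux host with `lsusb` available, recognises keys by Yubico's USB vendor ID (1050), and the polling interval and "forgotten" threshold are placeholder values.

```python
import subprocess
import time
from typing import Dict, Set

YUBICO_VENDOR_ID = "1050"  # Yubico's USB vendor ID, as shown by lsusb


def attached_yubikeys_from_lsusb(lsusb_output: str) -> Set[str]:
    """Parse `lsusb` output and return 'bus:device' ids of Yubico devices.

    Example line: "Bus 001 Device 004: ID 1050:0407 Yubico.com Yubikey 4/5 OTP+U2F+CCID"
    A re-plugged key gets a new device number, so the id also acts as a session id.
    """
    ids = set()
    for line in lsusb_output.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[5].startswith(YUBICO_VENDOR_ID + ":"):
            bus, dev = parts[1], parts[3].rstrip(":")
            ids.add(f"{bus}:{dev}")
    return ids


class ForgottenKeyMonitor:
    """Tracks how long each key has been attached and flags the ones left in too long."""

    def __init__(self, max_seconds: float):
        self.max_seconds = max_seconds
        self.first_seen: Dict[str, float] = {}  # key id -> time first observed

    def update(self, present: Set[str], now: float) -> Set[str]:
        """Record the keys attached at `now`; return those attached longer than max_seconds."""
        for key in present:
            self.first_seen.setdefault(key, now)
        for key in list(self.first_seen):
            if key not in present:  # unplugged: forget it so a re-plug starts fresh
                del self.first_seen[key]
        return {k for k, t0 in self.first_seen.items() if now - t0 > self.max_seconds}


def run(interval: float = 10.0, max_seconds: float = 120.0) -> None:
    """Poll lsusb forever and print a reminder for keys left plugged in (placeholder timings)."""
    monitor = ForgottenKeyMonitor(max_seconds)
    while True:
        out = subprocess.run(["lsusb"], capture_output=True, text=True).stdout
        for key in monitor.update(attached_yubikeys_from_lsusb(out), time.monotonic()):
            print(f"Reminder: YubiKey at {key} has been plugged in for more than {max_seconds:.0f}s")
        time.sleep(interval)


if __name__ == "__main__":
    run()
```

On a desktop you would replace the `print` with a notification call (e.g. `notify-send`) and run the script as a user service.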
Most places where I use the FIDO feature of Yubi (e.g. Github), you still need to provide username and password. So an abandoned Yubi is still of limited use assuming your password is stored securely.