That is awesome. Despite some… theories otherwise, FIDO2 is a step in a good direction. I’m phasing my whole household to YubiKeys.
Discussion
FIDO2 is great. Passwords have been proven absolutely horseshit over the last decade or two. Ditto SMS 4FA. Using cryptography to solve it is good.
I'm guessing the concern is over the NIST curves? Certainly a valid concern. Hence this little experiment.
All the hardware, Yubikeys included, has the capacity to create and use Ed25519 but they choose not to.
After all, who is Yubi's top customer? The DoD.
I’m not going to hang my whole security on a single key, if I’m afraid of a state actor, is what I’m personally getting at.
But let’s be real, like you just said, most compromise is human. Social engineering. Passwords and SMS (and even non SMS) 2FA is just too easy to talk someone out of. A strong hardware key stops 99.9% of breeches in their tracks.
But yeah, I’m sure the state has a way to break a Yubi. Let’s be real, a pair of pliers and some sodium pentathol will break me much cheaper.
The state has a way to break anything they target at the end of the day. That's why I place no trust in centralised services owned by registered corporations, usually in the US, increasingly Switzerland too, they might not show ads but no centralised platform run by a company accountable to shareholders (public or private) will ever be decentralised in any real way.
Like that old expression goes: if the NSA is part of your threat model, you're already fucked.
But yeah when you consider the threat model of the average person they are worried more about "hackers stopping me from logging into Insta I can't get my influencer money."
As for loss, that's why you have at least one backup key.