I’m not going to hang my whole security on a single key, if I’m afraid of a state actor, is what I’m personally getting at.
But let’s be real, like you just said, most compromise is human. Social engineering. Passwords and SMS (and even non SMS) 2FA is just too easy to talk someone out of. A strong hardware key stops 99.9% of breeches in their tracks.
But yeah, I’m sure the state has a way to break a Yubi. Let’s be real, a pair of pliers and some sodium pentathol will break me much cheaper.
The state has a way to break anything they target at the end of the day. That's why I place no trust in centralised services owned by registered corporations, usually in the US, increasingly Switzerland too, they might not show ads but no centralised platform run by a company accountable to shareholders (public or private) will ever be decentralised in any real way.
Like that old expression goes: if the NSA is part of your threat model, you're already fucked.
But yeah when you consider the threat model of the average person they are worried more about "hackers stopping me from logging into Insta I can't get my influencer money."
As for loss, that's why you have at least one backup key.
