How I use my Yubikey


Tobias P.L. Wennberg

Tags: IT, security

I am a big-time Yubikey user. If my key were to disappear, my online life would pretty much disappear with it. Many would find that scary, but I believe that without such vulnerability many would instead be very vulnerable online. The Yubikey allows you to match the convenience and features of being online with the security of something you have in your pocket.

The Yubikey is a security device. It takes a form similar to a USB drive, but instead of storing files, it stores the most valuable keys in the most secure manner. While the key can store many things, such as FIDO-2 credentials for login, static passwords, OTP, OATH-HOTP and much more, I use two features: PGP and HMAC-SHA1 challenge response.

PGP is a technology that was well known in the past but has slowly fallen more and more out of fashion. I believe that is because many considered PGP to be a feature of email. Since many used PGP only to sign and encrypt email messages, it went out of fashion with it. While PGP is great for mail, its features can be used for much more, independently of email. At its core, PGP is a specification for encrypting and signing data. By knowing someone's public key, one can encrypt data so that only the person with the corresponding private key can decrypt it. When one shares one's public key and signs some data, anyone who knows the public key knows who signed the data. I often use PGP to encrypt my own data, so that only I can later decrypt it using my Yubikey. I use it to sign my git commits, so that I, and anyone with a trusted copy of my public key, know that I made the commit. With the key on my Yubikey, I know that there are only two copies of my Yubikey: the one on my keychain and my backup, both created in an air-gapped Tails OS environment for a stupid amount of security. Of course the keys are also password protected, but since the key is on my Yubikey, the password can be weak. After three incorrect attempts, the key gets locked, and after three attempts to unlock it (with a different password), the keys are gone for good.

Challenge response (CR) is the concept of sending a challenge, knowing what the response should be. If the response is correct, you know the thing responding is correct. HMAC is a specification for this and SHA1 is the specific hashing algorithm that HMAC happens to use in this instance. While SHA1 is generally considered an insecure hashing algorithm, it is actually perfectly fine for use with HMAC, especially on a slow device like the Yubikey. I use CR for two purposes: unlocking the LUKS-encrypted root partition on my PC, and unlocking my KeePass database. This improves security by requiring the Yubikey to unlock the drive, while allowing me to have a weaker password than would be required without the CR.
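The following sketch is an added example, not code from this post and not how LUKS or KeePass implement the feature. It models HMAC-SHA1 challenge response with a software stand-in for the key and shows why a weak password alone does not unlock anything; `SimulatedToken`, `derive_key`, `create_vault`, `unlock` and the key-derivation scheme are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class SimulatedToken:
    """Stand-in for the hardware key; the secret never leaves this object."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        # HMAC-SHA1 over the challenge, keyed with the device secret (20-byte result).
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()

def derive_key(password: str, challenge: bytes, token: SimulatedToken) -> bytes:
    """Stretch the password, then bind the result to the token's response."""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), challenge, 100_000)
    return hmac.new(token.respond(challenge), stretched, hashlib.sha256).digest()

def create_vault(password: str, token: SimulatedToken) -> dict:
    """Store only the challenge and a check value, never the response or key."""
    challenge = secrets.token_bytes(32)
    key = derive_key(password, challenge, token)
    return {"challenge": challenge,
            "check": hmac.new(key, b"vault-check", hashlib.sha256).digest()}

def unlock(password: str, vault: dict, token: SimulatedToken):
    """Return the key if password and token both match, else None."""
    key = derive_key(password, vault["challenge"], token)
    check = hmac.new(key, b"vault-check", hashlib.sha256).digest()
    return key if hmac.compare_digest(check, vault["check"]) else None

if __name__ == "__main__":
    my_token = SimulatedToken(secrets.token_bytes(20))      # constructed secret
    other_token = SimulatedToken(secrets.token_bytes(20))   # a different device
    vault = create_vault("weak-pw", my_token)
    print("password + right token:", unlock("weak-pw", vault, my_token) is not None)
    print("password + wrong token:", unlock("weak-pw", vault, other_token) is not None)
    print("wrong password + token:", unlock("guess", vault, my_token) is not None)
```

Someone who copies the stored vault gets the challenge and the check value, but cannot test password guesses without the token's response.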

I believe my usage of the Yubikey provides a great deal of security while not being too harsh on usability. My most used feature by far is CR for unlocking my KeePass database. I do not use features such as TOTP and FIDO-2 since I prefer to have all login credentials in KeePass, and CR, among other things, makes me very confident in the security of that data. While security keys are not vital for one's online integrity, I believe locking one's online identity behind the physical world is the only way to be really sure it is secured.