In that case, can we do 2FA with something biometric? Or even 2 passwords?
A physical component has a lot of issues:
* It can be stolen or robbed at gunpoint. Torture, drugging, and hypnosis aside, your mind is much more secure.
* It can run out of batteries.
* It's one more thing you can lose. It's already annoying enough to have to remember to carry 7 or 8 things every day, including a phone, bike light, smart watch, tablet, battery pack, reusable utensils, and so on. I don't want to have to add more things to this list.
* It can be damaged by the elements.
* It can be difficult to give access to others who you want to give access to.
* It may have security holes of its own, both in hardware and in software.
* When damaged or robbed, the user is highly inconvenienced, to the point that they are unable to access their own money/accounts/etc. How do you get food, water, and get home from the middle of nowhere after your wallet and phone have been taken from your person? With password-only methods, you could theoretically find a nearby public terminal, log in with a simple username and password, and get a ride/call a friend/file a report/do whatever you need to do.
* If it relies on cellular service, it may not work internationally if the user changes SIM cards or devices. For many that live near border towns and cross borders every day for work, this becomes a massive inconvenience.
Biometrics make great usernames but poor passwords since they can't be changed. Imagine a fingerprint system of some kind - someone images your fingerprint from, say, a leftover coffee cup (not hard or expensive to do), and you're pwned.
The YubiKey does not run on batteries. It requires no cellular service. It can be damaged by the elements but not easily. Most electronics would break before it does. Of course you can lose it, but you can lose anything. Attach it to something you care about, such as your regular keychain. If you want to give access to someone, register a second key and lend that key to them. Then revoke when they don't need it.