This isn’t strictly a privacy question as a security one, so I’m asking this in the context of individuals, not organizations.
I currently use OTP 2FA everywhere I can, though some services I use support hardware security keys like the Yubikey. Getting a hardware key may be slightly more convenient since I wouldn’t need to type anything in but could just press a button, but there’s added risk with losing the key (I can easily backup OTP configs).
Do any of you use hardware security keys? If so, do you have a good argument in favor or against specific keys? (e.g. Yubikey, Nitrokey, etc)
I think the best use case will be to use a yubikey with a password manager. That way it doesn’t matter what sites support the security key directly. You could also set up passkeys with the sites so that once you authenticate with your password manager, the login process is transparent. Once more sites support passkeys, anyway.
I suggest having a threat model about what attack(s) your security is protecting against.
I’d suggest this probably isn’t giving much extra security over a long unique password for your password manager:
That said, it might be able to give you more convenience at the expense of slightly less security - particularly if your threat model is entirely around remote attackers - on the convenience/security trade-off. You would touch a button to decrypt instead of entering a long passphrase.