Every hardware based key I ever used also required PIN, but as far as expense and backups, yes, for personal use the cost generally may not be justified. I got all my personal ones as a bundle that was on sale. For work I would argue that some businesses can easily justify the cost to create a rotating stock of hardware keys to deal with lost keys. Generally in that environment you have centralized PKI, where you can revoke the certificate on the lost key and then issue a new certificate on a new hardware key. This doesn’t help for all sign in methods tied to hardware keys, but can be very practical when implemented right.
I also agree on TOTP as the ultimate generic 2FA method, with several worsening options until the despised email or sms 2FA. I will also add that you can setup TOTP on modern hardware keys, where you must insert and complete PIN entry. The inconvenience is that you must have all your keys and password manager available at setup time for places that don’t support multiple TOTP codes.
I didn’t invested too much time into hardware keys but requiring additional software on other PCs, still is a no-go for me. With my current setup, I only need my smartphone and I always carry it around.
For business use, this is a whole different topic. With a proper setup, all machines would require the software and you shouldn’t access these accounts outside from company devices. Its also an expense which the company must carry and its easier for them to handle backups.
Also in that Setup, you can have SSO/LDAP, where you can physically proof that you are you and requesting resetting the MFA. With an online service, they usually require a weak proof, like just the access to an email account.
I just needed to think of the scene from the Simpsons, where Mr. Burns and Smithers go all through the security checks and in the end, there is a flimsy open backdoor, where a stray dog entered the room. All security in the front doesn’t matter, if the backdoor is not secure at all and until the backdoor is that unsecure, I’m not willing to add money and time, to make the front door more secure.
Every hardware based key I ever used also required PIN, but as far as expense and backups, yes, for personal use the cost generally may not be justified. I got all my personal ones as a bundle that was on sale. For work I would argue that some businesses can easily justify the cost to create a rotating stock of hardware keys to deal with lost keys. Generally in that environment you have centralized PKI, where you can revoke the certificate on the lost key and then issue a new certificate on a new hardware key. This doesn’t help for all sign in methods tied to hardware keys, but can be very practical when implemented right.
I also agree on TOTP as the ultimate generic 2FA method, with several worsening options until the despised email or sms 2FA. I will also add that you can setup TOTP on modern hardware keys, where you must insert and complete PIN entry. The inconvenience is that you must have all your keys and password manager available at setup time for places that don’t support multiple TOTP codes.
I didn’t invested too much time into hardware keys but requiring additional software on other PCs, still is a no-go for me. With my current setup, I only need my smartphone and I always carry it around.
For business use, this is a whole different topic. With a proper setup, all machines would require the software and you shouldn’t access these accounts outside from company devices. Its also an expense which the company must carry and its easier for them to handle backups. Also in that Setup, you can have SSO/LDAP, where you can physically proof that you are you and requesting resetting the MFA. With an online service, they usually require a weak proof, like just the access to an email account.
I just needed to think of the scene from the Simpsons, where Mr. Burns and Smithers go all through the security checks and in the end, there is a flimsy open backdoor, where a stray dog entered the room. All security in the front doesn’t matter, if the backdoor is not secure at all and until the backdoor is that unsecure, I’m not willing to add money and time, to make the front door more secure.