
Surely an authenticator app like Authy is more secure than a hardware key like Yubikey.

To access my account with the former an attacker needs my phone and me to log in to it for them.

To access my account with the latter an attacker just needs the hardware key.

I usually have my phone on me whereas I don't want to have to keep track of a tiny USB device and am likely to just leave it plugged into my laptop. My laptop is the most valuable item in my home and so most likely to be stolen, along with the attached key.



> Surely an authenticator app like Authy is more secure than a hardware key like Yubikey.

It is difficult to assess one's choices as "more" or "less" secure without a threat model.

You've focused on the threat from attackers willing to use a mixture of a physical attack (stealing the phone or laptop, perhaps mugging you for it) and a digital attack (accessing online accounts using credentials they stole) but those are very rare.

On the other hand, phishing and other purely online attacks are extremely common. I probably see two or three attempts per week. Most of them are crude but not all, and they work.

Authy emits TOTP codes, so those can be phished. The phishing site gets you to enter your TOTP code, which it passes over to the genuine site, signing in the attacker with your 100% authentic working codes.

But a Yubikey (and dozens of cheaper alternatives including Yubico's own Security Key) can also be used with WebAuthn, which cannot be phished.
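To make the difference concrete, here is an added example (not code from the thread or from Yubico) written from the relying party's side: a TOTP check has nothing tying the code to the page it was typed on, while a WebAuthn-style verifier rejects an assertion whose clientDataJSON carries a different origin. The HMAC "signature", the secrets, the origins and the challenge are all constructed stand-ins; the real protocol uses an ECDSA signature from the key.

```python
import hashlib, hmac, json, struct
from urllib.parse import urlparse

# --- TOTP, RFC 6238: HMAC-SHA1, 6 digits, 30-second step ---
def totp(secret: bytes, unix_time: int) -> str:
    mac = hmac.new(secret, struct.pack(">Q", unix_time // 30), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10**6
    return f"{code:06d}"

def site_accepts_totp(secret: bytes, code: str, unix_time: int) -> bool:
    # The genuine site cannot tell where the user typed the code: a code captured
    # by a look-alike page and relayed within the time step is bit-for-bit the real one.
    return hmac.compare_digest(totp(secret, unix_time), code)

# --- WebAuthn assertion, simplified (constructed stand-in) ---
# An HMAC keyed with a per-credential secret stands in for the authenticator's
# ECDSA signature; the structure is the real one: the signature covers
# authenticatorData || SHA-256(clientDataJSON), and the browser (not the page)
# writes the origin it is actually on into clientDataJSON.
def browser_get_assertion(cred_key: bytes, page_origin: str, challenge: str) -> dict:
    rp_id = urlparse(page_origin).hostname  # browser scopes the call to its own origin
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    cdj = json.dumps({"type": "webauthn.get", "challenge": challenge,
                      "origin": page_origin}, sort_keys=True).encode()
    sig = hmac.new(cred_key, auth_data + hashlib.sha256(cdj).digest(), hashlib.sha256).digest()
    return {"authenticatorData": auth_data, "clientDataJSON": cdj, "signature": sig}

def rp_verify(cred_key: bytes, rp_id: str, expected_origin: str,
              challenge: str, assertion: dict) -> bool:
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != expected_origin:  # origin binding: a relayed assertion fails here
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False  # rpIdHash must be this relying party's
    to_sign = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expect = hmac.new(cred_key, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expect, assertion["signature"])

def demo() -> dict:
    # Constructed secrets, time and challenge; no real accounts involved.
    secret, cred_key, now, chal = b"constructed-totp-seed", b"constructed-cred-key", 1_700_000_000, "c0nstructedChallenge"
    code_typed_on_lookalike = totp(secret, now)  # same code whatever page it was typed on
    relayed = browser_get_assertion(cred_key, "https://login-example.test", chal)  # look-alike origin
    genuine = browser_get_assertion(cred_key, "https://example.test", chal)
    return {"totp_relayed_accepted": site_accepts_totp(secret, code_typed_on_lookalike, now),
            "webauthn_relayed_accepted": rp_verify(cred_key, "example.test", "https://example.test", chal, relayed),
            "webauthn_genuine_accepted": rp_verify(cred_key, "example.test", "https://example.test", chal, genuine)}
```

Running `demo()` gives `True` for the relayed TOTP code but `False` for the relayed assertion, because both the origin field and the rpIdHash name the look-alike site rather than the genuine one.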


I'd like 3FA(!), which would be password plus OTP (e.g. a code from Authy) plus a hardware key like Yubikey. Wouldn't increase the work for me to log in since the Yubikey would always be in my laptop, but would avoid the phishing problem.


Depends... Your phone runs millions of lines of code and you likely browse the web on it, which means that at any moment an exploit could take over your phone (or the regularly scheduled Bluetooth vulnerabilities).

Bam, someone now has the ability to authenticate as you without even needing physical contact and without you ever noticing - this could run for years without any trace. With a Yubikey you will notice that it is missing.

There is a yubikey with fingerprint sensor that is supposed to come soon as well.

In my case, the biggest case against a phone app is that the most likely disruption would be either that my phone was stolen (though not specifically to get my credentials) or just break from a fall or something.

And until there is a decent fallback from that passwords are the better choice for me. (Yubikeys aren't that much better in that regard either)


> There is a yubikey with fingerprint sensor that is supposed to come soon as well

It was announced 11 months ago with no status updates since then. It's really not clear that this product will ever get released.



