Conclusion: they are good–get a couple.

I recently spent an afternoon enabling several of my online accounts to use U2F. I bought several Yubikeys and wanted to get some experience with using them day to day. I have previously used Duo and currently use RSA soft token for work. I currently use Google Authenticator for some of my personal accounts. I find the U2F experience fairly unobtrusive, as long as you use Chrome, which I recently switched to.

"Yubikey as part of pocket litter"

One side effect of setting up and going through this: it gives you the opportunity to review and consider the security posture of your various online accounts. Things to think about: are my recovery emails and phone numbers current? Are they the ones I’d prefer? Do I understand what I need to do to recover if I lost this account?

Some things to consider: Buy two keys at minimum–you want a backup. There’s a minor additional inconvenience (a separate download) if you don’t run Chrome, but they will still work. I haven’t gone through that process. You may need to consider your machine’s port configuration–USB-A is becoming scarcer, but Yubico has models that use USB-C. It’s just the cheapest one is USB-A only right now.

I don’t carry a lot of keys on my ring anymore, so adding this to Every Day Carry wasn’t a problem. They have a nano form factor, but that seems too easily lost for me. I expect the main failure mode to be losing the key.