> But what happens when you lose that security token?
Pretty simple: you use your backup key to revoke the lost key. This is possible with e.g. Lastpass and Google. Of course, if the attacker logs in before you revoke the key, you are hosed, but the same would be true in your car analogy.
> i.e. "Honey! I can't find the car keys, have you seen them?"
With car keys, too, you have a backup key. Arguably, the physical car keys are easier to copy.
> I would be in favor of an implantable RFID chip or whatever 'better' tech comes around.
Nothing new, see this article from 2004 [1]. As you can read in the article, its first headline was even in 2001 (to put that in perspective, this is 15 to 16 years ago). The company's name is VeriChip.
The problem is that the signal can be intercepted (AFAIK it doesn't use a form of OTP), and the key cannot be easily replaced/revoked. A YubiKey doesn't suffer from this issue. The issue a YubiKey has is that it can be lost more easily than an implant.
The YubiKey Neo ('large' version, not the 'laptop' version) supports NFC.
I'd love something like a Yubikey Neo (NFC) with a fitness band type form factor (that I can shower/swim with), and an intention indicator (button of some sort) before the NFC would respond.
Right now I use a Pebble smartwatch (which I use for fitness, too) with Bluetooth 4 to unlock my Android phone. Not very secure since (as you put it as well) I don't verify the unlock via my smartwatch, and I'm not sure about impersonating Bluetooth 4. Then again, I'm not sure if NFC (RFID) can be impersonated, either. And, if yes, how feasible it is.
That begs the question, what if you lose your backup key too (it's far less frequently used, adding to the possibility) or don't have one because it would decrease security? Here is where the car analogy stops working.
> That begs the question, what if you lose your backup key too (it's far less frequently used, adding to the possibility) or don't have one because it would decrease security? Here is where the car analogy stops working.
What if you lose the backup key to your car? You can break a window to enter, but a modern car won't start easily because of the lock on the steering wheel.
Make sure you don't store both keys at the same place. Make sure one is stored at a secure place, while the other one is securely attached to you. A secure place to store a key is a fireproof safe, or a notary.
If you're afraid you lose both your main key as well as your backup key at the same time before you were able to reinstall another backup key you can ensure you have more than 1 backup key, and/or (re)consider where you store your backup key(s).
Also, it depends on where you are using the YubiKey. If it's an online service you may be able to identify yourself via alternative ways. If it's your FDE, you're hosed. Or you have backups. Either way, the above still applies.
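Two points in this thread are worth seeing in code: the claim above that a static-ID implant like VeriChip can simply be replayed once its signal has been sniffed, whereas a counter-based OTP token cannot, and the earlier point that a lost OTP key is handled by revoking its ID with a backup key. The following is an added example and not code from any commenter or from Yubico; it is a deliberately simplified model (public ID, monotonic counter, HMAC-SHA256 over both, verifier rejects any counter it has already accepted), not Yubico's real OTP format, which uses AES-128 over a structured block with several counters. Identifiers and secrets are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import struct


class StaticTag:
    """Models an implant/RFID tag that answers every reader with one fixed ID."""

    def __init__(self, tag_id: bytes) -> None:
        self.tag_id = tag_id

    def respond(self) -> bytes:
        return self.tag_id


class CounterOtpToken:
    """Simplified counter-based OTP token sharing a secret with the verifier.

    Assumption for this example: responses are public_id || counter || MAC.
    Each press increments the counter; the MAC binds it to the secret so an
    eavesdropper can neither forge a new value nor alter the counter.
    """

    def __init__(self, public_id: bytes, secret: bytes) -> None:
        self.public_id = public_id
        self.secret = secret
        self.counter = 0

    def respond(self) -> bytes:
        self.counter += 1
        body = self.public_id + struct.pack(">Q", self.counter)
        return body + hmac.new(self.secret, body, hashlib.sha256).digest()


class Verifier:
    PUBLIC_ID_LEN = 8
    COUNTER_LEN = 8
    OTP_LEN = PUBLIC_ID_LEN + COUNTER_LEN + hashlib.sha256().digest_size

    def __init__(self) -> None:
        self.static_ids: set[bytes] = set()
        self.otp_secrets: dict[bytes, bytes] = {}
        self.last_counter: dict[bytes, int] = {}
        self.revoked: set[bytes] = set()

    def enroll_static(self, tag_id: bytes) -> None:
        self.static_ids.add(tag_id)

    def check_static(self, response: bytes) -> bool:
        # A recording of the tag is indistinguishable from the tag itself.
        return response in self.static_ids and response not in self.revoked

    def enroll_otp(self, public_id: bytes, secret: bytes) -> None:
        self.otp_secrets[public_id] = secret
        self.last_counter[public_id] = 0

    def revoke(self, identifier: bytes) -> None:
        # What you do from your backup key once the primary key is lost.
        self.revoked.add(identifier)

    def check_otp(self, response: bytes) -> bool:
        if len(response) != self.OTP_LEN:
            return False
        split = self.PUBLIC_ID_LEN + self.COUNTER_LEN
        body, tag = response[:split], response[split:]
        public_id = body[: self.PUBLIC_ID_LEN]
        secret = self.otp_secrets.get(public_id)
        if secret is None or public_id in self.revoked:
            return False
        expected = hmac.new(secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # forged or tampered response
        counter = struct.unpack(">Q", body[self.PUBLIC_ID_LEN:])[0]
        if counter <= self.last_counter[public_id]:
            return False  # already consumed: a replay
        self.last_counter[public_id] = counter
        return True


def demo() -> dict[str, bool]:
    """Runs the sniff/replay, forgery and revocation scenarios; returns outcomes."""
    verifier = Verifier()

    implant = StaticTag(b"\x00\x00\x00\x00\x00\x00\x00\x42")  # constructed ID
    verifier.enroll_static(implant.tag_id)
    sniffed = implant.respond()  # what a hidden reader captured in passing

    key = CounterOtpToken(b"YUBI0001", secrets.token_bytes(16))  # constructed
    verifier.enroll_otp(key.public_id, key.secret)
    otp1 = key.respond()
    first = verifier.check_otp(otp1)
    replay = verifier.check_otp(otp1)  # attacker resends the sniffed OTP
    tampered = bytearray(otp1)
    tampered[15] ^= 0x02  # bump the counter without knowing the secret
    forged = verifier.check_otp(bytes(tampered))
    fresh = verifier.check_otp(key.respond())
    verifier.revoke(key.public_id)  # key reported lost, revoked via backup key
    after_revoke = verifier.check_otp(key.respond())

    return {
        "static_replay_accepted": verifier.check_static(sniffed),
        "otp_first_use_accepted": first,
        "otp_replay_accepted": replay,
        "otp_forged_counter_accepted": forged,
        "otp_fresh_accepted": fresh,
        "otp_after_revoke_accepted": after_revoke,
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The static tag's replay is accepted because the verifier has nothing but the identifier to go on; the OTP replay is refused by the counter check, the tampered counter by the MAC, and the revoked key by the revocation list even though its MAC and counter are valid. Real OTP schemes add a timestamp and session counter, but the replay and revocation logic is the same.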
> We desperately need _BETTER_ 2FA.
Why? How?
[1] http://www.wnd.com/2004/04/24179/