The excellent guide by drduh should be mentioned here: https://github.com/drduh/YubiKey-Guide — I've been using this approach for years to store my OpenPGP keys on Yubikeys and use them for SSH.
I don't generate my keys on devices. That lets me be flexible and keep backups, as well as use the same keys on multiple physical devices. Using a single yubikey is a bad idea, as you're bound to eventually lose it or break it. Hasn't happened to me yet in 5 years, but I expect it to happen.
I wish more sites supported hardware keys instead of only TOTP tokens, or (heaven forbid, but corporate idiocy is plentiful) SMS.
I've been using his guide forever as well, except that nowadays you can just use the native OpenSSH support for deriving Ed25519 or ECDSA keys from FIDO. The main advantage is that you do not have to deal with the very subpar GPG Agent anymore... https://www.maths.tcd.ie/~fionn/misc/fido_ssh/
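As an added illustration of the native OpenSSH FIDO support mentioned in the comment above (example code, not the commenter's or the linked page's): keys created with `ssh-keygen -t ed25519-sk` appear as `sk-ssh-ed25519@openssh.com` in `authorized_keys`, so a server admin can audit that file to confirm every accepted key is hardware-backed. The public-key blobs and comments below are constructed for this example; the parser follows the OpenSSH wire layout (type string, optional curve name, public key, and for `sk-` keys the application string).

```python
import base64
import struct

# Key types this audit recognises; "sk-" types are FIDO (hardware) backed.
KNOWN_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256",
               "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}

def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data

def _read_string(blob: bytes, off: int):
    """Read one SSH wire-format string at offset off; return (value, next_offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + length], off + length

def build_authorized_key(key_type, pubkey, application="ssh:", comment="user@host"):
    """Build a constructed authorized_keys line in the OpenSSH wire layout (test data)."""
    blob = _ssh_string(key_type.encode())
    if "ecdsa" in key_type:              # ECDSA blobs carry the curve name first
        blob += _ssh_string(b"nistp256")
    blob += _ssh_string(pubkey)
    if key_type.startswith("sk-"):       # FIDO keys append the RP id ("ssh:" by default)
        blob += _ssh_string(application.encode())
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

def parse_authorized_key(line: str) -> dict:
    """Parse one authorized_keys line; options with embedded spaces are not handled."""
    fields = line.split()
    if fields and fields[0] not in KNOWN_TYPES:   # leading options field, e.g. no-pty
        fields = fields[1:]
    if len(fields) < 2 or fields[0] not in KNOWN_TYPES:
        raise ValueError("malformed authorized_keys line")
    key_type, blob = fields[0], base64.b64decode(fields[1])
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type in blob does not match text field")
    if "ecdsa" in key_type:
        _curve, off = _read_string(blob, off)
    _pubkey, off = _read_string(blob, off)
    application = None
    if key_type.startswith("sk-"):
        app, off = _read_string(blob, off)
        application = app.decode()
    return {"type": key_type, "hardware_backed": application is not None,
            "application": application, "comment": " ".join(fields[2:])}

def audit_authorized_keys(text: str) -> list:
    """Return the comments of keys that are plain software keys (not FIDO-backed)."""
    return [parse_authorized_key(l)["comment"] for l in text.splitlines()
            if l.strip() and not l.startswith("#")
            and not parse_authorized_key(l)["hardware_backed"]]

# Constructed sample file: two FIDO-backed keys and one software key.
CONSTRUCTED_FILE = "\n".join([
    build_authorized_key("sk-ssh-ed25519@openssh.com", bytes(32), comment="yubikey-a"),
    build_authorized_key("ssh-ed25519", bytes(range(32)), comment="laptop-softkey"),
    "no-pty " + build_authorized_key("sk-ecdsa-sha2-nistp256@openssh.com", bytes(65), comment="yubikey-b"),
])
```

Running `audit_authorized_keys` over the sample returns only `laptop-softkey`, the one entry that would not require a touch on a hardware token.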
And yes, Yubikeys do break - My keychain'd 5Ci is missing a huge chunk of plastic, exposing the PCB, and among the two new C Bio I received last week, one has already fried after just a few days.
I love my Yubikey - it’s way less friction to use than other forms of 2fa, and I get to use it for stuff like storing my PGP keys. I don’t feel like I use it to its full potential (mostly signing commits and ssh) but it’s super satisfying seeing that little “Verified” badge next to my signed commits :)
I do generate them on device, I just have multiple Yubikeys. Of course there's a significant cost there, but OpenPGP cards are a good backup and cheaper.
Yep, that's the same guide I used a few years ago as well!
I use it daily for Github/ssh in general - and the 2 slots are used for part of passwords for a couple of other things.
I have a couple that are used daily, one in a safety deposit box (which is the "master" key), and a stack of new ones on my desk in case anything breaks. (I used that Cloudflare offer to get a hefty discount on them).