Old 15 Oct 2018, 12:09 PM   #5
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,093
The use of a PIN number is equivalent to just having two consecutive passwords (two things you "know") which a keylogger would likely make no more secure than a single password. The idea of a Yubikey or SMS or biometric factor is that it tries to require you to show one thing you "know" and one thing you "have".

Those choosing to use a Yubikey as the second factor do need to understand the consequences. I would be much happier with Yubikey and SMS fallback when you cannot use a Yubikey, if you could set a timeout delay before the fallback was used, i.e., if there was a successful login using the Yubikey during, say, the last 24 hours, no fallback was available. If you were aware of the need for non-Yubikey access in advance, you could choose to set this timeout delay very small, say 10 minutes. This would avoid the possibility of being permanently locked out with no way of recovering your account, while preventing most attempts to hack your account by misappropriating your phone or phone number.
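The fallback-lockout policy BritTim describes (SMS fallback is refused while a successful hardware-key login is more recent than a user-configurable delay) can be written down as a small state machine. The following is an added example, not code from the post or from any Yubikey or SMS product; the class and function names (`SecondFactorPolicy`, `fallback_allowed`, `authenticate_second_factor`), the default 24-hour window, and the 10-minute/30-day clamp on the user-chosen delay are assumptions chosen to match the numbers in the post.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass
class SecondFactorPolicy:
    """Per-account second-factor state (hypothetical; assumed layout).

    fallback_delay:      how long after a successful hardware-key login the
                         SMS fallback stays disabled (post's default: 24 h).
    last_hardware_login: time of the most recent successful hardware-key login,
                         or None if the key has never been used on this account.
    """
    fallback_delay: timedelta = timedelta(hours=24)
    last_hardware_login: Optional[datetime] = None
    # Bounds on what the account owner may set; assumed values.
    min_delay: timedelta = timedelta(minutes=10)
    max_delay: timedelta = timedelta(days=30)

    def record_hardware_login(self, at: datetime) -> None:
        """Remember a successful hardware-key login; resets the fallback lockout."""
        self.last_hardware_login = at

    def set_fallback_delay(self, delay: timedelta) -> None:
        """Owner shortens the window in advance when they know the key will be unavailable."""
        if not (self.min_delay <= delay <= self.max_delay):
            raise ValueError(f"delay must be between {self.min_delay} and {self.max_delay}")
        self.fallback_delay = delay

    def fallback_allowed(self, now: datetime) -> Tuple[bool, str]:
        """Decide whether the SMS fallback may be offered right now.

        Returns (allowed, reason). The reason is meant for an audit log, not
        for the login screen, so it does not leak timing details to a caller.
        """
        if self.last_hardware_login is None:
            return True, "no hardware-key login on record"
        if now < self.last_hardware_login:
            # Clock went backwards (skew or tampering); fail closed.
            return False, "current time precedes last hardware-key login"
        elapsed = now - self.last_hardware_login
        if elapsed < self.fallback_delay:
            remaining = self.fallback_delay - elapsed
            return False, f"hardware key used {elapsed} ago; fallback available in {remaining}"
        return True, f"hardware key last used {elapsed} ago, beyond {self.fallback_delay}"


def authenticate_second_factor(policy: SecondFactorPolicy, now: datetime,
                               hardware_key_ok: bool, sms_code_ok: bool) -> str:
    """Second-factor step after the password has already been verified.

    Hardware key wins outright and refreshes the lockout. The SMS code is
    only consulted when the policy currently permits the fallback, so a
    valid code obtained via a hijacked phone number is useless while the
    legitimate owner keeps using their key.
    """
    if hardware_key_ok:
        policy.record_hardware_login(now)
        return "granted:hardware-key"
    allowed, reason = policy.fallback_allowed(now)
    if not allowed:
        return "denied:fallback-locked"
    if sms_code_ok:
        return "granted:sms-fallback"
    return "denied:bad-code"


if __name__ == "__main__":
    # Constructed timeline: key login at noon, attempted SMS fallback an hour later.
    policy = SecondFactorPolicy()
    t0 = datetime(2018, 10, 15, 12, 0, tzinfo=timezone.utc)
    print(authenticate_second_factor(policy, t0, hardware_key_ok=True, sms_code_ok=False))
    print(authenticate_second_factor(policy, t0 + timedelta(hours=1), False, True))
    print(authenticate_second_factor(policy, t0 + timedelta(hours=25), False, True))
```

Running the script prints `granted:hardware-key`, then `denied:fallback-locked` (a correct SMS code one hour after the key was used is still refused), then `granted:sms-fallback` once the 24-hour window has passed. Shortening the delay with `set_fallback_delay(timedelta(minutes=10))` before travelling reproduces the "set it very small in advance" case from the post, while the clamp stops it being set to zero, which would reduce the scheme back to plain SMS.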