So the threat model is someone physically stealing your phone and guessing/seeing your password. The #1 proposed solution is a YubiKey. Can't they steal that too?

YK's FIDO2 action can be passphrase protected. Mine has passphrases for FIDO2 and gpg. So stealing it won't help anyone.

But the whole premise is that the attacker is able to guess/see your password.