
How do Yubikeys improve security if I am typically also forced to enable other, weaker 2FA methods?

Çağlar Arlı - 63 Views


It is typically recommended to enable 2FA wherever possible. Moreover, it is typically recommended to enable not just any 2FA method, but Yubikeys in particular.

Yubikeys are considered to be the strongest available 2FA method. They are nigh-unbreachable, perhaps with the sole exception of when the user's machine is already fully compromised. However, they are considered to be immune to phishing attacks (methods such as e-mail, MsAuthenticator or SMS are not immune to phishing, since if I wrongly believe I am on a legitimate site I will gladly retype the code). In addition, other methods of 2FA also come with a host of their own problems; for example, SMS is vulnerable to SIM jacking (maybe also traffic sniffing? I'm not 100% certain here), and e-mail is itself protected by a password as well as a possible 2FA method such as SMS, so my e-mail account can also be compromised. None of this affects Yubikeys. Professional pentesters often say that whenever they see someone is protected by Yubikeys they simply give up; but if they have no 2FA enabled or are protected by some weaker 2FA method, then pentesters say they are often successful in compromising them one way or another.

However, Yubikeys come with the downside that the key may be lost or damaged, in which case I may be locked out of all accounts that were protected by this key. To remedy this online services typically require that if I add a Yubikey I must have simultaneously enabled another method of 2FA.

Does this requirement not defeat all security improvements Yubikeys are supposed to provide? The whole system can only be as secure as its weakest link. Therefore, if I have both Yubikeys and <some other, weaker 2FA method> enabled, then I, effectively, only get as much protection as <some other, weaker 2FA method> can give me; all additional security provided by Yubikeys is, effectively, lost, is it not?

Is it true that if I have both Yubikeys and some other method of 2FA enabled then Yubikeys give me no additional security and therefore the ubiquitous requirement that Yubikeys must not be the only 2FA method enabled defeats the whole purpose of using Yubikeys?

If not, then where is my error?
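The phishing-resistance argument in the question (a retyped code works wherever it is entered, while a Yubikey's FIDO/U2F response is bound to the site the browser was actually on) can be shown in a small model. The following is an added example, not code from the question or from Yubico: it implements the RFC 6238 TOTP algorithm in the standard library and a deliberately simplified FIDO-style ceremony in which HMAC-SHA256 stands in for the authenticator's public-key signature. The origins, RP IDs, secrets and challenge are constructed for the example, and the real browser's RP ID rule is reduced to "the RP ID must be the page's host or a parent domain of it".

```python
"""Phishing relay against TOTP vs. against a FIDO-style assertion (toy model)."""
import hashlib
import hmac
import json
import struct

# ---- TOTP (RFC 6238 over HOTP/RFC 4226, SHA-1, 30-second step) ----
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def totp_verify(secret: bytes, code: str, unix_time: int) -> bool:
    # Nothing in the code says where the user typed it; any relay within the
    # same time step verifies.
    return hmac.compare_digest(totp(secret, unix_time), code)

# ---- FIDO-style assertion (simplified; HMAC stands in for ECDSA) ----
def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def authenticator_get_assertion(cred_key: bytes, rp_id: str, client_data_json: bytes) -> dict:
    # The key hashes the RP ID into authenticatorData and signs
    # authenticatorData || SHA-256(clientDataJSON).
    authenticator_data = sha256(rp_id.encode())
    signature = hmac.new(cred_key, authenticator_data + sha256(client_data_json),
                         hashlib.sha256).digest()
    return {"authenticatorData": authenticator_data,
            "clientDataJSON": client_data_json, "signature": signature}

def browser_get_assertion(page_origin: str, rp_id: str, challenge: str, cred_key: bytes) -> dict:
    # The browser, not the page, writes the observed origin into clientDataJSON,
    # and it refuses an RP ID that the current page is not allowed to claim.
    host = page_origin.split("://", 1)[1].split("/", 1)[0].split(":")[0]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rp_id {rp_id!r} not valid for origin {page_origin!r}")
    client_data_json = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True).encode()
    return authenticator_get_assertion(cred_key, rp_id, client_data_json)

def rp_verify(cred_key: bytes, rp_id: str, expected_origin: str,
              expected_challenge: str, assertion: dict) -> bool:
    # The relying party checks type, its own challenge, its own origin and its
    # own RP ID hash before it even looks at the signature.
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != expected_origin:
        return False
    if assertion["authenticatorData"] != sha256(rp_id.encode()):
        return False
    expected_sig = hmac.new(cred_key, assertion["authenticatorData"] +
                            sha256(assertion["clientDataJSON"]), hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])

# ---- Constructed scenario values ----
LEGIT_ORIGIN, RP_ID = "https://login.example.com", "example.com"
PHISH_ORIGIN = "https://login.examp1e.com"          # constructed look-alike site
TOTP_SECRET = b"constructed-totp-seed"
CRED_KEY = b"constructed-credential-key"

def totp_relay() -> bool:
    # User reads the code from their phone, types it into the look-alike page,
    # and the page forwards it to the real site within the same 30 s window.
    now = 1_700_000_000
    code_typed_into_phish = totp(TOTP_SECRET, now)
    return totp_verify(TOTP_SECRET, code_typed_into_phish, now)

def fido_relay() -> dict:
    challenge = "constructed-challenge-from-real-site"  # relayed from the real site
    outcome = {}
    # The look-alike page asks for the real RP ID: the browser refuses outright.
    try:
        browser_get_assertion(PHISH_ORIGIN, RP_ID, challenge, CRED_KEY)
        outcome["browser_allowed_real_rp_id"] = True
    except PermissionError:
        outcome["browser_allowed_real_rp_id"] = False
    # It asks for its own RP ID instead: the response carries the wrong origin
    # and RP ID hash, so the real site rejects it. (A real key would not even
    # hold a credential for that RP ID; the toy model reuses one key.)
    relayed = browser_get_assertion(PHISH_ORIGIN, "examp1e.com", challenge, CRED_KEY)
    outcome["rp_accepted_relayed_assertion"] = rp_verify(CRED_KEY, RP_ID, LEGIT_ORIGIN,
                                                         challenge, relayed)
    # Control: the same key used on the real site verifies.
    genuine = browser_get_assertion(LEGIT_ORIGIN, RP_ID, challenge, CRED_KEY)
    outcome["rp_accepted_legit_assertion"] = rp_verify(CRED_KEY, RP_ID, LEGIT_ORIGIN,
                                                       challenge, genuine)
    return outcome

if __name__ == "__main__":
    print("TOTP relayed code accepted:", totp_relay())
    print("FIDO relay outcome:", fido_relay())
```

The model only illustrates the mechanism the question relies on: the TOTP code is accepted no matter which page collected it, whereas the FIDO response fails at the browser (wrong RP ID) or at the relying party (wrong origin and RP ID hash). It says nothing about the separate question of what a weaker fallback method does to the account's overall exposure.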