There are major benefits to using a physical security key rather than relying on a smartphone for 2FA. As users move between different platforms and computing devices, having what we call a “portable root of trust” is essential. For example, an external security key that is not tied to a multi-purpose computing device reduces the attack surface, moves easily between devices or can be used to log into accounts on a new device, works in mobile-restricted environments like call centers or hospitals, and offers a trusted, high level of security assurance for sensitive operations like transferring large sums of money on a banking app.
For enterprises, a second advantage is that a YubiKey provides a common authentication solution that works identically and has the same security properties for all employees. If employees use their own phones, there are a variety of vendors, operating systems and operating system versions that may or may not be patched with all security fixes. Last year, we saw more than 100 vulnerabilities for both iOS and Android. It is very hard to achieve a high degree of security in such an environment.
This is the future Yubico envisioned when we helped to create the new FIDO2 and WebAuthn open standards. We intended for there to be a growing list of strong authentication choices for users, and for some of these authentication options to be built directly into devices. Improved choice and accessibility are important to drive widespread support for FIDO2 and WebAuthn. However, security keys will always serve an important role in this growing authentication landscape.