I have a Yubikey 5, I can store a PGP key inside, it has OTP abilities, FIDO, NFC, etc… Which is great for a device like this.
First of all, I understand how a smart card is more secured than an app/sms based OTP for instance, but seeing how the market is doing, I don’t get why it’s still considered more secured.
2FA means adding a second factor, which can be your mobile for SMS OTP, an OTP device (like RSA tokens), a USB key, and so on. Currently, almost all these solutions relies only on the fact that you own this object and nothing else (this is the case for Yubikeys and SMS OTPs), and app based OTPs now include an authentication to be launched, which makes it more secured. But without this authentication layer, a mobile is still less easy to lose than a tiny USB key. And why would a tiny USB key, advertised as being made to stay plugged in your computer forever makes it more secured at all?
I mean, if your laptop is stolen, and your thief happens to have your credentials, well, your smart card doesn’t authenticate you so it adds no security at all then, but so will be the app OTP as a thief could also have your pin code.
Anyway, seeing I find app based OTP more secured than key based today, which are more secured than portable always on tokens like RSA’s, not because of their design but because of how they’re used today. Am I right?