2-Pack Yubico YubiKeys Series 5/5C NFCs Authenticator Bundle Keys Expired

I typed out a whole security spiel, but I'll keep it brief:

1. Get a password manager (Bitwarden, or 1Password, LastPass, KeyVault). Use a strong master password like "My mother grew up at 123 Main St down by the river in a van." (Something that isn't able to be googled, Wikipedia'd or in a holy text)

2. Apply a second factor of authentication to that password vault. Yubikey is great here because you need the physical key to open the vault, but authenticator apps (Microsoft, Authy, Duo) are OK here if you're frugal.

3. Moving forward, let the password manager generate and remember your passwords. Stop reusing the same two passwords with slight variations (if that 😳) — let it generate un-memorizable ones. As long as you have the master and a key (+ a backup), you'll be golden. On most sites, it can auto fill the password form or be one keyboard shortcut away

4. See if your credit card company has virtual account numbers (a CC# tied to your acct but you can set a separate spending limit. Privacy.com offers this for free, but I haven't used it. ). Add that new CC# to the password manager and only use it when you have to type in a value. Set a daily spending limit somewhere low; That way, if your CC# is ever comprised, you've limited the damage one can do — protecting you from a big headache later. Plus, by using the vault, you don't have to memorize the number or go find your wallet to make slickdeal purchases.

Today I only know two passwords: my personal vault and my work vault. Within them, there might be 500 accounts, but that brainpower I no longer have to waste. It's a whole new world.

You're supposed to own two for that very reason. I keep one on my keys and one in a safe at home as a backup.

The fundamental purpose of these is to make your password alone useless (if not replace your password entirely). The vast majority would be well served using a soft token on their phone, Twilio's Authy, Google or Lastpass or Microsoft's Authenticator will all serve the purpose. Authy being my personal favorite.

As has been stated, you could get/register two of these and keep one locked up. Most sites also provide you a set of single use recovery codes, which you can/should print and lock up as well.

Personally, where I do use a hard token like this, I also have authy registered and switch back and forth. And of course the vast majority of sites still offer sms as a method (not ideal due to attackers potentially taking over your phone account, but the likelihood of this is still relatively low).

Unfortunately Azure MFA still doesn't support fido2 tokens on mobile, hoping that gets resolved soon. It had to do with proper webauthn/ctap support on ios I know, which I believe Apple resolved.