This prompted me to re-review Yubikey and U2F authentication.  The key (sorry) advantages of a U2F key, like Yubikey, are that it saves you typing and does not require your phone, it is a bit easier to carry, and it can’t be fooled by bogus websites.  There are a few things to think about.

Losing It

If you use a two-factor app on your phone, like Google Authenticator, and you lose your phone, you have to jump through hoops on each website to set up two-factor authentication again.  This usually involves a lot of e-mails, proving that you at least own your e-mail account.  The same goes for losing a Yubikey, so no real disadvantage or advantage there.  Yubikey suggests that the way to get around this is to purchase two Yubikeys (of course they do) and register both of them with each site.  You would keep the second key as a backup, somewhere safe.  When you lose your primary key (the one you use all of the time), simply log in with the secondary key to each site and remove the original key from your security settings.  I am assuming that you would also then purchase another Yubikey as a backup and add it to all of your sites.  So, really, you still have to jump through hoops to restore your security landscape to its original beauty, but you do it with less typing.

Alternatively, some sites will allow you to set up multiple two-factor authentication methods, so you could set up both a Yubikey and the Google Authenticator app, with the app as your backup.  You would have to lose both your Yubikey and your phone to be locked out.

Browser Support

You must be running Google Chrome version 38 or later, or Opera version 40 or later, to use a U2F key like Yubikey.  Both browsers include support for the U2F protocol.  Mozilla is currently building support for U2F (although there are open source solutions available) and Microsoft is working within the FIDO Alliance to eventually bring support to the Edge browser in Windows 10.  Funnily enough, you can install a U2F add-on to Firefox, but you also have to install an add-on that makes Firefox look like a Chrome browser before the Yubikey works properly with the U2F add-on and Firefox.

Website Forgery

Google Authenticator works with many sites, including Google’s sites, but even Google knew that there was a problem with using the Google Authenticator app – impersonators.  So picture this: you set up the Google Authenticator app to work with Facebook.  Every time you log into Facebook you enter your e-mail address and your password, and then Facebook shows you a screen that prompts you to enter the current code from your Google Authenticator app.  You read the current code from your phone, enter it in the browser screen, and then you are allowed into your Facebook account.  The Google Authenticator app code changes every 30 seconds, so it’s pretty safe, right?  Mostly.

Now let’s say you go to an Internet café, you open a browser tab for Facebook and you see what looks like the Facebook login screen.  The URL says Facebook.com in the browser and the page looks like Facebook, but actually it is some server in the middle acting just like Facebook.  You enter your username and password, the bogus site passes this on to the REAL Facebook, which then asks for your Google Authenticator code, so the bogus site pops up a screen asking for your code.  You enter your code into the bogus site, which immediately passes the code to the real Facebook site, you get logged in, and then the bogus site redirects your browser to the real Facebook page.  It looks like you just logged in, which you did, but meanwhile the bogus site has launched its own Facebook session using your credentials and your Google Authenticator code.  This is called a “time-of-use phishing attack”.  Attackers really can, and do, capture second-factor responses sent to a phishing site and then immediately play them on the real login page.  Once logged in as you, the attacker can then steal your account, or simply use it to do nefarious things in your name.

Google foresaw this and so helped Yubico to develop the Yubikey.  When you register a site, like Facebook, with your Yubikey, a private/public key pair for that site is generated.  The public key is stored on the website and the private key is stored on the Yubikey.  When you go to log into the site, the key pair will only answer the correct site, and the browser enforces this, per the U2F protocol: the browser puts the real origin of the page you are on into the data the Yubikey signs, so a response produced on a look-alike site does not verify on the real one.

There is lots more explanation of this in this nice little post: https://security.stackexchange.com/questions/71316/how-secure-are-the-fido-u2f-tokens