
I'm not going to provide a better response than geocar, but I have two things to say:

1) I really wanted to give out the free advice that people should plug their YubiKeys into their monitors. Get two so you can have one in the monitor and one in the laptop (or laptop bag). Also, you don't need a USB-C key for the monitor.

2) There's the specific question of "what is the surface area of attack?" With a YubiKey, you limit that surface to "people who have physical access to your device".

I didn't make the case that security is binary. I simply pointed out that they are severely compromising their security posture by re-adding remote users as a surface of attack.

If someone compromises their machine and watches what steps they take to access, e.g., a production network, the attacker will trivially see the YubiKey being triggered. They don't need to know what it is or why it's being run. They'll just know that after you ssh you run this script.


