I am considering using a YubiKey. For example, 1Password recommends it:
However, when reading that, it basically says I need to have an authenticator app and can use a YubiKey “on top” of that:
> **If you lose access to your security key**
> If you lose access to your security key, you can still sign in to your 1Password account:
> When you’re asked for your security key, click Cancel. Then click “Use your authenticator app instead” and enter a six-digit authentication code from your authenticator app.
Or, similarly, for Fastmail:
> **Why do I have to add a recovery phone number to set up two-step verification?**
> (…) Requiring a phone as a backup option balances security (no one else can read your data) and availability (you can read your data). For most users, the risk of losing their two-step verification device is far greater than the risk of someone hacking their SMS.
(to be fair, Fastmail allows you to remove your phone number and just use the YubiKey)
So, if I use these services as recommended, basically I can authenticate to them using the YubiKey, but *also using a code from the authenticator app or SMS*.
So how does that improve my security? Any hacker who steals my credentials can just go to 1Password or Fastmail, use them, then select the authenticator app/SMS option and completely bypass the YubiKey, right?
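The situation the question describes can be written down as a small weakest-link model. This is an added illustration, not part of the question and not code from 1Password or Fastmail; the attacker capability names (`password`, `realtime_phish`, `sim_swap`, `physical_key`) are an assumed vocabulary, and the only property it relies on is that a WebAuthn/FIDO assertion is bound to the site's origin, while a TOTP or SMS code is accepted from whoever presents it inside its validity window.

```python
"""Weakest-link model of a login that accepts several second factors.

Constructed illustration (not 1Password's or Fastmail's code): a login
succeeds if the attacker knows the password and can satisfy ANY ONE of
the enabled second factors, because the login page lets the client
choose which factor to present (e.g. "Use your authenticator app instead").
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set

# Assumed attacker-capability vocabulary:
#   "password"        knows the password (leak, keylogger, phishing page)
#   "realtime_phish"  runs a proxy phishing page that relays codes live
#   "sim_swap"        controls the victim's phone number
#   "physical_key"    physically holds the victim's security key


@dataclass(frozen=True)
class Factor:
    name: str
    # Each inner set is one combination of capabilities that defeats this factor.
    defeated_by: FrozenSet[FrozenSet[str]]


# A FIDO/WebAuthn assertion is signed over the relying party's origin, so a
# phishing proxy on a different origin cannot relay it; only the key works.
SECURITY_KEY = Factor("security_key", frozenset({frozenset({"physical_key"})}))

# A TOTP code is valid for anyone who presents it within its time window,
# so a real-time relay phishing page can replay it to the real site.
TOTP = Factor("totp", frozenset({frozenset({"realtime_phish"})}))

# An SMS code can be relayed live, or read directly after a SIM swap.
SMS = Factor("sms", frozenset({frozenset({"realtime_phish"}),
                               frozenset({"sim_swap"})}))


def can_log_in(attacker: Set[str], enabled: List[Factor]) -> Optional[str]:
    """Return the name of the second factor the attacker would pick, or None.

    The attacker never has to touch the strongest factor: the first enabled
    factor whose requirements they meet is enough.
    """
    if "password" not in attacker:
        return None
    for factor in enabled:
        if any(req <= attacker for req in factor.defeated_by):
            return factor.name
    return None


def usable_fallbacks(attacker: Set[str], enabled: List[Factor]) -> List[str]:
    """All enabled factors this attacker could satisfy (the real attack surface)."""
    return [f.name for f in enabled
            if any(req <= attacker for req in f.defeated_by)]


if __name__ == "__main__":
    # Recommended setup from the question: key plus authenticator plus SMS.
    as_recommended = [SECURITY_KEY, TOTP, SMS]
    # Fastmail after removing the phone number: key only.
    key_only = [SECURITY_KEY]

    sim_swapper = {"password", "sim_swap"}
    phisher = {"password", "realtime_phish"}

    print("SIM swapper vs recommended:", can_log_in(sim_swapper, as_recommended))
    print("Phisher vs recommended:    ", can_log_in(phisher, as_recommended))
    print("Phisher vs key only:       ", can_log_in(phisher, key_only))
```

Running it shows the point of the question in code: with TOTP or SMS enabled as a fallback, an attacker who has the password and can phish in real time (or swap the SIM) never needs to defeat the security key at all, while with the key as the only second factor the same attackers get `None`.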