Why exactly are hardware keys considered more secure compared to Authenticator apps?
Assuming a hacker has my username and password for an account, it seems like an Authenticator app holds one extra layer of security over the Yubikey.
If someone finds my yubikey, they’ve got it. But if someone finds my phone, they’d still need to break through my phone’s password/Face ID to utilize the Authenticator app.
What am I missing? Can a 2FA Authenticator app be spoofed or something? Thanks.