
These are basically tiny hardware security modules. The premise of an HSM is that you have a hardened processor that contains the secrets and performs asymmetric crypto operations on request. Ideally, the device is designed such that the secrets never leave a crypto boundary. The big expensive ones will offer facilities to transfer keys, but only over an authenticated, encrypted connection to another device certified by the manufacturer[1].

Yubico has some FIPS certified devices[2], which means that they've presented a design that shows the device has mechanisms to prevent secrets from being extracted, and they're only using algorithms known by NIST not to leak secrets.

> Also pardon me if I confused two-factor as the Google Authenticator app.

Multi-factor authentication is about managing risk, and discussions about risk are naturally fuzzy and vague.

I'll try a concrete analogy; consider firearms safety.

Some typical rules[3]: 1. keep the weapon pointed down range at all times, 2. keep your finger out of the trigger well, 3. treat the weapon as loaded at all times.

Each rule is a factor, and to accidentally hurt someone you have to violate all the rules at once.

Multiple factors work best if they are orthogonal, that is, when a given action results in only breaching a single factor. That's why factors tend to be phrased as "something you know," "something you are," "something you have".

The authenticator app and a Yubikey are doing the exact same thing: they're establishing the "something you have" factor.

Since the two factors work when an attacker must both obtain the device and get your password, if your phone has both passwords and authenticator apps, the additional factors aren't minimizing that risk.

[1]: The automatic vendor lock-in makes it a great business model...

[2]: https://www.yubico.com/business/product/yubikey-fips

[3]: There are many more, but take a class on it rather than depend on the Internet.
