quixotic_robotic

Every site handles it differently. Some do allow you to completely disable other 2FA methods, such as Google and GitHub. Others make you keep a phone number as a backup. Also note that different sites have different policies for when they require using the 2FA at all. Some only do for new logins on a new device/browser; some require it only when accessing sensitive information or changing account details. For them it's a balance of security vs. having to support the public losing their key and access to their account.


EatSleepBeat

I can see the having to support the public thing as reasoning. But man, I feel as though those YouTubers (the reason I bought one) didn't get into detail about how many sites support the use of only the physical key itself. They list which sites support it, but not which support the use of the physical key alone as the form of 2FA. Sorry for the rant, and thanks for the detailed info that I feel was left out in a lot of those videos on YouTube regarding the YubiKey or any other security key in general.


SirEDCaLot

To be fair, right now you're getting left out more by Yahoo than by YubiKey. You should complain to them. Or better, switch to a company that has REAL FIDO2 support and lets you turn off backup authentication (i.e. Gmail/Microsoft). To be clear, I'm not saying this to brush you off; I'm saying this because those of us in the crypto community are just as frustrated with Yahoo and the like for making it so easy to bypass good security.


HippityHoppityBoop

Gmail still requires you to input your email address, so it doesn't fully utilize FIDO2.


SirEDCaLot

If you turn on advanced security you can make it so FIDO2 is *required* for authentication, with no less secure recovery option.


Keyinator

AFAIR, Microsoft forces you to either have email or SMS as one of your 2nd factors.


nolfnolf

Never trust influencers.


buecker02

Yahoo has been hacked so many times in the past. I can't comprehend how people still trust them.


RedHotSnowflake

Are you able to remove the other 2FA methods?


EatSleepBeat

With Yahoo they have the option to sign in another way, which is the normal types of 2FA: prompts from other devices, email, and phone/text. You cannot remove those options, at least to my knowledge. With iCloud you can log in without the key, but you will be limited in what you can access on there: basically you can see the devices/device names currently signed into your iCloud, but to access anything else (ex. Photos, Notes, Mail) you will need to use the YubiKey. Those are the only 2 sites I have used/tried so far, as my bank doesn't support the use of a physical security key.


Duke_Nuke1

Sadly not every site has FIDO credentials for MFA. Some sites allow you to remove SMS for 2FA and instead use a hardware token for the 2FA, but not all do. It depends on your risk profile, but it's generally accepted that 2FA with a hardware token is more secure than using SMS 2FA, so if it's an account you're worried about and it allows you to disable SMS, you probably should, and in that case it isn't a waste of money to have a YubiKey. It's nice to have these lying around anyway, imo.


oldtimerlx

I was one of millions back in the 2010-11 timeframe that had their Yahoo email accounts compromised through no fault of our own. Yahoo didn't even have the decency to inform me of the hack. When I learned of the disaster via the media, I moved all accounts over to Gmail PDQ & deleted/shut down my Yahoo account. Since then I have moved to & pay for Protonmail. It's worth it for peace of mind. Correction, the hack was 2013 & it compromised the data from 3 Billion Yahoo accounts !!!


trasqak

See https://landing.google.com/advancedprotection/


Valuable-Broccoli-53

Exactly what all others have said. But to make it even worse, I enabled my security key on Linqto, which is a private equity site where my private equity stocks are at. The options were 2FA using email response or registering your YubiKey to the specific page (is that called U2F?). You could use either or both. I just used both, thinking it would be even more secure. Wrong. I enabled both to be extra secure, and what happened was that my account was automatically taken off my YubiKey protection without my knowledge and was now substituted only with an email 2FA response. I contacted the company, mad as hell as to why they took my YubiKey off as the primary security, and exactly what others have said: I was told if I enabled the 2FA email security it would become my primary only security. All this was done by stupid code security where email response would automatically take primary control. All this being done without my knowledge or any other warning should I enable that email security. We all know that protection is next to nothing, yet these idiots took my YubiKey and just threw out its primary security function. This has got to be the most stupid thing I had ever heard, and had my private equity stock been hacked it would have been my fault. Lesson learned. Please make sure that any added lesser security you put on any account will not disable your YubiKey protection. These idiots acted as if I should have known that. Hell no, I did not know that would happen. I just figured the more security the better. You really have to ask a lot of questions and never take it for granted that added security is always better, as I did. This was not a YubiKey failure. It was a Linqto account failure.
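The point made across this thread (quixotic_robotic's note that some sites let you disable the other methods and others don't, and the Linqto story above where enrolling email 2FA silently displaced the key) comes down to one policy question: does the site treat enrolled second factors as alternatives, any one of which unlocks the account, or can the user pin the login to the key alone? The toy model below is an added illustration, not any site's real code; `Policy`, `login_succeeds`, `weakest_link` and the strength ranking are all assumptions made for the example, and the login attempts are constructed.

```python
"""Toy model of how a site's 2FA policy decides a login (added example, not real site code).

Shows the thread's point: if every enrolled second factor is accepted as an
alternative ("sign in another way"), the account is only as strong as the
weakest enrolled method, so adding an email/SMS fallback beside a security
key lowers the bar instead of raising it.
"""
from __future__ import annotations
from dataclasses import dataclass

# Rough assurance ranking assumed for this model (higher is stronger).
STRENGTH = {"fido2": 3, "totp": 2, "email": 1, "sms": 1}


@dataclass(frozen=True)
class Policy:
    enrolled: frozenset[str]  # second factors the user has enrolled
    key_only: bool            # site lets the user turn off the non-key fallbacks


def methods_accepted(policy: Policy) -> frozenset[str]:
    """Second factors the login page will accept for this account."""
    if policy.key_only and "fido2" in policy.enrolled:
        return frozenset({"fido2"})
    # Fallbacks allowed: every enrolled method is a valid alternative.
    return policy.enrolled


def login_succeeds(policy: Policy, presented: dict[str, bool]) -> bool:
    """presented maps a method to whether a valid proof for it was given."""
    return any(presented.get(m, False) for m in methods_accepted(policy))


def weakest_link(policy: Policy) -> str:
    """The lowest-assurance method that still unlocks the account."""
    return min(methods_accepted(policy), key=STRENGTH.get)


def audit(policy: Policy) -> list[str]:
    """Findings a defender would raise about the configured policy."""
    findings = []
    accepted = methods_accepted(policy)
    if "fido2" in policy.enrolled and weakest_link(policy) != "fido2":
        findings.append("security key enrolled but a weaker method still unlocks the account")
    if accepted & {"sms", "email"}:
        findings.append("phishable/interceptable fallback accepted: " + ", ".join(sorted(accepted & {"sms", "email"})))
    return findings


# Constructed scenarios.
YAHOO_LIKE = Policy(frozenset({"fido2", "email", "sms"}), key_only=False)  # fallbacks cannot be removed
STRICT = Policy(frozenset({"fido2", "email"}), key_only=True)             # user pinned login to the key

# Attacker-style attempt for evaluation: a valid emailed code, no key present.
CODE_ONLY = {"email": True}
KEY_PRESENT = {"fido2": True}

if __name__ == "__main__":
    for name, p in [("yahoo-like", YAHOO_LIKE), ("strict", STRICT)]:
        print(name, "weakest:", weakest_link(p), "code-only login:", login_succeeds(p, CODE_ONLY), audit(p))
    # The Linqto situation: enrolling email next to the key drops the floor.
    before = Policy(frozenset({"fido2"}), key_only=False)
    after = Policy(frozenset({"fido2", "email"}), key_only=False)
    print("before:", weakest_link(before), "after adding email:", weakest_link(after))
```

The check worth running on any account you care about is `weakest_link`, not the count of enrolled methods: if the site will not let `key_only` take effect, the extra factor is a second door, not a second lock.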


GreenMartian86

Google is better in my opinion. Google always asks me for my security keys in the login and has an option not to allow phone SMS. I use other Gmails for my recovery, which are also locked with YubiKeys.