YubiKey vs TOTP app

a quick and dirty comparison of a YubiKey (or other FIDO2 token) versus Google Authenticator (or other TOTP app) as a second factor

YubiKey (or other FIDO2 token) vs. Google Authenticator (or other TOTP app)

Phishing protection:
win for the TOKEN
WebAuthn uses a challenge-response handshake in which the site origin, as reported by the browser rather than by the page, is one of the signed inputs. That alone means it simply won't work on a phishing site.
A TOTP code typed into a phishing page, on the other hand, gives the dark side, for as long as they can keep the stolen session alive, a ton of opportunities to do something like disable 2FA and/or enrol a new device with just the username and password.
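To make the difference concrete, here is a small model of both flows, added for this comparison and not taken from any FIDO or TOTP implementation. The TOTP part is RFC 6238 as-is (standard library only). The WebAuthn part is deliberately simplified: the authenticator's ECDSA signature is replaced by an HMAC over the same byte layout (authenticatorData followed by the SHA-256 of clientDataJSON), and the hostnames, challenge and shared secret are all constructed values. The point it demonstrates is the one above: the browser writes the real origin into the client data and derives the RP ID from it, so a relayed login from a lookalike domain never produces an assertion the genuine site will accept, while a relayed TOTP code verifies fine.

```python
"""Model of a phishing relay against TOTP versus an origin-bound WebAuthn assertion.

Standard library only.  The authenticator's ECDSA signature is replaced by an
HMAC over the same bytes (assumption for an offline demo, not real FIDO2 crypto).
"""
import base64
import hashlib
import hmac
import json
import os
import struct
from urllib.parse import urlparse


# ---------- TOTP (RFC 6238: HMAC-SHA1, 30 s step, 6 digits) ----------
def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", at_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp_verify(secret: bytes, code: str, at_time: int) -> bool:
    # The code carries no information about which site the user typed it into.
    return hmac.compare_digest(totp(secret, at_time), code)


# ---------- WebAuthn-style assertion ----------
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class Authenticator:
    """Credentials are scoped to an RP ID; an unknown RP ID yields no assertion at all."""

    def __init__(self):
        self._keys = {}  # rp_id -> credential key (stand-in for the per-site private key)

    def make_credential(self, rp_id: str) -> bytes:
        key = os.urandom(32)
        self._keys[rp_id] = key
        return key  # a real RP would store the public key; here it stores the HMAC key

    def get_assertion(self, rp_id: str, client_data: bytes):
        key = self._keys.get(rp_id)
        if key is None:
            return None
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash + UP flag
        signed = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(key, signed, hashlib.sha256).digest()


def browser_get(auth: Authenticator, origin: str, challenge: bytes):
    """The browser, not the page, fills in the origin and derives the RP ID from it."""
    rp_id = urlparse(origin).hostname
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin},
        sort_keys=True,
    ).encode()
    result = auth.get_assertion(rp_id, client_data)
    if result is None:
        return None
    auth_data, sig = result
    return client_data, auth_data, sig


def rp_verify(rp_id: str, expected_origin: str, challenge: bytes, key: bytes, assertion) -> bool:
    """Relying-party checks: type, origin, challenge, rpIdHash, then the signature."""
    if assertion is None:
        return False
    client_data, auth_data, sig = assertion
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("origin") != expected_origin:
        return False
    if cd.get("challenge") != b64url(challenge):
        return False
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def phishing_relay_outcomes(now: int = 1_700_000_000) -> dict:
    """A phisher at the lookalike relays whatever the victim provides to the real site."""
    real, lookalike = "https://example.com", "https://examp1e.com"  # constructed hostnames

    # TOTP: the victim types a fresh code into the lookalike; the phisher replays it at the real site.
    totp_secret = b"constructed-shared-secret"
    code_typed_on_lookalike = totp(totp_secret, now)
    totp_accepted = totp_verify(totp_secret, code_typed_on_lookalike, now)

    # WebAuthn: the phisher forwards the real site's challenge, but the victim's browser
    # answers for the lookalike origin, so the authenticator finds no matching credential.
    auth = Authenticator()
    key = auth.make_credential("example.com")
    challenge = os.urandom(32)
    relayed = browser_get(auth, lookalike, challenge)
    webauthn_accepted = rp_verify("example.com", real, challenge, key, relayed)

    # Control: the identical flow at the genuine origin succeeds.
    genuine = browser_get(auth, real, challenge)
    genuine_accepted = rp_verify("example.com", real, challenge, key, genuine)
    return {"totp": totp_accepted, "webauthn_relay": webauthn_accepted, "webauthn_genuine": genuine_accepted}
```

Running `phishing_relay_outcomes()` gives `{'totp': True, 'webauthn_relay': False, 'webauthn_genuine': True}`. Two layers stop the relay in the model: the authenticator never even produces an assertion for the lookalike RP ID, and if an attacker edits the origin or challenge in the client data after the fact, `rp_verify` rejects it because those fields are covered by the signature.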

Long-term security / key exposure:
win for the TOKEN
You can't extract a private key from a YubiKey, but there are plenty of ways to export or back up the secrets of your APP.

Ability to connect it to the user:
win for the TOKEN: if you find a TOKEN on the street there is no chance of tying it to a person, since there is nothing on it (no email, phone number, handle, whatever) that connects it to the user who lost it. The same situation with a phone is most likely a whole different ball game, considering the information it offers the finder.

Ability to authenticate the user:
win for the APP: your phone, the home of the APP, is locked; your TOKEN usually is not.

Revoking a single second factor:
a very, very small win for the TOKEN
Some sites and services, not all, let you revoke a single hardware TOKEN without revoking the others (e.g. the BACKUP TOKEN).
Try that with your APP (and we are not talking about removing a single account within the app).