I’m trying to get people at my workplace to use yubikeys. I would have thought it’d be easy, since “touch the blinking green circle on your yubikey” is a way less obnoxious form of 2FA than “pull out your phone, wait for a text, type in the number” or “pull out your phone, open up the 2FA app, scroll to the service, type in the number”. I was wrong though; it’s like pulling teeth and I’m not sure why!
I think you’re right, any change has to fight against the “this is how I do it already” inertia.
For me, the problem with YubiKeys is not the normal usage. That works great.
The problems are the "corner" cases: enrolling new keys, removing old keys, handling unintentional destruction of the key. The last one, in particular, is really problematic.
Some of the security mechanisms that a YubiKey provides are an extreme inconvenience. For example, I want to be able to clone my key via some mechanism in case it gets destroyed. I don't want to have to enroll 3 separate keys in every service on the planet just in case I put one in the wash accidentally. That's not possible with a YubiKey--for good reason--but it's a significant annoyance.
We consider "duplicating a physical key" such a common need that we have automated machines to do it at 7 Eleven. The fact that we don't have the same consideration of digital ones is problematic.
Yubikey was even planning to work on a FIDO extension that would allow that for a while, but I don't think it went anywhere.
It's a real shame, as I'd also love "Yubikey twins" of which I can put one in a safe deposit box and have the other one always with me, without needing to periodically synchronize them to all services I'm using them on.