
I’ve been migrating away from TOTP since it’s so easily phished but my current approach is to use Yubikeys with their app:

https://www.yubico.com/products/yubico-authenticator/

That avoids keeping the seeds somewhere a general attack could get (and requiring a tap complicates attacks) and works across all of my devices. The main drawback is that there isn’t an easy way to install a seed on multiple keys when first enrolling.




If you are using the yubico-authenticator app then you are using TOTP, just with the seeds stored on your yubikey. This is still vulnerable to phishing.

I hope what you meant to say is that you are switching to using WebAuthn with your yubikey on all sites that support it, and then using your yubikey for TOTP on sites that don't support WebAuthn yet. WebAuthn is the thing that gives you actual protection against phishing.
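The distinction drawn in this reply, as an added example that is not part of the thread (plain-stdlib Python; an HMAC stands in for the authenticator's ECDSA signature, and the seed, device key and site names are constructed): a TOTP verifier has no way to tell which site the user typed the code into, while a WebAuthn relying party rejects an assertion whose browser-recorded origin is not its own.

```python
import hashlib
import hmac
import json
import struct

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_verify(seed: bytes, submitted: str, unix_time: int) -> bool:
    # The server only checks that the code matches the seed and the clock; nothing in
    # the code says which site the user typed it into, so a relayed code is accepted.
    return hmac.compare_digest(totp(seed, unix_time), submitted)

def make_assertion(device_key: bytes, rp_id: str, origin: str, challenge: str) -> dict:
    """Browser + authenticator side of a WebAuthn 'get' ceremony (simplified)."""
    # The browser, not the page, writes clientDataJSON, so it records the real origin.
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(device_key, to_sign, hashlib.sha256).digest()  # stand-in for ECDSA
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}

def rp_verify(device_key: bytes, a: dict, rp_id: str, expected_origin: str, challenge: str) -> bool:
    """Relying-party checks: type, challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(a["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != expected_origin:          # the phishing-resistance check
        return False
    if a["auth_data"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    to_sign = a["auth_data"] + hashlib.sha256(a["client_data"]).digest()
    return hmac.compare_digest(hmac.new(device_key, to_sign, hashlib.sha256).digest(), a["sig"])

def relay_demo(now: int = 1_700_000_000) -> tuple:
    """Constructed scenario: a lure page at evil.example forwards whatever it gets to real.example."""
    seed, key = b"constructed-totp-seed", b"constructed-device-key"
    relayed_code = totp(seed, now)                  # code read off the key, typed on the lure page
    totp_ok = totp_verify(seed, relayed_code, now)  # real site accepts it: True
    a = make_assertion(key, "evil.example", "https://evil.example", "nonce-from-real-site")
    webauthn_ok = rp_verify(key, a, "real.example", "https://real.example", "nonce-from-real-site")
    return totp_ok, webauthn_ok                     # (True, False)
```

The browser also refuses to use a credential whose rpId does not match the page's domain, so in practice the lure page never even obtains an assertion for the real site; the origin check above is the relying party's own backstop.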


Yes, that's exactly what I meant: I use the same Yubikeys for authentication, but fail back to TOTP when sites don't support something secure.


I use WebAuthn wherever available, but considering how rare that is, I might start using this.

How well does it work on mobile? TOTP via app, tap the NFC key to the phone?

And what does "no easy way" mean, how involved is that process? I’d prefer to have the keys on all 3 (or 4, not sure if the security key allows TOTP) sticks.


Yes, on mobile you either plug the YubiKey into your device's USB-C (or Lightning) port, or tap the YubiKey to your phone. The TOTP secrets live on the YubiKey and can't be extracted. You can only read out the current code. I believe you can also secure your YubiKey with a password so it must be entered to see the codes.

If you wish to have the same TOTPs on multiple YubiKeys, you are recommended to take a screenshot of the QR code you're given at the beginning (which contains the secret key), and manually add it to all the backup keys you prefer, and then securely erase the screenshot.

further reading: https://support.yubico.com/hc/en-us/articles/360013789259-Us...


It's worth noting that if you install Yubico Authenticator on another device and use the same key, you do have access to the codes, because as you said, they're stored on the key.

I initially thought the codes were stored on my phone and the key was only required for access, but that's not the case.

That's either a benefit or a drawback, depending on your threat model, but it's definitely something people should understand.


What happens if the Yubikey gets damaged?


That’s why (as with essentially all YubiKey use-cases), you have backup(s).


Yes - on my desktops and laptops, I use USB. For my phones, I use the same keys with NFC. Basically you start the app, tap the key next to the phone, and then copy/paste the code. It means that my daily two factor needs are handled by the Yubikey I keep on my badge lanyard for both modern and legacy sites.

"No easy way" basically means that you either have to save the seed and repeat the setup process for your backup key or enroll two separate devices if allowed. It feels like the authenticator app could have a useful addition where it'd automate that for you if you have two keys present.


"Password Store" ('pass' compatible) for Android also supports TOTP tokens and GPG encryption.

With Syncthing, 'gopass' and 'Android Password Store', I have a fully open source, very easy to reason about, fully in my control, password and TOTP storage, accessible on all my devices. All of which can only be accessed with my Yubikey that I keep in my pocket and my GPG PIN.



