Using a yubikey says, specifically, that if I lose this little device and the bypass codes, that I have presumably stored on encrypted storage in a way that doesn't require the yubikey to access, then I want it to either be impossible or exceedingly difficult to recover access to this account.
Very few people actually want that, and if yubikeys become widespread, there will be a wave of people having tantrums because their yubikey is lost and the account is unrecoverable.
If it isn't extremely difficult to recover an account in the absence of a yubikey and the loss of the bypass codes generated on enrollment, then there's no point to them.
I've run a b2c website. There is a shocking percent of internet users -- I'd estimate 20% -- that cannot reliably tell you their email address (5% that literally can't, and another 15% that can't reliably). Those users having yubikeys would be an utter disaster.
It's absolutely a problem with cost, though a little bit with UX. If YubiKeys cost $5, it would be reasonable to have 3 of them, and you keep one on your keychain, one at home, and one somewhere else. The UX problem is that you would want a way to enroll a YubiKey that you don't physically possess, but that is a solvable problem.
The bigger problem is that a large number of sites don't implement MFA properly, and don't allow you to enroll multiple MFA devices. This really could only be fixed with regulation that clearly defined MFA, so there would be consequences for improperly implementing it.
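To make concrete what "allow you to enroll multiple MFA devices" means on the server side, here is an added example (not code from any commenter or from any real site): a minimal account model that keeps several enrolled authenticators, issues single-use recovery codes at enrollment, stores them hashed, and refuses to revoke the last authenticator when no recovery path is left. The authenticator is abstracted as an opaque credential ID, roughly what a WebAuthn registration leaves the server with; the cryptographic challenge/response itself is assumed to have been verified before `is_enrolled()` is consulted.

```python
"""Account model with several enrolled authenticators plus single-use
recovery codes.

Added illustration for this thread, not the code of any site or
library. Assumptions: the authenticator is identified by an opaque
credential_id (as after a WebAuthn registration), and the signature
check for a login attempt happens elsewhere before is_enrolled() is
consulted.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _hash_code(code: str) -> str:
    # Recovery codes are stored hashed, like passwords: a database leak
    # must not hand an attacker a working bypass.
    return hashlib.sha256(code.encode()).hexdigest()


@dataclass
class Account:
    email: str
    # credential_id -> human label ("keychain", "home drawer", ...)
    authenticators: dict = field(default_factory=dict)
    # hashes of recovery codes that have not been used yet
    recovery_hashes: set = field(default_factory=set)

    def enroll_authenticator(self, credential_id: str, label: str) -> int:
        """Register another authenticator; returns how many are enrolled."""
        self.authenticators[credential_id] = label
        return len(self.authenticators)

    def revoke_authenticator(self, credential_id: str) -> bool:
        """Drop a lost authenticator. Refuses to remove the last one
        while no recovery codes remain, so the user is never left with
        no way back in."""
        if credential_id not in self.authenticators:
            return False
        if len(self.authenticators) == 1 and not self.recovery_hashes:
            return False
        del self.authenticators[credential_id]
        return True

    def is_enrolled(self, credential_id: str) -> bool:
        """True if this authenticator may satisfy the second factor."""
        return credential_id in self.authenticators

    def generate_recovery_codes(self, count: int = 8) -> list:
        """Issue a fresh batch of bypass codes. The plaintext is returned
        exactly once; only hashes are kept. Any older batch is voided."""
        codes = [secrets.token_hex(5) for _ in range(count)]
        self.recovery_hashes = {_hash_code(c) for c in codes}
        return codes

    def redeem_recovery_code(self, code: str) -> bool:
        """Accept a recovery code once; a successful code is consumed."""
        candidate = _hash_code(code)
        matched = None
        for stored in self.recovery_hashes:
            # constant-time comparison of the two hex digests
            if hmac.compare_digest(stored, candidate):
                matched = stored
                break
        if matched is None:
            return False
        self.recovery_hashes.discard(matched)
        return True


if __name__ == "__main__":
    # Constructed walk-through: two keys enrolled, one lost, one code used.
    acct = Account("user@example.com")
    acct.enroll_authenticator("cred-keychain", "keychain")
    acct.enroll_authenticator("cred-home", "home drawer")
    codes = acct.generate_recovery_codes()
    print("keychain key lost, revoked:", acct.revoke_authenticator("cred-keychain"))
    print("home key still works:", acct.is_enrolled("cred-home"))
    print("first code accepted:", acct.redeem_recovery_code(codes[0]))
    print("same code again:", acct.redeem_recovery_code(codes[0]))
```

The two properties that matter for the thread's argument are visible in the model: losing one device costs nothing while another is enrolled, and the bypass codes are the only thing that can stand in for a device, so their loss is what makes the account unrecoverable.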
I promise you there is a significant percentage of people that would fumble enrollment; you handwaved away a giant problem (multiple enrollment, not present); and many people would put them all on the same keychain.
In the politest way possible, I question whether you've interacted with the modal user.
edit: I can try to dig up the article, but here's the précis: 5-ish years ago, google briefly changed their search results ranking. Lots of people were logging into facebook by searching facebook, instead of typing facebook.com, then following the top result. Some other site briefly was the top result when searching for google. That site got a wave of users submitting help requests because they couldn't log in with their facebook credentials, and accusations of subterfuge or wrongdoing because their accounts were deleted. I think it was pinterest, but I may not remember correctly. Either way, it looked nothing like facebook and didn't use blue.
That's what a significant fraction of internet users are like.
There is a shocking percent of internet users -- I'd estimate 20% -- that cannot reliably tell you their email address (5% that literally can't, and another 15% that can't reliably).
My email address is firstname.middlename@<wellknownemailprovider>.com
I get a dozen emails a week from companies and government agencies trying to reach people with the same first + middle name combination from around the world. People seem to think they automatically get an email address with their name provisioned or something and they just sign up for accounts and services using that combo.