
> These devices generate and store a private key on the device secure element itself, so the private key is never materialized on a suspiciously general purpose computing device like your laptop.

What's suspicious about being general-purpose?

> This is significantly better than storing TOTP private keys on other (software) authenticator apps, because again you should not trust general purpose computing devices.

If you can't trust your own PC, a Yubikey doesn't help much.

The PC is what generates the request to the Yubikey and presents the UI where you approve it, so an attacker in control of your PC could, for example, replace the intended request with one that transfers all your Bitcoins to the attacker. Or it could replace the recipient in whatever transaction you're approving. You would need a separate trusted screen on the Yubikey to verify the details of the request if you don't trust the PC.

The PC is also what actually processes the data (or at least mediates access to it if it's processed on the server side), so an attacker in control of the PC can modify any data you view or submit, regardless of what authentication method you use.
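To make the trust-boundary point above concrete, here is an added simulation (not code from the comment or from any real token): a compromised host swaps the recipient before handing the request to the signer. A token with no display signs the tampered request, while a token with its own trusted display lets the user catch the swap. The HMAC, key, addresses and request format are constructed stand-ins, not a real signing protocol.

```python
import hashlib
import hmac
import json

# Constructed demo secret; an HMAC stands in for the secure element's signature.
DEVICE_SECRET = b"demo-secure-element-key"


def device_sign_blind(request: bytes) -> bytes:
    """Token with no display: signs whatever bytes the host hands it."""
    return hmac.new(DEVICE_SECRET, request, hashlib.sha256).digest()


def device_sign_with_display(request: bytes, user_confirms):
    """Token with a trusted display: parses the request, renders the
    security-relevant fields on its own screen, and signs only if the
    user confirms them there rather than on the host's UI."""
    tx = json.loads(request)
    shown = f"send {tx['amount']} to {tx['to']}"
    if not user_confirms(shown):
        return None
    return hmac.new(DEVICE_SECRET, request, hashlib.sha256).digest()


def verify(request: bytes, sig: bytes) -> bool:
    expected = hmac.new(DEVICE_SECRET, request, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def compromised_host(intended: dict) -> bytes:
    """Malware on the PC shows the user the intended transaction in the
    host UI but sends the token a request with the recipient swapped."""
    tampered = dict(intended, to="attacker-address")  # constructed value
    return json.dumps(tampered, sort_keys=True).encode()


def run_scenario(intended: dict) -> dict:
    request = compromised_host(intended)
    # The host UI displays `intended`, so the user approves on the PC.
    blind_sig = device_sign_blind(request)

    def user_checks_device_screen(text: str) -> bool:
        # The user compares the device's screen with what they meant to send.
        return f"to {intended['to']}" in text

    display_sig = device_sign_with_display(request, user_checks_device_screen)
    return {
        "blind_signed_tampered": verify(request, blind_sig),
        "display_signed_tampered": display_sig is not None,
        "tampered_recipient": json.loads(request)["to"],
    }
```

The blind token produces a valid signature over the attacker's transaction; only the device with its own screen gives the user a chance to refuse.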


