
Out of all of the sites I have in my password manager, only google, yahoo, and one other site uses hardware keys. This is rather depressing.
However, I have notice that many sites allow you to log in using Google or Facebook. I read through this article:
https://www.avg.com/en/signal/is-it-safe-to-log-in-with-facebook-or-google
Basically, the login generates a OAUTH token, which is used by the site to authenticate that it’s you. Now the nice thing is that by doing it this way, I can make the site hardware key 2FA. This is because my google account is hardware 2FA.
My only issue with this is that I end up concentrating all of the website under one google account and there are probably privacy concerns. However, I would expect that google have pretty good security so hacking your account will be harder and you have to get around the hardware key.
Paul