So in your threat model the attacker is someone who has the resources to target you individually (plausible for high-value targets), the capability and capacity to further develop the physical field attack kit (current cost at ~11k for lab condition hardware), and can haul around essentially a mobile electric oven - approximate size between a fusion splicer and a small 3D printer - to re-shell a decapped YubiKey.

I'm discounting the need to conduct phishing. That comes for free. I'll also give you that the victim may be rather unlikely to spot that their YubiKey has been replaced with a freshly manufactured copy.

For those kinds of capabilities you're still looking at nation state actors or very motivated enterprises.



> essentially a mobile electric oven - approximate size between a fusion splicer and a small 3D printer - to re-shell a decapped YubiKey.

Not at all. Superglue is ample.

> For those kinds of capabilities you're still looking at nation state actors or very motivated enterprises.

And that's comfort?


Not comfort, but threat model.

Nation state actors have the resources to destroy me. Defending fully against them is cost prohibitive. I'll take basic actions to make it more expensive though.

My threat model is much less well-resourced actors who would happily SIM-swap or password-stuff, etc., and there a YubiKey is enough to foil those attacks. I have locks on my doors to prevent random teenagers and miscreants from walking in, not to prevent people motivated enough to pick the locks, break a window, or go through a wall.


> My threat model is much less well-resourced actors who would happily SIM-swap or password-stuff, etc., and there a YubiKey is enough to foil those attacks.

...whereas many users trusting the "industry’s #1 security key" pitch were relying upon a lot more.
