> An attacker not only needs your username and password
Usernames and passwords are leaked all the time. Many users even re-use these across multiple services.
> they also need physical access to your key.
With enough practice, a motivated actor could make it seamless enough that you don’t notice. Or stalk the target to find a weak point in their schedule and give the attacker enough time to perform EUCLEAK. We are creatures of habit, after all.
> And if your token is lost or stolen, you have to manually revoke every single one.
I agree here. No way to easily track. I have to make a manual note for each service in my password manager.