I bought a Yubikey now what: Use second slot for a static password 

CodeWrecks

Did you know that the Yubikey has a second slot that can be programmed with some interesting functions? In this video I'll explain how to configure the second slot with a static password.
Contents of this video:
00:00 - Introduction
01:25 - Configure the second slot
02:54 - Static password in action
03:41 - Consideration about using second slot for Static Password
05:26 - Scenario where I'm using static password
06:25 - Summary
07:40 - Greetings by a little furry friend

Published: 29 Jul 2024

Comments: 21
@TaniaTebaldi 9 months ago
Thank you so much for sharing your knowledge, I'm learning so much!
@itssoaztek4592 9 months ago
Thank you. Very useful info! Super cute cat!
@codewrecks 9 months ago
Thanks, in two months we rescued 7 kittens this year 😀, all now have a new house
@ChibiKeruchan 6 months ago
The long touch would be useful for typing a credit card number or setting up a uniform, very long password for securing documents or Zip files.
@codewrecks 6 months ago
A credit card number is a nice usage; after all, you also need to know the expiry date and CVV. The only drawback is that if you have only 2 keys, the second slot is better used with OATH and KeePassXC in my life. I use a static password on the third and fourth keys.
@KaczorFitzhenry 8 months ago
Love your Yubikey videos! Am I right in thinking that this does NOT protect from keyloggers, because this is a keyboard emulator?
@codewrecks 8 months ago
Correct, this is actually not the perfect use for a second slot. Actually I'm not using it anymore, but it is an option that I need to mention. Also there is the risk that you type the key in some chat (it happened ... more than you can think of) :(
@Paul_0001 3 months ago
Hi, this has been a good feature to use on the PC, thanks. Would you please know if it's also possible to use OTP Long Touch (Slot 2) with an iPhone? I've tried to set it up but with no joy. Thanks, Paul
@codewrecks 3 months ago
I do not have an iPhone so I can't be sure, sorry
@slay1_1 3 months ago
Hello, I liked your Yubikey video very much and I applied it, but I have a question on my mind. I put a password on the PIV and FIDO side as you did, but when I use services such as Binance on the phone, it does not ask for a password. Can I put a password on this? Because I feel so insecure this way.
@codewrecks 3 months ago
If the service does not ask for a password, it means that it is using the key as a second factor of authentication. If the service allows you to log in only with the key without requiring the PIN, the service is (in my opinion) using the key in the wrong way. You should have two options: Username+password, then touch the key (used as 2FA), or PIN+Key (FIDO2). But touching the key without requiring keyword PIN is not security. Have you tried from an incognito browser tab? (Maybe you are still logged in and the site is asking only for the key as 2FA.)
@slay1_1 3 months ago
@codewrecks Now, when I check it on the computer, it works properly: first it verifies the PIN and then the Yubikey. But I couldn't verify from the phone (I tried with Google). When I do it from the computer for Binance, it asks for the PIN and then the Yubikey, but only the Yubikey is enough on the phone. Is this their problem, right? Also, I installed Yubico Authenticator instead of Authenticator and put a password there. Even if the wrong password is entered repeatedly, nothing happens. Is this normal? So, after a certain number of incorrect entries, there is no reset etc.?
@codewrecks 3 months ago
@slay1_1 If they do not require the PIN on the phone, it is their problem (but it seems strange to me because it means that they are only using the 2FA part of the key). The password on Yubico Authenticator is used only to protect the 2FA stored inside the key, but there is no protection against incorrect entries. Since it is used only for 2FA, there is no need for this kind of protection. (Yubico Authenticator is the equivalent of Google Authenticator, with the sole difference that the seeds are inside your Yubikey.)
@slay1_1 3 months ago
@codewrecks Now I added the Yubikey to the Tutanota (mail service) phone application and it was added as U2F, but it does not ask for my password. I think it doesn't require a password for the phone. Can you check that? Can you check if any phone app requires a password? I made the settings you made: I put a password on the FIDO side, I put a password on the PIV side, but I did not set a password or any settings on the OTP side. I made a password from the Yubico Authenticator application and the password there works. I think I did something wrong or the Yubikey is not working properly for the phone.
@codewrecks 3 months ago
When the key is used as two-factor auth, it does not require the PIN. What I suppose is that the application stores your credentials and uses the Yubikey only as 2FA. Usually mail apps on your phone do not ask for credentials every time you open the app; they just store them securely inside the phone. When you add your Yubikey you are adding only the second factor, so it is normal that the PIN is not requested. You should try to uninstall the app completely, reinstall it (or install it on a new phone), then verify the login procedure. No application can use a FIDO2 credential inside your Yubikey without entering the PIN.
@slay1_1 3 months ago
Hello, I registered the Yubikey to Binance Protection, but when Binance asks for the Yubikey over the phone, I show it to you, but it opens directly without asking for a password. I want it to ask for both Yubikey and password. Can I do this? I hope it was explanatory, I wrote it with translation.
@codewrecks 3 months ago
I do not use Binance so I do not know how they are using the key. Basically, if the key is used as a FIDO2 SINGLE source of auth, it should ask you for the PIN. The combination of KEY+PIN is enough to log in. What you need is to configure the key only as a second factor of authentication (but since I do not know Binance, I do not know if it is possible and how to do it).