SSH and GPG/PGP private keys are stored encrypted with a passphrase. Using a Yubikey or similar devices, it is easy to have a 2-factors encryption.

The Yubikey can be configured to store a static password: it behaves as a keyboard that types the same password each time it is long-touched, followed by a return key. The idea to have a 2-factor is simple:

• type a password you remember
• then insert the Yubikey and touch it to have it typing its static password

The actual password that is used to decrypt your SSH/GPG keys is thus the concatenation of one (simple) password that you remember and another (much more complicated) that is stored on the Yubikey. Don’t forget to configure a second Yubikey with the same static password in the case you lose the first one. (Or store a copy of the static password in a safe place.)

The same trick may be used everywhere you need a password, but for login, there is usually a better way to enable 2-factors authentication directly. And for web passwords, you’d better use a password manager like Firefox lockwise that can generate a distinct random password for every site.