
So, when my nontechnical friends ask me what they should be using for 2FA, I'm kind of at a loss what to tell them. It's either a false sense of security (e.g., SMS), or too complicated for them (Yubikey).

There's got to be a better system.



WebAuthn, so, a Yubikey would work for that, but also cheaper products (the keywords for a product search are FIDO Security Key) which are similarly capable.

If they have a nice phone (a modern iPhone or Android phone that is able to recognise who you are by fingerprint or facial recognition ought to be enough), that can do WebAuthn too; the actual recognition remains local to your device (so you're not giving some mysterious entity your face or fingerprint).

I'm assuming since they're "nontechnical" that you mean as a user; the user experience for WebAuthn is trivial, one touch. You do this to enroll the Yubikey, and then you do it whenever you need to prove who you are to the same site. It's entirely phishing proof, the credentials can't be stolen, you can keep one on your keyring or just leave it plugged into a personal PC all the time, and it has excellent privacy properties. The biggest problem is too few sites do WebAuthn, but Google and Facebook do, so that's a good start for non-technical people.

Which brings me to the other side: if your non-technical friends are wondering what their organisation should mandate, then again, WebAuthn, but this time I admit it's somewhat complicated. Somebody is going to need to at least research what product suits the user base, and check boxes in the software they use, and at worst they need to do a bunch of software development. It's not crazy hard, but it's a bit trickier than yet another stupid password rule requirement. However, unlike requiring passwords to contain at least two state birds and the name of an African country, requiring WebAuthn will actually make you safer.
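The "entirely phishing proof" claim above comes down to one mechanical fact: the browser writes the page's origin into the client data, and the security key's signature covers that client data, so the relying party can reject any assertion that was not produced on its own origin. The following Go program is an added illustration of that relying-party check, not code from any commenter or from a WebAuthn library; it is a deliberately simplified model (a P-256 key standing in for the security key, a constructed challenge, a minimal authenticatorData of rpIdHash, flags and counter, and no attestation or CBOR) with all names and values constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// CollectedClientData is the JSON the browser builds for an assertion.
// The browser fills in Origin itself; page script cannot choose it.
type CollectedClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the relying party receives back from the browser.
type Assertion struct {
	AuthenticatorData []byte
	ClientDataJSON    []byte
	Signature         []byte
}

// Authenticator stands in for a FIDO key holding one credential's P-256
// private key (ES256). Simplified model for this example, not a CTAP device.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// authenticatorData = SHA-256(rpID) || flags (user present) || 4-byte counter.
func authenticatorData(rpID string, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	data := append(append([]byte{}, h[:]...), 0x01)
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	return append(data, c[:]...)
}

// signedDigest is what ES256 actually signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdh := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return d[:]
}

// Sign models the key's response to navigator.credentials.get(). The origin
// the browser saw ends up inside the signed client data.
func (a *Authenticator) Sign(rpID, origin, challenge string, counter uint32) (Assertion, error) {
	cdj, err := json.Marshal(CollectedClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	ad := authenticatorData(rpID, counter)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(ad, cdj))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthenticatorData: ad, ClientDataJSON: cdj, Signature: sig}, nil
}

// Verify is the relying-party side: challenge, origin and rpIdHash are checked
// before the signature, in the order the WebAuthn spec lists them.
func Verify(pub *ecdsa.PublicKey, rpID, expectedOrigin, expectedChallenge string, as Assertion) error {
	var cd CollectedClientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected clientData type")
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not %q: assertion was produced on another site", cd.Origin, expectedOrigin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(as.AuthenticatorData) < 37 || !bytes.Equal(as.AuthenticatorData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(as.AuthenticatorData, as.ClientDataJSON), as.Signature) {
		return errors.New("invalid signature")
	}
	return nil
}

func main() {
	key, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	const rpID, origin, challenge = "example.com", "https://example.com", "challenge-constructed-for-demo"
	good, _ := key.Sign(rpID, origin, challenge, 1)
	fmt.Println("login on the real site:", Verify(key.PublicKey(), rpID, origin, challenge, good))
	// Same key, same challenge, but the browser was on a look-alike site (constructed name).
	other, _ := key.Sign(rpID, "https://example-login.test", challenge, 2)
	fmt.Println("assertion made elsewhere:", Verify(key.PublicKey(), rpID, origin, challenge, other))
}
```

The design point: the user never types or copies anything, so there is no secret that could be relayed; the only artifact a look-alike site can obtain is an assertion whose signed client data names the look-alike's own origin, which the real site refuses. A real browser would additionally refuse to use `example.com` as the RP ID from an unrelated origin before any signature is made.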


What are the problem parts with Yubikey? I've got a Feitian ePass and it feels like the most natural way of doing auth: here's a key, it goes on my keyring next to my locker key or my car key if I had one, and I use it to log in like putting a key in a lock.


Authenticator Apps?


The annoying part is most of them are very hard to move over to a new phone or back up.


Do any of them work on desktops? I keep around a spare iPad to run my authentication apps, but I'd rather have it installed on my computer instead.


Authy does, but has some issues showing the same site names as on PC, so not perfect.


1Password has built-in TOTP support, though it's a little overkill if you only use it for that purpose.


On Windows there's WinAuth: https://github.com/winauth/winauth

It doesn't seem to be updated anymore, but it works well.


Then use other ones :)

I currently use Aegis and Bitwarden. andOTP also allows you to export tokens.


Google Authenticator now has an export and import feature where it bundles all your accounts into a QR code to scan on your new phone.

Might not be ideal for backup, however.


TOTP is only better than SMS against SIM swapping, a rare threat. They are identical against phishing, an enormously more common problem. For a typical user the delta in security when transitioning from SMS to TOTP is minimal.


... or trivial number porting attacks like the one described in this exact article.

Depends on your threat model, but unlike SIM swapping this may not be out of the reach of even a mildly technical angry ex.


And a mildly technical angry ex is a lot less likely than phishing. These are valuable topics but people go way way way too far and say that SMS is horrible and should be basically banned while TOTP is fabulous and a completely viable alternative, which is just fantasy.


My protection against phishing is my password manager. If the site is fake, it won't find the password for it.


The difficulty there is evaluating which ones are reliable, secure, and easy to use. I'd welcome recommendations.


I personally use andOTP [0], which I'm a fan of. I've been thinking of switching to Aegis [1] for nothing more than a UI change.

[0] https://github.com/andOTP/andOTP

[1] https://github.com/beemdevelopment/Aegis


I never had any issues with andOTP. It worked even when some websites specifically asked for a different app.


The integrated TOTP in 1Password is pretty good, it can grab the QR code off the screen and everything.

https://support.1password.com/one-time-passwords/


Just be careful with these solutions. I use the one in Bitwarden for a few things, and while great for convenience, there's a significant security tradeoff when you go ahead and load all your TOTP tokens into memory on the same machine you keep the passwords on. Turns your two-factor authentication into single factor pretty fast against even a decent piece of malware, let alone a dedicated attacker.
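Two comments in this thread rest on the same property of TOTP: the earlier point that TOTP and SMS are "identical against phishing", and the warning just above about keeping TOTP seeds next to the passwords. Both follow from RFC 6238 itself: the six-digit code is a pure function of the base32 seed and the clock, and the server's check knows nothing about where the code was typed or where the seed lives. The Go program below is an added illustration of that algorithm and its server-side verification, not code from any commenter or from any of the apps named here; the seed is the RFC 6238 reference secret, and the time values are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

const totpStep = 30 // seconds per time step, the RFC 6238 default

// decodeSecret turns the base32 seed from an otpauth:// QR code into key
// bytes. This string is the whole credential: anyone holding it can mint codes.
func decodeSecret(secretB32 string) ([]byte, error) {
	s := strings.ToUpper(strings.ReplaceAll(secretB32, " ", ""))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(strings.TrimRight(s, "="))
}

// HOTP is RFC 4226: HMAC-SHA1(secret, counter), dynamic truncation, mod 10^digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	mac.Write(c[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := uint32(sum[off]&0x7f)<<24 | uint32(sum[off+1])<<16 | uint32(sum[off+2])<<8 | uint32(sum[off+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is RFC 6238: HOTP with counter = floor(unixTime / 30).
func TOTP(secretB32 string, at time.Time, digits int) (string, error) {
	key, err := decodeSecret(secretB32)
	if err != nil {
		return "", err
	}
	return HOTP(key, uint64(at.Unix()/totpStep), digits), nil
}

// VerifyTOTP is the server side: accept the code for the current step and
// `skew` steps either side. Nothing here binds the code to an origin or device,
// which is why a code typed into the wrong site is just as valid as one typed
// into the right one.
func VerifyTOTP(secretB32, submitted string, at time.Time, digits, skew int) (bool, error) {
	key, err := decodeSecret(secretB32)
	if err != nil {
		return false, err
	}
	now := at.Unix() / totpStep
	for d := -int64(skew); d <= int64(skew); d++ {
		expected := HOTP(key, uint64(now+d), digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed for the demo: the RFC 6238 reference secret "12345678901234567890" in base32.
	const secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
	code, _ := TOTP(secret, time.Unix(59, 0), 6)
	fmt.Println("code at t=59:", code) // RFC 6238 test vector: 287082
	ok, _ := VerifyTOTP(secret, code, time.Unix(75, 0), 6, 1)
	fmt.Println("same code accepted 16 s later:", ok)
	ok, _ = VerifyTOTP(secret, code, time.Unix(200, 0), 6, 1)
	fmt.Println("same code accepted 141 s later:", ok)
}
```

Reading `VerifyTOTP` against the two comments: the only inputs are the seed, the clock and the submitted string, so a password manager that stores the seed beside the password has collapsed both factors into one file, and a code that reaches the server within the skew window is accepted regardless of how it travelled there.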


Microsoft Authenticator is good, and there’s a reasonable chance they already use it at work.


Google Authenticator seems fine?


Google Authenticator?


Yubikey is complicated?


For many non-technical users, unfortunately, yes.



