Now I have had my YubiKey for about a week, and I have put it on my keychain. It really works extremely well! The only small issue is that I tend not to have my keys immediately within reach while at home or travelling, so there is a "go and fetch the keys" step before I can use it to log in.
I just listened to Episode 103 of the Security Now podcast, where Leo Laporte and Steve Gibson talk to the head of security at PayPal. PayPal is doing the right thing right now by issuing RSA security keys to their customers, which gives them two-factor authentication (a password plus the number shown by the security key).
But for some reason, they do not enforce the use of security keys on their customers. Even when you have obtained a security key (which is optional, weirdly enough) and told them you are using it, you can still log in without it by answering some additional security questions. For the sake of convenience! Which basically reduces the added security to nothing, since you can still log in in the traditional fashion.
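To make that last point concrete, here is an added illustration in Python; it is not part of the original post and is not PayPal's actual login logic. It models the two policies as small functions over constructed sample credentials (the account, the key code and the security answers are all made up here) and then enumerates which combinations of credentials each policy accepts. The effective strength of a login is the weakest combination that gets you in, so a policy that accepts "password plus security questions" as a fallback never actually requires possession of the key.

```python
"""Added example: why an optional second factor with a knowledge-based
fallback is no stronger than the fallback. Not the original post's code;
all account data and policy names are constructed for the illustration."""

import hmac
from dataclasses import dataclass, field
from itertools import combinations


@dataclass
class Account:
    # Constructed sample account. Secrets are stored in the clear only to keep
    # the policy logic short; a real system would store password/answer hashes.
    password: str
    key_enrolled: bool          # customer has obtained and registered a key
    current_key_code: str       # the number the security key displays right now
    security_answers: dict = field(default_factory=dict)


def _eq(stored: str, supplied) -> bool:
    """Constant-time string comparison that also rejects a missing value."""
    return supplied is not None and hmac.compare_digest(stored.encode(), str(supplied).encode())


def check_password(acct: Account, password) -> bool:
    return _eq(acct.password, password)


def check_key_code(acct: Account, key_code) -> bool:
    return acct.key_enrolled and _eq(acct.current_key_code, key_code)


def check_answers(acct: Account, answers) -> bool:
    # All security questions must be answered, and all answers must match.
    if not answers or set(answers) != set(acct.security_answers):
        return False
    return all(_eq(acct.security_answers[q], a) for q, a in answers.items())


def login_with_fallback(acct, password=None, key_code=None, answers=None) -> bool:
    """Weak policy (the 'convenience' design): password plus EITHER the
    key code OR the security questions."""
    if not check_password(acct, password):
        return False
    return check_key_code(acct, key_code) or check_answers(acct, answers)


def login_enforced(acct, password=None, key_code=None, answers=None) -> bool:
    """Strict policy: once a key is enrolled, its code is mandatory and the
    security questions are never accepted as a substitute."""
    if not check_password(acct, password):
        return False
    if acct.key_enrolled:
        return check_key_code(acct, key_code)
    return True  # no key enrolled yet: password-only login


FACTORS = ("password", "key_code", "answers")


def minimal_accepting_sets(policy, acct: Account, creds: dict) -> list:
    """Enumerate every subset of the correct credentials and return the
    smallest subsets the policy accepts. An attacker only needs the weakest
    of these, so they define the login's real strength."""
    accepted = []
    for n in range(1, len(FACTORS) + 1):
        for combo in combinations(FACTORS, n):
            kwargs = {f: (creds[f] if f in combo else None) for f in FACTORS}
            if policy(acct, **kwargs):
                accepted.append(frozenset(combo))
    # Keep only sets that have no accepted proper subset.
    return [s for s in accepted if not any(t < s for t in accepted)]


def possession_required(policy, acct: Account, creds: dict) -> bool:
    """True only if EVERY accepted path needs the security key."""
    return all("key_code" in s for s in minimal_accepting_sets(policy, acct, creds))


# Constructed sample data (not real credentials).
ACCOUNT = Account(
    password="correct horse",
    key_enrolled=True,
    current_key_code="482913",
    security_answers={"first pet": "rex", "birth city": "oslo"},
)
CREDS = {
    "password": "correct horse",
    "key_code": "482913",
    "answers": {"first pet": "rex", "birth city": "oslo"},
}

if __name__ == "__main__":
    for name, policy in (("fallback", login_with_fallback), ("enforced", login_enforced)):
        paths = [sorted(s) for s in minimal_accepting_sets(policy, ACCOUNT, CREDS)]
        print(f"{name}: accepted paths={paths} key required={possession_required(policy, ACCOUNT, CREDS)}")
```

Running it shows the fallback policy accepting two minimal paths, one of which is just password plus security answers, so `possession_required` is false; the enforced policy accepts only password plus key code. The useful habit this encodes for any login design is to enumerate the accepted credential combinations rather than reasoning about the strongest one.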