btw yubikey 4s cannot do fido2/webauthn. they can only do u2f. most sites that migrated from u2f to fido2/webauthn did not maintain an upgrade path for users, so i got locked out of several accounts because i used mandatory fido(1)/u2f. now the websites support webauthn/fido2 only and i can't login with my yubikey 4s.

i've now ordered 3x yk5c-nano and 1x yk5c-nfc. time to do the key rotation dance.