Update Yubikey < 2018
Make sure your YubiKey 4, smart cards and TPM chips were made AFTER 2018. Infineon-generated RSA keys of 2048 bits and smaller (most of them) were flawed in a way that made it ridiculously easy to derive the private key from only the public key.
For details, search for "2017 ROCA vulnerability".
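
Rather than relying on the manufacturing date alone, you can test a public key directly. The following is an added example, not part of the original note or of any vendor tool: it checks an RSA modulus for the publicly documented ROCA structure, where affected primes have the form k*M + (65537^a mod M) and M is a product of small primes. All function names and both sample moduli are constructed for illustration.

```python
# Added example: ROCA fingerprint test on an RSA public modulus (detection only).
GENERATOR = 65537  # affected primes have the form k*M + (65537**a mod M)

def odd_primes_up_to(limit):
    """Odd primes <= limit, by a simple sieve."""
    sieve = bytearray([1]) * (limit + 1)
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [p for p in range(3, limit + 1) if sieve[p]]

def generated_subgroup(g, r):
    """All residues g**a mod r for a prime r."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * g % r
    return seen

# 167 is the 39th prime; the smallest M in the published research is the
# product of the first 39 primes, so these primes divide M for every key size.
TEST_PRIMES = odd_primes_up_to(167)
ALLOWED = {r: generated_subgroup(GENERATOR % r, r) for r in TEST_PRIMES}

def has_roca_fingerprint(n):
    """True if n mod r lies in <65537> mod r for every test prime r."""
    return all(n % r in ALLOWED[r] for r in TEST_PRIMES)

def fingerprint_from_hex(modulus_hex):
    """Accepts the hex modulus, with or without a 'Modulus=' prefix."""
    return has_roca_fingerprint(int(modulus_hex.split("=")[-1].strip(), 16))

def constructed_structured_modulus():
    """Constructed sample: product of two integers with the flawed residue
    structure (not a real key; the factors need not be prime for the test)."""
    m = 2
    for r in TEST_PRIMES:
        m *= r
    f1 = 12345 * m + pow(GENERATOR, 1000, m)
    f2 = 67890 * m + pow(GENERATOR, 2024, m)
    return f1 * f2

# Constructed unaffected sample: product of two Mersenne primes.
CONSTRUCTED_CLEAN_MODULUS = (2**127 - 1) * (2**61 - 1)

if __name__ == "__main__":
    print(has_roca_fingerprint(constructed_structured_modulus()))  # True
    print(has_roca_fingerprint(CONSTRUCTED_CLEAN_MODULUS))         # False
```

`fingerprint_from_hex` takes the line printed by `openssl rsa -pubin -in pub.pem -noout -modulus`. A match means the key should be regenerated on unaffected hardware or off-device.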