[dimonomid]

Thanks. What do you mean by "possibly" though?

> and possibly the invalidation of the lost key at first login

Do you mean that some service might disregard the counter value (the fact that Google and Github respect it doesn't mean everyone does the same), or something else?

[nickray]

Yes :) Personally, I would just start replacing credentials upon loss in descending order of importance.

[dimonomid]

Yeah sure, I mentioned in the article that the purpose of the backup is to enroll a new token and revoke the old one. It would be a bad idea to keep using backup for a long time anyway.