by GoMonad 2558 days ago
How do you manage keeping all the keys "synced" in terms of which services they are registered with?

I keep keys in separate locations for safety, but that makes adding all keys to a new account a big pain.

This hasn't been a big problem yet because there are so few services that support the keys, but I wonder how people would manage it if it became widespread.


This has become a pretty big problem for me. I keep the backup key offsite, and retrieve it every few months to enroll as a backup device with new services. I try to keep a list of services I need to enroll it in, but I've definitely forgotten to do so at times.

Ideally there would be a way to enroll the second device without possessing it, but I'm not sure that's technically possible.

It's a pain; I don't have a good answer.

What I'm going to do personally is only use U2F on my most secure services (email, 1Password itself, GitHub). 1Password with the TOTP stored inside of it should be good enough for the others.

I like this hierarchical approach. Thanks.

For U2F there's nothing to be in sync: each key is added individually, and you don't have to add all of them at once. I.e., if you register the key on your keychain at work, you could later add the backup key in your home vault.

For storing TOTP keys on your YubiKeys, those must be the same, so you probably have to add them at the same time, or take a picture of the QR code before you complete the registration.

> For U2F there's nothing to be in sync: each key is added individually, and you don't have to add all of them at once. I.e., if you register the key on your keychain at work, you could later add the backup key in your home vault.

The challenge is remembering to enroll using your backup device. Also, ideally your two devices would never be in the same room as each other; otherwise you are at risk of something like a fire destroying both.