by vel0city 2426 days ago
Including printable backup codes, most services supporting FIDO U2F or WebAuthn support tying multiple security keys to your account. Many of these authenticator devices are pretty cheap these days, it's not insane to have a few of them. Have one on your keychain, another in a desk drawer, etc.
2 comments

I was super surprised to learn AWS will only allow you to register a single FIDO token - the inherent lockout risk pushed me back to using OTP with the seed stored in multiple Yubikeys.
This is actually against the WebAuthn spec (https://www.w3.org/TR/webauthn-1/#credential-loss-key-mobili...). Hope they fix it soon.
Yea it's very annoying. I ended up making multiple IAM users--one for each of my security keys.
It's bad that many sites require you to set up TOTP (single seed) before they allow you to set up U2F (multiple keys), so you have the problem of having to take care of the TOTP seed anyway even if you have multiple U2F keys. (It's even worse when sites forget the U2F keys when you regenerate the TOTP seed.)