[tjoff]

Yeah, scenario that I still need to solve is:

Go on vacation, loose your phone and security key (along with any written passwords) - by robbery, theft, customs or accident.

You'd still need to be able to access your email etc. or else your experience is going to be a hundred times worse.

What you really want is optional 2FA. You have a regular (unique) password but you never use it unless there is an emergency.

Now you just must make sure to remember that password that you never use, even when in distress... Not that straightforward either.

Also upon use any "smart" site would flag it for unusual activity and lock you out until you can verify it.

I guess I'm stuck with passwords.

[minty_phoenix]

Many services offering 2FA, esp. TOTP, will give you a set of backup codes – print/store them separately, safely (using the rule of backups). At the very least, Google does and allows you to view the existing ones and I think regenerate new ones on-demand as long as you can currently securely access your account.

The same can be done with security keys – typically you can add more than one to your account so have at least two and keep one stored safely somewhere.

Sadly, I recently set up an AWS account and, from what I could tell during that period, they support TOTP/hardware keys, but you can seemingly only pick a single 2FA method – so either TOTP or one single hardware key. That’s a service I would have expected better from (or perhaps I am misunderstanding my settings panel where I can’t find a way to add another factor – I am rather new to managing that ecosystem/account).

[tzs]

I think that you are intended to use AWS as described in this comment [1]. Even if you are a one person operation, you can create those separate IAM accounts for admin and normal use. Once you have this hierarchy of accounts in place, it is fairly straightforward to deal with a lost hardware key.

[1] https://news.ycombinator.com/item?id=21411013

[psanford]

In my organization there are certain operations that we require you to have authenticated with 2fa in order to perform them. For the CLI or terraform this means using something like awsmfa. There's no way of doing that with a FIDO key.

It would be nice to be able to use a FIDO dongle for the web console and TOTP for cli tools but the (bad) AWS restriction forcing you to only use one or the other means I'm stuck on TOTP for everything.

[deadbunny]

1. Buy 2 yubikeys (with U2F)

2. Add both for each site you use it for

3. If using gpg keys you masterkey lives on a USB key, use subkeys which get transferred onto both yubikeys

4. Lock one the USB key and 2nd yubikey in a safe* with the password you never use

5. If you lose your day to day keys, unlock safe

*safe can be an actual safe, a "secure enough" place in your house, a bank safety deposit box, etc... You can also have multiple safes, one on site, one offsite.

[tjoff]

Doesn't cover the scenario I outlined.

Step 1 then becomes "buy airline ticket to get home so I can get at the safe".

Sure, of course doable, but a million times more cumbersome.

What if passport was also stolen? Maybe in such a time it would be convenient to be able to contact anyone? Even if not to solve the situation but more of a heads-up.

[casefields]

For me, I have a sibling I trust to store a set of back up codes in their fire safe across the country. Another option would a lawyer, such as one you already have a will with. That would be an expense though.