by tzs 2425 days ago
I think that you are intended to use AWS as described in this comment [1]. Even if you are a one-person operation, you can create those separate IAM accounts for admin and normal use. Once you have this hierarchy of accounts in place, it is fairly straightforward to deal with a lost hardware key.

[1] https://news.ycombinator.com/item?id=21411013

1 comment

In my organization there are certain operations that we require you to have authenticated with 2FA in order to perform them. For the CLI or Terraform this means using something like awsmfa. There's no way of doing that with a FIDO key.

It would be nice to be able to use a FIDO dongle for the web console and TOTP for CLI tools, but the (bad) AWS restriction forcing you to only use one or the other means I'm stuck on TOTP for everything.