Backups. Either in backing up the data, or in enabling several tokens for the same service.
The problem is that the first one is frowned upon for good reasons (but maybe not as good as they seem), while nobody supports the second one. So, yes, currently depending on hardware keys is dangerous.
The same as real keys: you make a copy. If you don’t, you have to call someone to get it fixed, which is an expensive hassle. It’s an intuitive model that everyone already groks. No fragile user re-education necessary.
And when the fingerprint database is stolen and shared with multiple adversarial parties? They now have your password and it's gonna be hard to update / change yours.
This happened with the OPM hack and a big one in India or Indonesia or something not too long ago I think.