[ykevinator]

Virtually every u2f implementation I've ever seen allows otp as a backup, reducing the security of one to the other. U2f is so much nicer than otp but hardware keys have devolved to being convenient not more secure than otp.

[tialaramex]

Just because you're allowed to do OTP backup doesn't require you to switch it on. If you have two FIDO keys that's fine.

What isn't fine is one FIDO key and no other backup. The good ones aren't fragile, but you can still easily lose them.

If there's a site you use on the phone too, newer Android devices which know how to keep a secret (e.g. a Pixel) can do WebAuthn for themselves and be that second option for you.

[pricechild]

I think the point was that most u2f implementations around don't just allow OTP as backups... they require you to set up OTP first before u2f can be enabled.

It does make a bit of sense. Users can't be trusted not to lose their single token. But rarely is the option to enrol a second u2f key as backup permitted.

[tialaramex]

The only place I've used WebAuthn/ U2F that did not allow me to enrol multiple keys was AWS. I have two (or more) keys enrolled at Facebook, Google, GitHub, and for my government services.

WebAuthn (which is the one that's actually a documented standard) not only goes out of its way to make multiple tokens practical it explicitly calls out the intent that you should allow users to enrol multiple tokens.

[fullstop]

Google won't let you enroll with just one key. You need at least two.

Also, if you happen to have a Ledger for crypto crap, those support U2F as well. It's less convenient because you need to connect it to a PC, enter the PIN, and then open the U2F applet.

[teambayleaf]

The major advantage of u2f is phishing resistance.

If you always use u2f for auth, you can be sure that you are not fooled by fake login pages. It ain't just matter whether secondary otp is available. (it's just a backup for when you lost a hardware token!)