by taeric 1954 days ago
Having multiple keys without auditing when the backups are used, though, feels wrong. And that is my main gripe with these right now. Very hard to get any system to help build the habit of using the things. Most places default to remember your login. Basically forever.

While not cryptographic level auditing, this is arguably a UX feature for sites to implement -- on their inevitable loading spinner after login, they could show you the U2F tokens enrolled, and their most recent use on a small timeline. If your cold backup suddenly goes from ancient to now, that ought to be looked into!
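A sketch of that post-login check, as an added example and not code from the thread: it keeps each enrolled token with its last use and flags one that resurfaces after a long silence. The 90-day threshold and the sample tokens are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed threshold for "ancient": a token unused this long is dormant.
DORMANT_AFTER = timedelta(days=90)


@dataclass
class Token:
    name: str
    enrolled: datetime
    uses: list = field(default_factory=list)

    def last_seen(self) -> datetime:
        # A token that has never completed a login counts from enrollment.
        return self.uses[-1] if self.uses else self.enrolled


def record_use(token: Token, when: datetime) -> dict:
    """Record a login with `token` and report whether a long-dormant key has
    suddenly been used; that is the signal worth surfacing after login."""
    gap = when - token.last_seen()
    token.uses.append(when)
    return {
        "token": token.name,
        "gap_days": gap.days,
        "dormant_reactivated": gap >= DORMANT_AFTER,
    }


def post_login_summary(tokens: list) -> list:
    """One line per enrolled token, oldest activity first, for the spinner screen."""
    rows = sorted(tokens, key=lambda t: t.last_seen())
    return [
        f"{t.name}: enrolled {t.enrolled:%Y-%m-%d}, last used {t.last_seen():%Y-%m-%d}"
        for t in rows
    ]


def demo() -> dict:
    # Constructed sample data: a key used every day and a cold backup enrolled
    # on the same date but never touched until a year later.
    daily = Token("daily key", datetime(2023, 1, 1))
    backup = Token("cold backup", datetime(2023, 1, 1))
    for day in range(1, 400):
        record_use(daily, datetime(2023, 1, 1) + timedelta(days=day))
    alert = record_use(backup, datetime(2024, 1, 15))  # the event to look into
    return {"alert": alert, "summary": post_login_summary([daily, backup])}
```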

Regarding habits, I find U2F is so easy to use that there's no real issue there. The bigger issue is that (relatively) few services support it. I'd much prefer to use it over TOTP phone-generated codes, but far more sites seem to support phone app-generated codes (while pretending you need their proprietary app to use them, even when it's just plain TOTP) or, even worse, SMS!

Yeah, I just installed the pass support for otp for some site. Can't remember which.

My problem with the habit remains, though. I would love it if my phone insisted I try a key at least once a week. I don't know how to force that. :(