by Groxx 1954 days ago
Completely agreed. I don't have a good solution for that either, aside from "try harder". Which puts them in a fairly specific niche of reasonable use, tbh. And any site without the ability to set up multiple emails / keys / etc. is not taking basic steps to allow its users to maintain access to their account, so I think it's fair to rule them out simply as "bad sites" (though they're quite numerous, sadly).

For corporate purposes, they're pretty decent. If one is lost or fails or whatever, they can get you a new one, because the company can quite-strongly verify that you are you - much better than your average website. A bank or something might also be reasonable.

For general personal use... I dunno. You really don't want to be locked out permanently if you lose the key, which tends to mean they degrade to your email security, and they're just convenience tools. Which is more than nothing! Convenience that emails you when it is bypassed is better than no email when bypassed! But it's very far from the security claims that tend to go along with these keys.

Personally I'd like these keys to be a "fast login" convenience, and for email-reset to be delayed by a day or three with an easy "revoke" button. It's exceedingly rare that I truly need backup access immediately, and allowing it all the time is definitely opening the door to bulk theft of accounts.
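The recovery flow sketched in this comment (key as fast login, e-mail reset delayed by a cooling-off window, owner notified and able to revoke) can be modelled directly. The following Python is an added example, not code from the commenter or from any site; the account and request types, the two-day window, the token handling and the sample timestamps are all assumptions made here to show the state machine.

```python
"""Model of a delayed e-mail account recovery with an owner-side revoke.

Design modelled here (an assumption, not a real site's flow):
  * hardware-key login is immediate and never blocked by recovery;
  * an e-mail recovery request does NOT change anything at once: it
    becomes a pending request that matures only after COOLING_OFF;
  * the request e-mail doubles as the notification, so whoever still
    reads that inbox can revoke it with the embedded token;
  * only a matured, unrevoked request may enrol a replacement key.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple
import secrets

COOLING_OFF = timedelta(days=2)  # "a day or three"; assumed value


@dataclass
class RecoveryRequest:
    requested_at: datetime
    token: str              # single-use, sent to the account e-mail
    revoked: bool = False

    def matures_at(self) -> datetime:
        return self.requested_at + COOLING_OFF


@dataclass
class Account:
    email: str
    keys: Set[str]                       # enrolled hardware key ids
    notifications: List[Tuple] = field(default_factory=list)
    pending: Optional[RecoveryRequest] = None


def login_with_key(acct: Account, key_id: str) -> bool:
    """Fast path: an enrolled key logs in immediately, recovery or not."""
    return key_id in acct.keys


def request_email_recovery(acct: Account, now: datetime) -> str:
    """Open a pending request; nothing about the account changes yet.

    The e-mail carries both the completion link and the revoke link, so
    a bypass attempt is visible to the owner for the whole window.
    """
    token = secrets.token_urlsafe(16)
    acct.pending = RecoveryRequest(requested_at=now, token=token)
    acct.notifications.append(
        ("recovery_requested", acct.email, token, acct.pending.matures_at()))
    return token


def revoke_recovery(acct: Account, token: str) -> bool:
    """Owner cancels the pending request (the easy "revoke" button)."""
    p = acct.pending
    if p is None or p.revoked:
        return False
    if not secrets.compare_digest(token, p.token):
        return False
    p.revoked = True
    acct.notifications.append(("recovery_revoked", acct.email))
    return True


def complete_recovery(acct: Account, token: str, now: datetime,
                      new_key_id: str) -> bool:
    """Enrol a replacement key, but only after the window and if unrevoked."""
    p = acct.pending
    if p is None or p.revoked:
        return False
    if not secrets.compare_digest(token, p.token):
        return False
    if now < p.matures_at():
        return False            # still inside the cooling-off window
    acct.keys.add(new_key_id)
    acct.pending = None         # single use
    acct.notifications.append(("recovery_completed", acct.email, new_key_id))
    return True


if __name__ == "__main__":
    # Constructed walk-through: request, wait out the window, complete.
    acct = Account("owner@example.invalid", {"key-1"})
    t0 = datetime(2024, 1, 1, 12, 0)
    tok = request_email_recovery(acct, t0)
    print("early completion allowed:",
          complete_recovery(acct, tok, t0 + timedelta(hours=1), "key-2"))
    print("completion after window:",
          complete_recovery(acct, tok, t0 + COOLING_OFF, "key-2"))
```

The property worth noticing is that the window turns an instant, silent bypass into a logged event the owner has days to act on; the security still bottoms out at the e-mail account, exactly as the comment says, but bulk takeover now costs the attacker a notification per account and a waiting period.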