by l0b0
1955 days ago
Thank you all so much for the answers! Sorry for my ignorance (or laziness, since I haven't read up on this and don't know of a disinterested guide for techies) about backups; not allowing it is a completely understandable trade-off between security and convenience. It sounds like this is a perfect solution for people at high risk of phishing, a good solution for somewhat technical laypeople with something important to protect which supports this (like a bank account), and too much hassle/risk of losing access/lack of support for most people/use cases. Does that sound fair?
Suppose you're Twitter. If every Twitter employee has a FIDO2 device and they need to tap it to begin their work day, and to confirm any important actions like "Block YetAnotherNazi" or "Validate that this Twitter account really does represent Jim's 24 hour Celery and Dog Collar Deliveries" then instantly a bunch of your security problems disappear, and all you need are your existing procedures that stop random people walking into your offices off the street and pretending to be employees, which, I'm going to guess, is already a problem you've got at Twitter.
I can't see any reason a university wouldn't do this for its students for example. Or a hospital for its medical staff. Or a police force for... all the cops. These are very easy to use, with that one sharp edge of "What if I lose it?" which is not a problem if your organisation already has procedures to ensure only the right people get physical ID.
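As an added illustration of the "tap the key to confirm this one action" flow described above (example code written for this page, not anything the commenter, Twitter or any named organisation runs), the Go program below simulates both sides of a FIDO2/WebAuthn assertion. A software stand-in for the security key signs a challenge that the relying party issued for one specific action, and the relying party checks the origin, the rpIdHash, the user-presence flag, that the challenge is unused and was issued for that action, and the signature before letting the action through. The names `example.corp`, `setup`, `challengeFor`, `verify` and the action strings are assumptions made for the example. In a real deployment the browser and a WebAuthn library take the place of this hand-rolled authenticator, and it is the browser that refuses to let a phishing site request a credential scoped to another site's RP ID; the origin check here is the relying party's own half of that defence.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// Hypothetical RP identifiers for this example, plus the authenticator-data flag bit that records a tap.
const (
	rpID     = "example.corp"
	rpOrigin = "https://example.corp"
	flagUP   = 0x01 // UP: user present
)

// clientData mirrors the WebAuthn CollectedClientData fields an RP checks.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// authenticator is a software stand-in for a FIDO2 key (a real key keeps the private key in hardware).
type authenticator struct{ key *ecdsa.PrivateKey }

// signedDigest hashes what a WebAuthn ECDSA signature covers: authenticatorData || SHA-256(clientDataJSON).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// sign produces a WebAuthn-style assertion; authenticatorData is SHA-256(rpId) || flags || 4-byte counter
// (the counter is left at zero here; a production RP also checks that it increases).
func (a *authenticator) sign(rpId, origin, challenge string, flags byte) (assertion, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	h := sha256.Sum256([]byte(rpId))
	authData := append(h[:], flags, 0, 0, 0, 0)
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, signedDigest(authData, cd))
	return assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, err
}

// relyingParty holds one registered credential plus outstanding challenges, each bound to one action.
type relyingParty struct {
	pub        *ecdsa.PublicKey
	challenges map[string]string // challenge -> the action it authorises
}

// challengeFor issues a fresh single-use challenge for one action.
func (rp *relyingParty) challengeFor(action string) string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	c := hex.EncodeToString(b)
	rp.challenges[c] = action
	return c
}

// verify runs the RP-side checks before `action` may proceed.
func (rp *relyingParty) verify(action string, as assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil || cd.Type != "webauthn.get" {
		return errors.New("malformed client data or wrong ceremony type")
	}
	if cd.Origin != rpOrigin { // a look-alike phishing origin fails here
		return errors.New("origin mismatch")
	}
	if rp.challenges[cd.Challenge] != action { // replay, or a challenge issued for a different action
		return errors.New("challenge was not issued for this action")
	}
	delete(rp.challenges, cd.Challenge) // single use
	if want := sha256.Sum256([]byte(rpID)); len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(want[:]) {
		return errors.New("authenticator data too short or rpIdHash mismatch")
	}
	if as.AuthData[32]&flagUP == 0 {
		return errors.New("user presence flag not set: nobody tapped the key")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// setup registers one software key with the RP (the registration ceremony itself is skipped).
func setup() (*relyingParty, *authenticator) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &relyingParty{pub: &key.PublicKey, challenges: map[string]string{}}, &authenticator{key: key}
}
```

To try it, call `setup()`, issue `rp.challengeFor("block account @...")`, have `auth.sign(rpID, rpOrigin, challenge, flagUP)` produce the assertion, and pass it to `rp.verify` with the same action string. Replaying that assertion, signing for a look-alike origin such as `https://exarnple.corp`, signing with a credential scoped to a different RP ID, omitting the tap (flags 0), or presenting a challenge that was issued for a different action all return an error, which is the property that makes "tap to confirm this action" worth more than a password prompt.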