by schrodingersket
1954 days ago
I keep one of my keys in a fireproof safe at home, and the other on my keychain as my daily driver. If a site allows me to enroll multiple U2F keys, I just bring the backup to work (my home office, currently) with me the next day and enroll it then. For sites that only allow a single key (looking at you, AWS), I will usually enroll the key I have on me, and then when I have both, I write the same TOTP seed to both keys (usually by scanning the QR code with each key plugged into my phone before entering the one-time code used to verify and finalize TOTP enrollment) and use that instead so that there's effectively a TOTP duplicate. This gives me a pretty convenient list of sites I've set up the YubiKey with (at least for TOTP), since Yubico's OTP app lists all the sites I've used it for. If a site only allows a single U2F key to be registered, I'd rather have a backup with TOTP over the better security of a single U2F key, so this arrangement works reasonably well for me.