by robalfonso 1653 days ago
Because of this, I make a point of having 3 2FA keys: a daily driver, a backup key on a key ring, and the final one in a fireproof safe. Like you, I would be afraid of what would happen if I lacked my key.

Companies need to at least clarify “what happens if I don’t have my key”. Also, one-time codes are a thing that needs to be saved and can help mitigate a hardware failure.


Great for you, but you have to realise that the average person can barely even remember a single password. That is not a solution suitable for mass adoption.
I would say Apple's recent addition of 2FA support to iCloud passwords would be a good (and maybe the only) 'average person solution'. MS Authenticator is also good, as you can sync it, and if you get a new phone you can get the same 2FA codes again.
Amazing that in 2021 there are few better alternatives than having 3 x 2FA keys.
What would be that alternative?

The point of 2FA is "something you have"... if you lose it, you no longer have it. It's designed to lock you out if lost/stolen... otherwise, what would be the point?

As an aside, 2FA keys are not what most people use... they use cell phone numbers, time-based rolling-code authentication apps, email addresses, etc. It's your choice to use a physical key, even if it might technically be the most secure of the options.

Security is always a trade-off with convenience.

GP seems to not understand the point of 2FA. If you can simply call up customer support and maneuver your way back into a locked account, then so can the "bad guys". Any information they have about you can be found by a determined attacker... hence, the "something you have" approach.

Ideally I'd like to be able to register my physical token with the manufacturer and have them send me a replacement based on sufficient identification. Things like ordering the replacement with a credit card in my name, sent to my mailing address, vouched for by a notary public, and/or anything else that I check off on the list of factors I find acceptable when I send them my registration form.

The alternative is for me to use TOTP and have the secrets printed out, lightly encrypted, and stored in a safe deposit box.

In order for this plan to work, the token manufacturer would have to be able to store your secrets, which means you uploading your secrets, which defeats the purpose of physical tokens. Just use a cell phone number one-time-code or authenticator app with time-based-codes instead.
You can enroll your phone and some laptops with most sites, so it's def getting better.
I wouldn't depend on long-term data retention of flash memory. You should have a passphrase-encrypted printout of the contents as well.
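The passphrase-encrypted TOTP printout that the two comments above describe, as an added example that is not from this thread: the secret is the factor, so a restored copy produces the same RFC 6238 codes as the phone did, and a wrong passphrase or a mistyped printout is rejected by the tag rather than yielding garbage. It assumes a stdlib-only Python environment; the HMAC-SHA256 counter-mode keystream is a hypothetical stand-in for a proper AEAD from a vetted library.

```python
import base64
import hashlib
import hmac
import os
import struct

def totp(secret_b32: str, at: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code any authenticator app derives from the secret."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", at // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream. Assumption: stdlib only;
    a production tool would use an AEAD from a vetted library instead."""
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
    return out[:n]

def _keys(passphrase: str, salt: bytes) -> tuple:
    """Slow passphrase-to-key derivation; separate encryption and MAC keys."""
    km = hashlib.scrypt(passphrase.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=64)
    return km[:32], km[32:]

def wrap_for_paper(secret_b32: str, passphrase: str, salt: bytes = None) -> str:
    """Encrypt-then-MAC the secret and emit a base32 record that can be printed and retyped."""
    salt = salt or os.urandom(16)             # fresh random salt/nonce per printout
    enc_key, mac_key = _keys(passphrase, salt)
    pt = secret_b32.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, salt, len(pt))))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()[:16]
    return base64.b32encode(salt + ct + tag).decode()

def unwrap_from_paper(record: str, passphrase: str) -> str:
    """Restore the secret; a wrong passphrase or a mistyped printout fails the tag check."""
    blob = base64.b32decode(record.strip().upper())
    salt, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    enc_key, mac_key = _keys(passphrase, salt)
    expect = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong passphrase or corrupted printout")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, salt, len(ct)))).decode()
```

The `totp` function reproduces the published RFC 6238 test vectors (secret "12345678901234567890", 8 digits, SHA-1), which is the quickest way to confirm a restored secret is byte-for-byte correct before the original device is gone.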