by gruez 1476 days ago
Same thing that happens if your FIDO/U2F key breaks. If you have a backup key (or in the case of this implementation, iCloud backup), then it shouldn't matter. Otherwise you're at the mercy of the site that's requesting the credentials. They might allow you to authenticate via another method (security questions?), or lock you out permanently.

Ideally, if you can’t identity proof in person, recovery flow should be Stripe Identity or another proofing system that will consume government ID and output pass or fail. It’s the next best thing to showing up in person and having a human proof you, and saying “oops keys all gone” isn’t going to fly for the masses at scale.