by filleokus 1395 days ago
> Alternatively you print out the backup codes.

But those are per site right?

Re hardware and that above is not something for most people:

Yeah I agree. Something like https://uni.horse/notes/solo-key-backups.html, but it shouldn’t be a solution for most people.

But I still think the backup story is flawed, and could be improved to work in an easy and secure way:

Using some easy vendor GUI tool, with a simple clone button:

1: Generate on-hardware webauthn master key on device A.
2: Generate on-hardware key pair on device B.
3: Export B’s public key to A.
4: Encrypt A’s private key with B’s public key.
5: Export encrypted master key to B.
6: Decrypt on B.

But I guess we ideally would want some standardized protocol for doing this so you can do cross vendor backup.

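The six-step clone described in the comment above, as an added example that is not part of the original post or of any vendor's GUI tool. It is standard-library Go and assumes: the master key is a P-256 key (the curve behind WebAuthn's ES256), B's transport pair is X25519, and "encrypt A's private key with B's public key" is done ECIES-style (ephemeral X25519 agreement, SHA-256 as the KDF, AES-256-GCM as the wrap). The KDF label string, the `WrappedKey` blob layout and the function names are this example's own choices, not a standardized protocol.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// WrappedKey is the blob that travels from device A to device B (step 5).
type WrappedKey struct {
	EphemeralPub []byte // A's one-time X25519 public key
	Nonce        []byte // fresh AES-GCM nonce
	Ciphertext   []byte // AES-256-GCM over the DER-encoded master private key
}

// aeadFor derives the AES-256-GCM wrapping key from an X25519 agreement
// (ECIES-style; the SHA-256 KDF and label are this example's choices, not a vendor protocol).
func aeadFor(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, ephPub, recipientPub []byte) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(bytes.Join([][]byte{[]byte("example-clone-wrap-v0"), shared, ephPub, recipientPub}, nil))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Steps 3 and 4, run on A: encrypt the master private key to B's public key.
// The ephemeral public key is bound as GCM associated data so it cannot be swapped in transit.
func WrapMasterKey(master *ecdsa.PrivateKey, bPub *ecdh.PublicKey) (*WrappedKey, error) {
	der, err := x509.MarshalECPrivateKey(master)
	if err != nil {
		return nil, err
	}
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := aeadFor(eph, bPub, ephPub, bPub.Bytes())
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &WrappedKey{EphemeralPub: ephPub, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, der, ephPub)}, nil
}

// Step 6, run on B: recover the master key. Any other device's transport key derives a
// different AES key, so the GCM tag check fails and no plaintext is released.
func UnwrapMasterKey(w *WrappedKey, bPriv *ecdh.PrivateKey) (*ecdsa.PrivateKey, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(w.EphemeralPub)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(bPriv, ephPub, w.EphemeralPub, bPriv.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	der, err := gcm.Open(nil, w.Nonce, w.Ciphertext, w.EphemeralPub)
	if err != nil {
		return nil, err
	}
	return x509.ParseECPrivateKey(der)
}

// CloneSignsForOriginal checks the clone is usable: a signature made on B must verify
// under the public key a relying party already registered for A.
func CloneSignsForOriginal(original, clone *ecdsa.PrivateKey, challenge []byte) bool {
	digest := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, clone, digest[:])
	if err != nil {
		return false
	}
	return ecdsa.VerifyASN1(&original.PublicKey, digest[:], sig)
}

func main() {
	master, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // step 1, on A
	bPriv, _ := ecdh.X25519().GenerateKey(rand.Reader)           // step 2, on B
	wrapped, _ := WrapMasterKey(master, bPriv.PublicKey())       // steps 3-4, on A
	clone, err := UnwrapMasterKey(wrapped, bPriv)                // steps 5-6, on B
	fmt.Println("unwrap error:", err, "| clone signs for A:", err == nil && CloneSignsForOriginal(master, clone, []byte("rp-challenge")))
}
```

What the wrap buys: the blob is useless to anyone who does not hold B's transport private key, and a modified blob fails the GCM tag check rather than yielding a corrupted key. What it does not solve is the point the comment ends on: A will happily encrypt to any X25519 public key it is handed, so in a real product step 3 would need B's public key to arrive with an attestation that it belongs to genuine hardware of the kind A is allowed to clone into, and agreeing on that attestation format across vendors is the standardization problem.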

Personally I don't think I'd bother with redundant keys for most sites/services, only for those of the greatest importance. I think for most of us that list is short enough that redundancy is manageable.
Probably true. But my point is that if there was some secure/easy way to clone a key you wouldn’t need to think about redundant keys at all. If you create a clone you get redundancy for all sites in one sweep.

(Most likely this will be solved by the mobile OS vendors who will sync and backup your private key for you. Using your phone’s HSM instead of an external device)