by mgbmtl 1021 days ago
Depends on the implementation? For many services, I register my Yubikey, but also the Android fingerprint authentication (as well as TOTP as another fallback).

So for example, if I log in to Gitlab on my phone, I can use my fingerprint (lockscreen auth). It's more convenient than using the TOTP app.

Similarly, I could register a TPM from my desktop that could be the same as using the fingerprint auth? It would only work from that desktop, but it's the same logic as my phone, and in a sense, that's a nice benefit.

1 comments

Every fallback method adds risk. Realistically though, I don't think any of it really matters. By far the weakest link everywhere is SMS/Email based account recovery and it's almost impossible to avoid those.

Sometimes I think the average person would be better off with a highly secured email account and magic links for everything else. Even for me, I have YubiKeys, TPMs, etc. configured for everything, but if I forget to lock my laptop and someone walks off with it, they have access to my email, which is basically my entire digital life due to account recovery via email.