rabboRubble | 4 years ago
The most ideal set up would be to have a universal Yubikey or something equivalent. Preferably with a backup pre-configured second Yubikey possible in a disaster recovery bugout kit. Then have all the initial QR codes, OTP secret manual OTP key strings like I demonstrated above your post, account recovery keys, backup break-in codes, or whatever other flavor of two-factor recovery a service uses, all this notated in a secured password manager. The real problem I see with two factor is that the offered recovery method is so variable from service to service. It makes knowing which information you need to have on hand when you've gotten locked out problematic.
The other thing I do is that for core cloud service providers, I print out the password manager details for the accounts. This is Apple, cloud backup service, Google, Microsoft and a couple of hardware device passwords. It's a risk to have this printed, but the print out is in a fireproof safe with a trusted party.
I basically assume my disaster recovery plan is that I have my wallet and the clothes on my back and nothing else. Everything else gone including my computers and phones, and I have to get back all services and data without having any devices.
The higher the level of security, the higher level of disaster preparedness the end user needs to practice.
I've emailed my elderly parents to make sure they understand that this mandatory 2FA roll out is happening, and I've explained how they could fuck up their accounts by not notating the recovery method. I offered to review their details to make sure it passes a sniff test.