top | item 44691153

(no title)

devman0 | 7 months ago

The principle issue with hardware keys as implemented today via FIDO2 or U2F is that you can't enroll them without having them in your physical possession, which means if you have a backup key stored offsite, you have to fetch it anytime you sign up for a new service.

discuss

Wilder7977|7 months ago

A good strategy for this is to enroll it at day 0 for the most sensitive systems (e.g., password manager, email accounts). This way you are able to use it as a backup in the sense of giving the option to reset or access (e.g., via backup codes) all the services, without being necessarily enrolled in all of them.