
You cannot be secure while offering easy 'backdoors' into your own account at the same time. People will just have to be more careful (e.g. by associating a backup U2F key with their account), or go through a real-world ID process otherwise (like banks typically do).

Also, for the coming years, U2F will probably just be an optional second factor like TOTP. One can only hope that more sites will follow the lead of GitHub, Dropbox, and Google, because TOTP is worthless against 'real-time' phishing attacks.
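To make the last point concrete, here is a small simulation (added here as an illustration, not code from the commenter or from any of the sites named) of why a live TOTP code survives a real-time phishing relay while a U2F assertion does not. TOTP and HOTP are implemented per RFC 6238/4226. The U2F side is a stand-in: real tokens sign with a per-site ECDSA key, and the HMAC over a shared per-site secret below is an assumption made only so the block runs on the standard library; what the demo depends on is that the browser, not the user, writes the origin into the signed data. The site names ending in `.example` are constructed.

```python
"""Toy comparison: relayed TOTP code vs. origin-bound U2F assertion under real-time phishing."""
import hashlib
import hmac
import secrets
import struct
from typing import Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, now // step)


class TotpRelyingParty:
    """Server side of TOTP login. Nothing in the code records which site the user typed it into."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret

    def login(self, code: str, now: int) -> bool:
        return hmac.compare_digest(code, totp(self.secret, now))


def totp_under_realtime_phishing(secret: bytes, now: int) -> bool:
    """Victim enters the live code on the phishing page; the attacker submits it to the real
    site two seconds later. Returns True when the attacker gets in (assumes `now` is not
    within 2 s of a 30-second step boundary)."""
    rp = TotpRelyingParty(secret)
    code_victim_typed_on_phishing_page = totp(secret, now)
    return rp.login(code_victim_typed_on_phishing_page, now + 2)


class U2fAuthenticator:
    """Stand-in for the hardware token (assumption: HMAC instead of a per-site ECDSA key).
    What matters for the demo is *what* gets signed: the browser-supplied origin."""

    def __init__(self, per_site_secret: bytes) -> None:
        self.per_site_secret = per_site_secret

    def sign(self, challenge: str, browser_origin: str) -> Tuple[bytes, str]:
        # The browser fills in the origin it is actually connected to; the user never types
        # it, so a look-alike domain lands in the signed data as itself.
        client_data = f"{browser_origin}|{challenge}".encode()
        sig = hmac.new(self.per_site_secret, client_data, hashlib.sha256).hexdigest()
        return client_data, sig


class U2fRelyingParty:
    """Server side: issues challenges and verifies that the signed origin is its own."""

    def __init__(self, origin: str, per_site_secret: bytes) -> None:
        self.origin = origin
        self.per_site_secret = per_site_secret
        self.issued = set()

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.issued.add(challenge)
        return challenge

    def login(self, client_data: bytes, sig: str) -> bool:
        origin, challenge = client_data.decode().split("|", 1)
        if origin != self.origin:          # origin binding: the check TOTP has no way to do
            return False
        if challenge not in self.issued:   # replayed or unsolicited response
            return False
        self.issued.remove(challenge)
        expected = hmac.new(self.per_site_secret, client_data, hashlib.sha256).hexdigest()
        return hmac.compare_digest(sig, expected)


REAL_SITE = "https://accounts.example"            # constructed name
PHISHING_SITE = "https://accounts-examp1e.example"  # constructed look-alike


def u2f_under_realtime_phishing(per_site_secret: bytes) -> bool:
    """Attacker proxies a fresh challenge from the real site to the victim, whose browser is
    on the look-alike domain, then relays the assertion. Returns True only if the RP accepts."""
    rp = U2fRelyingParty(REAL_SITE, per_site_secret)
    token = U2fAuthenticator(per_site_secret)
    challenge = rp.new_challenge()
    client_data, sig = token.sign(challenge, PHISHING_SITE)
    return rp.login(client_data, sig)


def u2f_legitimate_login(per_site_secret: bytes) -> bool:
    """Same flow with the browser on the real origin."""
    rp = U2fRelyingParty(REAL_SITE, per_site_secret)
    token = U2fAuthenticator(per_site_secret)
    challenge = rp.new_challenge()
    client_data, sig = token.sign(challenge, REAL_SITE)
    return rp.login(client_data, sig)


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 4226/6238 test-vector secret
    print("TOTP relay succeeds:", totp_under_realtime_phishing(seed, 1_700_000_000))
    print("U2F relay succeeds: ", u2f_under_realtime_phishing(b"per-site-secret"))
    print("U2F legit succeeds: ", u2f_legitimate_login(b"per-site-secret"))
```

The TOTP server only learns "this code is valid right now", so a relay that completes inside the 30-second step is indistinguishable from the real user. The U2F server additionally sees which origin the browser signed for, and a look-alike domain fails that comparison regardless of how quickly the attacker relays.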




> You cannot be secure while offering easy 'backdoors' into your own account at the same time. People will just have to be more careful (e.g. by associating a backup U2F key with their account), or go through a real-world ID process otherwise (like banks typically do).

Sure, but by that logic the most secure system is offline. It's the same issue with corporate networks requiring "complex" passwords and changing them once a month. Sure, it's technically more secure, but the end result is the office genpop writes a post-it with their current password, which defeats the whole purpose.

The most secure real-world system is the one you can keep using with its designed security solutions, regardless of its (low) theoretical security level.



