Every place that I use my key gives you a set of one-time-use recovery codes. To log into your account, you can use either the key or a code. (You still need your password.) Codes can be regenerated at any time. To revoke a key, you simply remove it from your account.
You have to make sure the attacker cannot revoke your key first. If the backup code is irrevocable, then it is indeed a nice solution, albeit a high-friction one if you are doing safe backups for each new account.