> But many sites only allow a single device to be enrolled.
Ugh, I hate these. I want to use u2f, but I am not willing to risk being locked out of my account if I lose the key. So I only enable it if there is some other 2fa I can enable (either adding a second key or totp).
Most sites which offer U2F (or WebAuthn, which is what they ought to be doing for new sites) have a last ditch "Write down this huge random string" way back in. If you're the sort of person who'd hate to lose an account (seems like you are) then you should definitely write that down, and keep it somewhere damn safe.
But, as I wrote elsewhere in this thread, the only site I'm aware of that forbids multiple Authenticators (Security Keys) is AWS. And to be fair, AWS accounts are multi-user. If Bob loses his Security Key and Bob was your only admin, the biggest mistake wasn't AWS forbidding Bob from having two keys (though I agree that's bad) it's you not assigning another admin. Jim, the company secretary, may not know a t2.nano from m4.xlarge but he can keep a Security Key in his desk drawer and never give it to anybody unless the Big Boss authorises it.
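The two safeguards discussed in this thread, letting an account hold more than one registered authenticator and keeping a set of single-use recovery codes as the last-ditch way back in, are easy to get wrong on the server side. The following is an added example, not code from any commenter or from AWS; it sketches a hypothetical account model where recovery codes are stored only as hashes, each code can be redeemed exactly once, and the service refuses to remove the last remaining second-factor path so a user cannot lock themselves out by accident. All names and the storage layout are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    # credential_id -> human label ("laptop key", "desk drawer key"); assumed model
    authenticators: dict = field(default_factory=dict)
    # SHA-256 hex digests of recovery codes that have not yet been used
    recovery_hashes: set = field(default_factory=set)
    totp_enabled: bool = False


def _hash_code(code: str) -> str:
    # Normalise user input (dashes, case) and store only a digest, so a copied
    # database does not yield usable recovery codes.
    return hashlib.sha256(code.replace("-", "").lower().encode()).hexdigest()


def issue_recovery_codes(acct: Account, n: int = 10) -> list:
    """Mint n fresh codes; return them in the clear exactly once for the user to write down."""
    codes = []
    for _ in range(n):
        raw = secrets.token_hex(5)          # 40 bits of CSPRNG entropy per code
        code = f"{raw[:5]}-{raw[5:]}"       # e.g. "3f9a1-c0de7", easier to transcribe
        codes.append(code)
        acct.recovery_hashes.add(_hash_code(code))
    return codes


def redeem_recovery_code(acct: Account, code: str) -> bool:
    """Accept a code once, then burn it. Constant-time compare against each stored digest."""
    digest = _hash_code(code)
    for stored in acct.recovery_hashes:
        if hmac.compare_digest(stored, digest):
            acct.recovery_hashes.discard(stored)   # single use
            return True
    return False


def register_authenticator(acct: Account, credential_id: str, label: str) -> None:
    """Enrol an additional security key; multiple keys per account are allowed."""
    if credential_id in acct.authenticators:
        raise ValueError("credential already registered")
    acct.authenticators[credential_id] = label


def second_factor_paths(acct: Account) -> int:
    """Count independent ways to complete a login: each key, TOTP, and the recovery-code set."""
    paths = len(acct.authenticators)
    if acct.totp_enabled:
        paths += 1
    if acct.recovery_hashes:
        paths += 1
    return paths


def lockout_risk(acct: Account) -> bool:
    """True when losing a single key would leave no way into the account."""
    return len(acct.authenticators) == 1 and second_factor_paths(acct) == 1


def remove_authenticator(acct: Account, credential_id: str) -> bool:
    """Remove a key, but never the last remaining second-factor path."""
    if credential_id not in acct.authenticators:
        return False
    if second_factor_paths(acct) - 1 < 1:
        return False
    del acct.authenticators[credential_id]
    return True


if __name__ == "__main__":
    acct = Account()
    register_authenticator(acct, "cred-A", "laptop key")
    print("lockout risk with one key and nothing else:", lockout_risk(acct))
    codes = issue_recovery_codes(acct)
    print("write these down:", codes)
    print("lockout risk after issuing recovery codes:", lockout_risk(acct))
    print("first redemption:", redeem_recovery_code(acct, codes[0]))
    print("replay of same code:", redeem_recovery_code(acct, codes[0]))
```

The `lockout_risk` check is the condition the first commenter worries about: exactly one key and no other path. Adding either a second key or a recovery-code set clears it, which is why a site that caps enrolment at one authenticator needs the recovery codes all the more.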
There’s one special account though and that’s the AWS root account. It’s needed for certain special things and tying it to a YubiKey means that you cannot easily give those creds to 2 people.