How does recovering from a broken/lost/stolen device work in this scenario? I'm assuming it's the same as other MFA methods, namely using a recovery code that was given at the time of enrollment, or am I wrong in that line of thinking?
Recovery code or another key. You can enroll multiple keys. As long as you have one of them, you can use your access to disenroll the broken/lost/whatever key and enroll a replacement. I have one key that I keep with me, and another that I keep in my safe. If I lose both, I'll use a recovery code that I keep in an encrypted vault online (as well as in my safe in paper form, but assuming that whatever destroyed the key in the safe also destroyed the list of codes in the safe...)
