What are your expected failure modes? Consider this pretty common scenario: ahe user lost their one and only enrolled device. How can the user reinstate access?
I suppose the user must have printed the real root password / secret key / whatever and put the paper somewhere in a safe. That password should allow to reinstate access when all hardware is lost. But it should not be required daily.
Good point. We have recovery keys for this. These are 12 word random phrases generated from a 1952 word list (about 131 bits of entropy).
They require email authentication to redeem, so a recovery key by itself isn't sufficient to access an account, though of course they do need to be protected.
An org admin can also re-invite a user that loses access this way. The only scenario where you're really in trouble is if you're the only admin, you lose access to your only authorized device, and you lose access to your recovery key.
Apples solution for this with their new hardware 2fa stuff is to not let you turn it on without registering two hardware keys. So perhaps forcing two enrolled devices might work? (I have all my totp seeds on my iPhone and my iPad, for that reason.)
Tying my entire life (every account etc) to two devices that can be remote-killed by a corporation which is not your friend is definitely a risk that I would not take.
You really keep no access to your life that isn't under someone else's control?
I was under the impression that the user is using 2 iOS devices as key generators for their 2FA. And Apple can certainly blacklist their device, delete their Account, and remotely disable their devices permanently.
If they are just registering yubikeys to their iphone and ipad so they can use their apple account... then sure, welcome to 2012.
The obvious question is: what if you lose both keys?
Deep down, I think it's something that requires cooperating with real world entities (governments, banks, basically real world trust), not something that tech bros seem to want to do for ideological reasons
It's even worse now, no company truly locks you out and with enough noise on social media a real human can get you your access back even if you don't have your Yubikey. So it's always vulnerable to social engineering.
Of course I'm not talking about just relying on SIM. Maybe we can stop with the knee-jerk reaction and actually think of how to add better ways to do it. Government IDs could enter as some piece of the puzzle, trusted contacts, yeah, even SIM... At the very least out here in the real world I have some recourse if my ID is stolen, and I don't have to worry about having to buy all my stuff back because I lost my keys.
As I understand it, Keybase actually has a very interesting concept of spreading key materials over your social media. So it's not even unprecedented.
Only because companies are trying to do this human verification on the cheap. SIM swapping-alike attacks aren't a problem with institutions like banks where they keep ID on file and you can visit in person to prove your identity.
Oh yeah, I guess we can be all about getting 10 yubikeys and keep one in your wallet, another together with your keys, another in your home, bury another in your family's farm, another in a safe in the capital city of every country you visit...
I suppose the user must have printed the real root password / secret key / whatever and put the paper somewhere in a safe. That password should allow to reinstate access when all hardware is lost. But it should not be required daily.