Comment by __turbobrew__
4 months ago
There is a big gap in the greater security landscape here. I personally use hardware authenticators for this reason, but I have to manually enrol each security key for each account.
Really what I would like is a root of trust which maybe is a cipher text which I can store in several physical locations, and then my security keys are derived from that root of trust. Then when I set up 2fa with a service it is using the root of trust and seeing that my security keys are derived from that root of trust. This allows me to register the root of trust only once and then I can use any key derived from it.
Some cryptocurrency hardware wallets such as Trezor's are usable exactly how you want: they support fido2/webauthn and derive their keys from the recovery seed phrase. You can write down the recovery seed phrase, initialize other hardware wallets with the same recovery seed later on, and they will present to a computer as the same fido2/webauthn token.
If it's hardware it can break or be lost or stolen.
As I said, you can write down the recovery seed and initialize other security keys from it, so you're able to deal with a hardware wallet breaking, unlike most fido2/webauthn security keys. Hardware wallets also require a pin to be entered, so they're more secure against being lost or stolen too than security keys that don't need a pin.
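The seed-derived design the thread is discussing (one root of trust, any device initialised from it presents the same credentials, a PIN gating use) can be modelled in a few lines. The following is an added example, not code from the thread or from any wallet vendor: the HKDF derivation, the `SeededAuthenticator`/`RelyingParty` classes, the credential-ID construction and the `DEMO_ROOT_SEED` value are all assumptions for illustration. Real FIDO2 tokens sign challenges with per-site asymmetric keys and hardware wallets use their own derivation scheme; this stand-in only shows why a replacement device restored from the same seed is recognised without re-enrolment, while a device with another seed is not.

```python
import hashlib
import hmac
import os

# Constructed root seed for the demo. A real device generates this on-board
# and shows it to the user as a recovery phrase to write down.
DEMO_ROOT_SEED = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract-then-expand) over SHA-256, stdlib only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class SeededAuthenticator:
    """Toy model of a seed-initialised FIDO2-style token.

    Every per-service credential is derived from the root seed plus the relying
    party ID and user handle, so any device initialised from the same seed
    derives the same credentials. HKDF here is an assumed stand-in derivation.
    """

    def __init__(self, root_seed: bytes, pin: str):
        self._root_seed = root_seed
        self._pin = pin

    def _credential_secret(self, rp_id: str, user_id: bytes) -> bytes:
        # Domain-separated by relying party so credentials are unlinkable across sites.
        info = b"fido-demo|" + rp_id.encode() + b"|" + user_id
        return hkdf_sha256(self._root_seed, salt=b"seeded-authenticator-v1", info=info)

    def credential_id(self, rp_id: str, user_id: bytes) -> str:
        """Public per-site identifier the relying party stores at registration.
        Hashed so the stored value does not reveal the derived secret."""
        secret = self._credential_secret(rp_id, user_id)
        return hashlib.sha256(b"credential-id|" + secret).hexdigest()

    def register(self, rp_id: str, user_id: bytes) -> str:
        return self.credential_id(rp_id, user_id)

    def authenticate(self, pin: str, rp_id: str, user_id: bytes) -> str:
        # User verification: a lost or stolen device is useless without the PIN.
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise PermissionError("wrong PIN")
        return self.credential_id(rp_id, user_id)


class RelyingParty:
    """Server side: remembers the credential ID registered for each user."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self._registered: dict[bytes, str] = {}

    def register(self, user_id: bytes, cred_id: str) -> None:
        self._registered[user_id] = cred_id

    def recognises(self, user_id: bytes, cred_id: str) -> bool:
        return hmac.compare_digest(self._registered.get(user_id, ""), cred_id)


def demo() -> dict:
    rp = RelyingParty("example.com")
    user = b"alice"

    # Enrol once with the primary device.
    primary = SeededAuthenticator(DEMO_ROOT_SEED, pin="1234")
    rp.register(user, primary.register(rp.rp_id, user))

    # Primary device lost: a replacement restored from the written-down seed
    # (with a fresh PIN) derives the same credential and is accepted as-is.
    replacement = SeededAuthenticator(DEMO_ROOT_SEED, pin="9876")
    # A device initialised from an unrelated seed derives something else.
    stranger = SeededAuthenticator(os.urandom(32), pin="1234")

    return {
        "replacement_recognised": rp.recognises(
            user, replacement.authenticate("9876", rp.rp_id, user)),
        "stranger_recognised": rp.recognises(
            user, stranger.authenticate("1234", rp.rp_id, user)),
        "unlinkable_across_sites": primary.credential_id("example.com", user)
        != primary.credential_id("other.example", user),
    }


if __name__ == "__main__":
    print(demo())
```

The relying party keeps only the derived, hashed credential ID, so re-registration is never needed for a restored device; the seed itself never leaves the authenticator, and the PIN check is what stands between a stolen device and its credentials.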