
I think most people carry their security keys on their keyring. And since most muggers don't demand keys I think people should generally be safe.



Except many people keep their keyring in their bag and muggers often just grab the bag.


Then keep another key somewhere else, like with a fellow traveler or at the hotel. This is why people make copies of physical keys.

All security is physical security. We need to end the delusion that it is not or can somehow be bypassed, and embrace it instead.


And when you get mugged in transit from the hotel to the airport or vice versa your plan falls apart. Unless you are going to pay someone to drive a different route in a different car with your hardware key...


Good luck making a copy of a security key - most are designed to prevent that (for valid-ish reasons) and the only other option (always enroll two keys) has a host of other problems, especially since in the "always carry two" case you need to also keep a third one at home.


I have encrypted backups and duplicates of all my security keys.

You simply need to choose a security key that supports BIP39 backups like a Trezor or Ledger.

As an alternative most sites support enrolling multiple keys.


You can’t duplicate hardware MFA keys. You’d have to individually set up the second device everywhere you use MFA, and many services only support a single device (looking at you, AWS).


> many services only support a single device (looking at you, AWS)

I really wish people would stop doing this.

It's not "many services" it's one service. "Many women have played the role of Ellen Ripley in the Alien movies (looking at you, Sigourney Weaver)". No. One woman did that and you just named her, not many.

Don't use "many" to mean, "Well, one, but when I wrote that it didn't seem like I had a point worth making". If you instead present this as "AWS is broken" then we see what the problem actually is and who needs to fix it.


> many services only support a single device (looking at you, AWS).

We can (finally) take AWS off that list.

I can say I was pleasantly surprised recently by being able to enroll multiple MFA Tokens and device types, for a single IAM SSO User.

Don't know the restrictions on it, but https://aws.amazon.com/iam/features/mfa/ probably has more details.


This is inaccurate.

You can't duplicate entry level devices like Yubikeys but hardware wallets like Ledger and Trezor both support backup of FIDO seeds in the form of 24 English words you can store endless ways, or recover to a secondary device.

I have duplicates of all my MFA keys.

These devices are also more secure as they show you the website you are approving on screen to avoid being tricked by malware.


> Then keep another key somewhere else, like with a fellow traveler or at the hotel

Hotels aren’t safe for valuables and people travel alone. We’re getting pretty far removed from convenience here as well. Might as well suggest people keep their keys shoved up their ass.


Buttplug with yubikey integrated. Startup idea of the year :P


A 24 word mnemonic FIDO backup seed can fit AES256 encrypted in a 1K NFC tag, which come in sizes as small as a grain of rice.

You can store it in a subdermal implant, under the sole of your shoe, a belt buckle, or in a finger ring or other jewelry.

Options are endless.


Maybe we could just use something that can't be stolen. Something like a shared secret that is exchanged through secure channels beforehand and then only resides in the user's permanent memory. The second party could even use some kind of novel mathematical function that maps arbitrarily sized secrets to a seemingly random fixed size value that is both sufficiently different for similar inputs and big enough to avoid collisions. That would allow them to not store the secret in plain text as they could just compare the output of the function with the previously saved one to verify that the secret the user gave is most likely correct.
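Two of the comments above describe the same building block from different angles: the "24 word seed, AES256 encrypted, in a 1K NFC tag" backup, and the (tongue-in-cheek) memorised secret that the server stores only as a one-way function output. The Go program below is an added example written for this thread, not code from any commenter, Trezor, Ledger or Yubico. It derives a key from a passphrase with a hand-written PBKDF2-HMAC-SHA256 (the standard library used here has no PBKDF2 package), uses that key once as a stored password verifier with a constant-time compare, and once as an AES-256-GCM key to wrap a mnemonic into a `salt || nonce || ciphertext+tag` blob and check it is small enough for a 1024-byte tag. The mnemonic, the iteration count and the blob layout are assumptions of the example; the 24 words are constructed sample text, not a real wallet seed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample: 24 words in BIP39 style. Not a real seed.
const sampleMnemonic = "abandon ability able about above absent absorb abstract absurd abuse " +
	"access accident account accuse achieve acid acoustic acquire across act " +
	"action actor actress actual"

const (
	pbkdf2Iters = 200_000 // assumed work factor; raise for production use
	saltLen     = 16
	nonceLen    = 12 // standard AES-GCM nonce size
	gcmTagLen   = 16
	nfcTagBytes = 1024 // the "1K NFC tag" from the comment
)

// pbkdf2SHA256 implements PBKDF2 with HMAC-SHA256 (RFC 8018) by hand.
func pbkdf2SHA256(password, salt []byte, iters, keyLen int) []byte {
	out := make([]byte, 0, keyLen)
	mac := hmac.New(sha256.New, password)
	for block := uint32(1); len(out) < keyLen; block++ {
		mac.Reset()
		mac.Write(salt)
		var be [4]byte
		binary.BigEndian.PutUint32(be[:], block)
		mac.Write(be[:])
		u := mac.Sum(nil) // U_1
		t := append([]byte(nil), u...)
		for i := 1; i < iters; i++ {
			mac.Reset()
			mac.Write(u) // U_i = PRF(P, U_{i-1})
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// Verifier is what a server keeps for a memorised secret: a salt and the
// KDF output, never the secret itself.
type Verifier struct{ Salt, Hash []byte }

func NewVerifier(secret string) (Verifier, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return Verifier{}, err
	}
	return Verifier{Salt: salt, Hash: pbkdf2SHA256([]byte(secret), salt, pbkdf2Iters, 32)}, nil
}

// Check recomputes the KDF and compares in constant time.
func (v Verifier) Check(secret string) bool {
	got := pbkdf2SHA256([]byte(secret), v.Salt, pbkdf2Iters, 32)
	return subtle.ConstantTimeCompare(got, v.Hash) == 1
}

func gcmFor(passphrase, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(passphrase, salt, pbkdf2Iters, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapSeed encrypts the mnemonic as salt || nonce || ciphertext+tag, with the
// salt bound as associated data so it cannot be swapped without detection.
func WrapSeed(mnemonic, passphrase string) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	salt, nonce := hdr[:saltLen], hdr[saltLen:]
	gcm, err := gcmFor([]byte(passphrase), salt)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(hdr, nonce, []byte(mnemonic), salt), nil
}

// UnwrapSeed fails on a wrong passphrase or any modified byte of the blob.
func UnwrapSeed(blob []byte, passphrase string) (string, error) {
	if len(blob) < saltLen+nonceLen+gcmTagLen {
		return "", errors.New("blob too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	gcm, err := gcmFor([]byte(passphrase), salt)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, nonce, ct, salt)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// FitsNFCTag reports whether the wrapped blob fits the tag size from the comment.
func FitsNFCTag(blob []byte) bool { return len(blob) <= nfcTagBytes }

func WordCount(mnemonic string) int { return len(strings.Fields(mnemonic)) }

func main() {
	blob, err := WrapSeed(sampleMnemonic, "correct horse battery staple")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d words -> %d byte blob, fits 1K tag: %v\n", WordCount(sampleMnemonic), len(blob), FitsNFCTag(blob))
}
```

The size arithmetic is the point of the first comment: 16 bytes of salt, 12 of nonce, 16 of GCM tag and the mnemonic text itself land far below 1024 bytes, so the tag has room to spare. The verifier half shows why the "novel mathematical function" in the last comment is a salted, slow KDF rather than a bare hash: a stolen table of verifiers still forces per-guess work, and the compare leaks nothing through timing.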



