This is true, and it is dangerous (once the key fails, folks get locked out). I don't use security keys with such providers.
It would be nice if someone made a library that made incorporating WebAuthn login into an app as simple as using Django or Ruby on Rails or React to create a login form, so folks don't end up rolling their own and assuming that a user will have at most one YubiKey.
Failing that, you could do what Zeit does and rely on email providers' support for Security Keys (login by email link only).