Legit question from someone who both wants their mum to stop getting hacked, and is not sure Security Keys are a good idea: What happens when they lose their phone?
My limited understanding is that the key is on their phone (let's say it's a Google key, on an Android phone). When their phone gets lost, stolen, or breaks, are they screwed? This worries me because the chances of the phone being lost is high.
A security key is a hardware token that uses USB, Bluetooth, NFC. A security key may not have TOTP capability like a Yubikey. Security keys are not marketed or suitable for consumers, and sysadmins don’t like them either:
Maybe start a pilot automated service run by Google or Microsoft or whoever where backup codes are securely sent to local credit unions and it's all almost transparent to the user. They just need to either pick up the code at the credit union and put it in their safety deposit box or approve that last step.
I'm not upset at all about banking working with private entities or any of the past with banks. I'm mostly upset because some of these ideas are good, you know? Maybe not this, but some. For a short while longer.
Security Keys are an independent device. I believe you are thinking of Passkeys which can live on the phone or in a password manager like 1Password.
If you do go with a security key it’s typically recommended to have at least 2 so that if one dies or is lost both have the same level of access. So long as you add them both/all to every account you need to access.
My limited understanding is that the key is on their phone (let's say it's a Google key, on an Android phone). When their phone gets lost, stolen, or breaks, are they screwed? This worries me because the chances of the phone being lost is high.