I worry that some of my friends would be locked out of all their accounts and struggle to bootstrap if their phone with their TOTP two factor codes and SIM card for their phone number got stolen. I've also seen pushback against using security keys as they're too inconvenient to use frequently.
This post is not aimed at people who want to ensure maximum protection against someone unauthorized gaining access to an account. I don't follow this approach personally, and prefer to avoid weaker 2FA methods.
- Keep your existing MFA methods enabled, and keep using them
- Only add a security key to accounts that would cause trouble for you if locked out, eg email, github
- Keep that security key somewhere different from your normal MFA method
- Keep a spreadsheet of which accounts have which key associated with them if you have more than a few
- If your security key insists on having a PIN set and you worry about forgetting it, you can write it down and keep it physically with the key, as well as storing it digitally.