Every hardware based key I ever used also required PIN, but as far as expense and backups, yes, for personal use the cost generally may not be justified. I got all my personal ones as a bundle that was on sale. For work I would argue that some businesses can easily justify the cost to create a rotating stock of hardware keys to deal with lost keys. Generally in that environment you have centralized PKI, where you can revoke the certificate on the lost key and then issue a new certificate on a new hardware key. This doesn’t help for all sign in methods tied to hardware keys, but can be very practical when implemented right.

I also agree on TOTP as the ultimate generic 2FA method, with several worsening options until the despised email or sms 2FA. I will also add that you can setup TOTP on modern hardware keys, where you must insert and complete PIN entry. The inconvenience is that you must have all your keys and password manager available at setup time for places that don’t support multiple TOTP codes.

I love this sabotage. Has this worked against anyone that you know of yet?