Edit: Usually HN is so angry about Google not following web standards but everyone in this thread seems to be in favor of Google trampling the WebAuthn standard. Weird.
What sites currently let me authenticate with WebAuthn? (GitHub still uses U2F, it seems.)
Disclaimer: I make the Solo key that's mentioned in the article.
Today the backup practice is to enable 2 keys in all accounts: one that you keep with yourself, the other that you leave in a safe.
There have been some experiments with creating copies of the master secret, e.g. . Today you can do so either with U2F Zero or with its upgrade, Solo Hacker (note the hacker version), but we currently don't support it officially.
My personal advice as of now is to always have security key(s) + a TOTP code. The security keys protect you against phishing, so if you click on an email link and get prompted for login, you're either safe (if you use the security key) or at least reminded about the risk (if you're used to using the security key but you don't have it with you at the moment). Vice versa, if you're directly logging into a website and you typed the URL yourself, then TOTP offers the same security, so it's a totally valid alternative. Hope this makes sense.
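An added illustration of the point made in the comment above, written for this page rather than taken from the poster or from the Solo project: a toy model of why a security key assertion cannot be relayed from a look-alike site while a TOTP code can be typed anywhere. The hosts, ids and secrets are constructed, and an HMAC key shared by the toy authenticator and relying party stands in for the per-credential ECDSA key pair a real key uses; the checks themselves (rpId scoping in the browser, origin and challenge checks at the relying party) follow the WebAuthn verification procedure.

```python
import hashlib
import hmac
import json
import secrets
import struct
import time

RP_ID = "example.com"              # constructed relying-party id
RP_ORIGIN = "https://example.com"  # the only origin the RP accepts assertions from
PHISH_HOST = "examp1e.com"         # constructed look-alike host reached via an e-mail link


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class ToyAuthenticator:
    """Security key: every credential is bound to the rpId it was created for."""

    def __init__(self):
        self.creds = {}  # credential_id -> (rp_id, hmac_key)

    def make_credential(self, rp_id):
        cred_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)      # stand-in for the ECDSA key pair
        self.creds[cred_id] = (rp_id, key)
        return cred_id, key                # key is handed to the RP in place of a public key

    def get_assertion(self, rp_id, cred_id, client_data_json):
        bound_rp, key = self.creds[cred_id]
        if bound_rp != rp_id:
            raise PermissionError("credential is scoped to a different rpId")
        # authenticatorData starts with sha256(rpId); the signature covers it plus the clientData hash
        auth_data = sha256(rp_id.encode())
        sig = hmac.new(key, auth_data + sha256(client_data_json), hashlib.sha256).digest()
        return auth_data, sig


def browser_get_assertion(page_host, rp_id, challenge, cred_id, authenticator):
    """The browser writes the origin itself and refuses rpIds the page is not allowed to claim."""
    if not (page_host == rp_id or page_host.endswith("." + rp_id)):
        raise PermissionError(f"{page_host} may not use rpId {rp_id}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": f"https://{page_host}"}).encode()
    auth_data, sig = authenticator.get_assertion(rp_id, cred_id, client_data)
    return client_data, auth_data, sig


def rp_verify_assertion(key, challenge, client_data, auth_data, sig):
    """Relying-party side: type, challenge, origin, rpId hash, then the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:      # the phishing check: wrong site, no login
        return False
    if auth_data[:32] != sha256(RP_ID.encode()):
        return False
    expected = hmac.new(key, auth_data + sha256(client_data), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. Nothing about where the code is typed enters the computation."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def rp_verify_totp(secret, code, t):
    return hmac.compare_digest(totp(secret, t), code)


def scenario_security_key():
    """Returns (legit_ok, phish_browser_refused, forged_origin_rejected)."""
    auth = ToyAuthenticator()
    cred_id, key = auth.make_credential(RP_ID)
    challenge = secrets.token_hex(16)
    # 1. user typed the URL: page host equals the rpId, the RP accepts
    cd, ad, sig = browser_get_assertion(RP_ID, RP_ID, challenge, cred_id, auth)
    legit_ok = rp_verify_assertion(key, challenge, cd, ad, sig)
    # 2. user followed a link to the look-alike host: the browser will not let it claim the real rpId
    try:
        browser_get_assertion(PHISH_HOST, RP_ID, challenge, cred_id, auth)
        phish_refused = False
    except PermissionError:
        phish_refused = True
    # 3. even an assertion whose clientData carries the wrong origin fails the RP's origin check
    bad_cd = json.dumps({"type": "webauthn.get", "challenge": challenge,
                         "origin": f"https://{PHISH_HOST}"}).encode()
    ad2, sig2 = auth.get_assertion(RP_ID, cred_id, bad_cd)
    forged_rejected = not rp_verify_assertion(key, challenge, bad_cd, ad2, sig2)
    return legit_ok, phish_refused, forged_rejected


def scenario_totp():
    """The TOTP check has no origin input: the same six digits verify regardless of which page asked."""
    secret = secrets.token_bytes(20)
    now = int(time.time())
    return rp_verify_totp(secret, totp(secret, now), now)


if __name__ == "__main__":
    print("security key (legit, phish refused, forged origin rejected):", scenario_security_key())
    print("totp verifies with no notion of origin:", scenario_totp())
```

The contrast is in the two verify functions: `rp_verify_assertion` compares an origin the browser filled in, so a code path that typed the URL and one that followed a link are distinguishable to the server, while `rp_verify_totp` only sees six digits and a clock.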
My biggest concern is that I don't have a solid method to build the habit of using the devices. I started using pass to generate and store passwords. That doesn't work with just U2F keys, though, as far as I could tell.
Microsoft sites like Outlook and OneDrive.
Android is open source, and Linux-based. The licenses allow phone manufacturers to fork Android and integrate it with devices that only have closed-source binary blob drivers, without involving Google. The end result is a bunch of phones whose kernels (and thus OSes) are impossible to update. (I am told that Microsoft found this sufficiently frustrating and that it decided it would write its own drivers for the vast majority of hardware.)
Linux has a Very Good Reason to discourage binary driver compatibility -- it would rather see those drivers be open-sourced under GPL and moved in-tree. But the end result has seriously hurt the security of more than two-thirds of Android users -- users who otherwise should be inclined to choose open-source because they are paranoid about security.
I think the right answer is to require folks to have Android Q+ to continue to use security keys with an Android account, but I imagine that's not a viable choice because the optics would be that Google is doing a "money grab" in exchange for security.
That's just ridiculous.
"We’ve recently learned that Google Accounts has slipped their schedule for using Web Authentication to register new credentials. This delay is attributed to security key support on Android being, for most devices, non-upgradable."
Linux has had perfectly fine U2F support for ages. All you need on a normal desktop box is u2f-hidraw-policy and, optionally, the u2f CLI tools.
"Be conservative in what you do, be liberal in what you accept from others" is good practice in software, especially in open source. You can't be picky when you are the underdog anyway.
Maybe it's because, according to the article, "Google trampling WebAuthn standard" mischaracterises what is actually going on:
> We’ve recently learned that Google Accounts has slipped their schedule for using Web Authentication to register new credentials.
Do you think they planned legacy Android devices not being able to support the new standard?
* FastMail has implemented WebAuthn, the newer standard, which Firefox supports
* Google hasn't implemented WebAuthn because they have to(?) wait for the end-of-life of old Android devices.
* Firefox is going to put in an override so that you can use the old standard on Google accounts, which Google does support.
It sounds like Google's slowness to enable WebAuthn is a somewhat legitimate issue of backwards compatibility for old devices, though I haven't personally evaluated it.
They've changed the message in Firefox to make it a little clearer this is how to do it.
I'm also curious if anyone in this topic has advice for how to make U2F a habit. I posted https://news.ycombinator.com/item?id=19316509, but didn't get anything. :(
I should get it into upstream systemd.