I keep an extra Yubikey in my bank box, next to my other backup keys. The only account I'd be locked out of is Twitter since they only let you add 1 token (my primary).
AWS also only allows you to add a single device, much to my annoyance. I still haven’t found a solution for that that doesn’t involve risking getting locked out.
One answer I've seen is to create multiple users for the same person. The second user becomes the "backup" user with a different physical device and is used only to reset the primary.
At $dayjob I "solved" that problem by setting up SAML auth so we would all log in via G Suite (thus using 2FA via YubiKey there). A few months after I set that up, we got acquired by a big company that uses RSA SecurID software security tokens. The security policy mandates that you have only one active security token instance (which, BTW, acts as a password replacement instead of 2FA, I assume for better interop with legacy tools that only talk LDAP...).
Sure, I know. Just pointing out that, at least for AWS, you do not need recovery codes or a second device for MFA. For me personally, phone+email is good enough for my threat model.
Most sites let you set up both the Yubikey and a Google auth style TOTP. I always set up both, with TOTP codes saved in KeePassXC and SFTP'd to a backup server.
If I keep one with me and one at home, then I only have to worry about leaving both at home if I’m caught in the fire. Additionally, if I can prove who I am in person, or via friends’ attestations, or both, that’s a lot better than a forgot password form or SMS hijacking.
You’d then have to contact support to let you bypass 2FA, but if that’s possible then the 2FA protection is weak, prone to social hacking.