I keep an extra YubiKey in my bank box, next to my other backup keys. The only account I'd be locked out of is Twitter since they only let you add 1 token (my primary).
AWS also only allows you to add a single device, much to my annoyance. I still haven’t found a solution for that which doesn’t involve risking getting locked out.
One answer I've seen is to create multiple users for the same person. The second user becomes the "backup" user with a different physical device and is used only to reset the primary.
At $dayjob I "solved" that problem by setting up SAML auth so we would all log in via G Suite (thus using 2FA via YubiKey there). A few months after I set that up, we got acquired by a big company that uses RSA SecurID software security tokens. The security policy mandates that you have only one active security token instance (which BTW acts as a password replacement instead of 2FA, I assume for better interop with legacy tools that only talk LDAP...)
Sure, I know. Just pointing out that, at least for AWS, you do not need recovery codes or a second device for MFA. For me personally, phone+email is good enough for my threat model.