To avoid lockout, you need multiple ways to get into your more important accounts.
A phone is one way, and it's pretty good. A YubiKey is another good way. A third way is a printout of secure backup codes, kept with your important papers.
At that point you're pretty safe. (Although, if your phone and YubiKey are both lost while traveling, you might not be able to get in until you get home.)
Some services like GitHub and Google actually support this, but it's not that common yet.
The other lockout risk is access denied due to a policy violation (which could be a false positive) and adding authentication schemes won't help there; you need backups.
So it's great that this FIDO initiative lets people use their phones, but what's it going to take to make sure everyone has multiple, reasonably secure ways to get in?
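The comment's third way in, printed backup codes, plus its question of whether everyone has several independent ways to get in, can be shown concretely. The following is an added example and not the commenter's code or any service's implementation; `Account`, `issue_backup_codes`, `redeem_backup_code` and `ways_in` are hypothetical names, and the method labels ("phone", "yubikey") are constructed sample data. It generates single-use codes, stores only salted hashes so a database leak does not expose the printout, compares in constant time, burns a code after use, and counts how many ways remain if some methods are lost.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Alphabet without ambiguous glyphs (0/o, 1/l/i) so a printed code is easy to type back.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def _normalize(code: str) -> str:
    # Accept the code as printed ("abcde-fghij"), upper-cased, or without the dash.
    return code.replace("-", "").replace(" ", "").lower()


def _hash_code(code: str, salt: bytes) -> bytes:
    # Codes are random and high-entropy (~50 bits for 10 chars of this alphabet),
    # so a salted SHA-256 is sufficient; a slow password KDF is not needed here.
    return hashlib.sha256(salt + _normalize(code).encode()).digest()


@dataclass
class Account:
    """Hypothetical account record: enrolled sign-in methods plus hashed backup codes."""
    methods: set = field(default_factory=set)        # e.g. {"phone", "yubikey"}
    code_salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    code_hashes: list = field(default_factory=list)  # only hashes are stored


def issue_backup_codes(acct: Account, count: int = 10, length: int = 10) -> list:
    """Replace any existing codes; return plaintext once, for the printout."""
    acct.code_hashes.clear()
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
        code = raw[:length // 2] + "-" + raw[length // 2:]
        codes.append(code)
        acct.code_hashes.append(_hash_code(code, acct.code_salt))
    return codes


def redeem_backup_code(acct: Account, submitted: str) -> bool:
    """Accept a code at most once. Scans every stored hash with a constant-time
    compare so timing does not reveal which slot (if any) matched."""
    candidate = _hash_code(submitted, acct.code_salt)
    match_index = -1
    for i, stored in enumerate(acct.code_hashes):
        if hmac.compare_digest(candidate, stored):
            match_index = i
    if match_index < 0:
        return False
    del acct.code_hashes[match_index]  # single use: burn it
    return True


def ways_in(acct: Account, lost=()) -> int:
    """How many independent ways into the account remain after losing `lost`.
    Unused backup codes count as one way, named "backup_codes"."""
    remaining = set(acct.methods) - set(lost)
    if acct.code_hashes and "backup_codes" not in lost:
        remaining.add("backup_codes")
    return len(remaining)


if __name__ == "__main__":
    acct = Account(methods={"phone", "yubikey"})
    printout = issue_backup_codes(acct)
    print("print and file these:", printout)
    print("ways in now:", ways_in(acct))
    print("ways in with phone and key lost on a trip:", ways_in(acct, lost=("phone", "yubikey")))
```

The `ways_in` check is the kind of thing a service could surface at enrollment time: if losing the two devices a traveler carries would leave zero ways in, prompt the user to print codes before they leave.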