The specifics depend on the use case, but even if you fall back to something less secure like an email and TOTP, you still come out ahead overall because most authentications are done by U2F.
It’s not as big of a deal as you might expect because:
- The spec requires providers to allow independent addition / removal of multiple keys per account, so it’s easy to manage backup U2F keys.
- Providers can use any backup authentication method they want. This includes SMS codes, TOTP / HOTP apps, email resets, or maybe VCing in to tech support.
And even if the backup method is less awesome (e.g. sms codes) it still reduces your risk because because you use it less often.
It reduces the urge to whip out my mobile device at every moment of mild boredom, and collaborative apps like ported board games shine.
The one downside is that I look pretty silly when taking photos.