That's all well and good, but a few weeks later I have another service I'm going to sign up for... I have to... first go to my safe deposit box to grab my third key? If I don't, then it seems like it's a lot of bookkeeping.
Needless to say, I don't use these devices on my home depot account. I use them for Google, Github, Dropbox, I don't actually remember anything else. My DNS registrar doesn't support it :P
I also don't use my personal key for work stuff, and recovering my work key is my sysadmin's problem :)
That said, when I had admin accounts at work, we used TOTP with a similar scheme: when we registered important (admin) accounts we shared the second factor (the QR code) between 2 people, and sometimes I printed the QR code itself. This works for AWS, gsuite, github, etc. I still receive calls from old colleagues for TOTP codes occasionally :)
I actually just changed my DNS registrar to namecheap specifically because it supports U2F. I figure my domain is too important to risk losing because I use my domain for email.
You don't need to make it as elaborate as 'safe deposit box' or 'implanted into spouse' and most accounts that matter have other ways of recovery, e.g. an app-based authenticator, one-time recovery codes (a recovery code is something you might want to stick in a safe deposit box). You can just get, say, three hw keys, put one on a keychain another somewhere on your desk and a third in a drawer somewhere.
This is vulnerable to a house fire/other natural disaster. In general, I recommend having at least one thing offsite - whether that’s in a security deposit box, with a trusted friend or family member, in your desk at the office, or whatever.
The tech exists. My neighbor works for a company that does encoding of data on packaging. Goal is that every cereal box on the grocery aisle can be individually tracked.