As of today I do not own a hardware authentication device (YubiKey etc) but am very keen on acquiring one and starting to make use of the recently published WebAuthn standard wherever it is offered.<p>However, until today it eludes me how a credential backup/restore process is supposed to work, since it is only a question of WHEN not IF the hardware device becomes damaged/missing/stolen/'to be replaced by shiny new device'/etc.<p>Obviously, in any of these cases a process is needed to identify myself to all GAZILLION web properties that I enrolled on the old/damaged/missing/stolen/etc hardware device, revoke the credentials of the missing device and re-enroll a new authentication device... all in one go for all web pages that I enrolled on.<p>Non-starters for practical purposes are any kind of manual processes that would need to be performed for each web site individually, such as logging in with some 'printed emergency backup token' and enrolling a new hardware device on each web site.<p>I am aware that credentials cannot and must not be extracted from a hardware device (the raison d'être for using a hardware device). As far as I understand I am generally able to enroll a second hardware authentication device during the enrollment process, which would obviously defeat the purpose of a worst case / emergency / backup device if it always needs to be present in the same physical location as the primary device for enrollment purposes. Even in the simple case of always enrolling two authentication devices and just wanting to 'retire' one and enrolling a new device, I could not find any documentation on how to revoke the credentials of one device, authenticate with the remaining one, and to enroll a new 'backup' device for all GAZILLION web pages that I need to authenticate on.<p>How is this intended to work in practice? Am I missing something?