Far as I can tell, the best strategy when using any 2FA system personally is to enroll at least 2 authenticators, and keep one in a safe place (preferably that a family member or trusted friend can get to while you are traveling).
If either is compromised, you can use the other to log in and block it.
Thanks, this makes sense. I suppose you can buy as many Yubikeys as your paranoia dictates and potentially even distribute your backups in different physical locations.
Is there any potential for the Yubikeys to get "out of sync"? Or do you just initialize both Yubikeys upfront, and then distribute them to a safe place?
If either is compromised, you can use the other to log in and block it.