> Are there any FIDO security keys that explicitly support backing up and restoring their master secrets?
Yup there are for sure, for I tried it and it works. Now: I tried it out of curiosity and I'm not actually using it atm, so I don't know where it's at but...
I tried on Ledger hardware wallets (stuff meant for cryptocurrencies, but I tried them precisely for the U2F app): initialize the device with a seed of my own and then register to FIDO2/U2F/webauthn sites. Worked fine.
Took a second hardware wallet, initialized it with the exact same seed: boom, it's working fine and I could login using that 2nd HSM device as the 2FA.
Note that as soon as I used the 2nd device, the first one wasn't working anymore: if I wanted it to work again, I'd need to reinstall the U2F app on the HSM device (the way the device works is it only accepts apps that are signed, and that is enforced by the HSM itself: the HSM has the public key of the Ledger company so it can only install "apps", like the U2F app, that are actually signed by Ledger... I'm not saying that's 100% foolproof, but it's not exactly the most hackable thing on earth either).
The reason you cannot use both devices at once is because of how an increment number is used: it has to be monotonically increasing and when the app is installed on the HSM, it uses the current time to initialize its counter.
I haven't checked these lately: I know the specs evolved and I know Ledger said they were coming with a new U2F app but I didn't follow the latest developments.
Still: I 100% confirm to you that it's not only doable but it's actually been done.
> requires that I am able to regain access to my digital accounts using nothing but a few-page paper backup including core service passwords & exported TOTP secrets.
EDIT: you basically save a 256-bit master seed as a list of 24 words (out of a fixed dictionary of precisely 2048 words, so 11 bits of entropy per word). 264 bits altogether: the last word contains 3 bits of the seed and 8 bits of checksum.
Trivial to write down. Very little chance of miswriting it for: a) you must prove to the HSM you wrote your seed down correctly and b) the dictionary is known and hardly any word can be mistaken for another.
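As an added illustration (not the commenter's code, and a simplified model rather than Ledger's actual firmware or any relying party's implementation), the following shows the two mechanics described in the post: how 256 bits of seed plus an 8-bit checksum are split into 24 eleven-bit word indices, and why a relying party that enforces a monotonically increasing signature counter stops accepting the first device once a clone initialised with a later clock value has been used. The word list itself is not embedded; the functions work on dictionary indices only.

```python
import hashlib

# --- Part 1: the 24-word layout (256 seed bits + 8 checksum bits = 24 x 11 bits) ---
def seed_to_word_indices(entropy: bytes) -> list[int]:
    """Append the first 8 bits of SHA-256(entropy) and cut into 24 indices in 0..2047."""
    if len(entropy) != 32:
        raise ValueError("expected a 256-bit seed")
    checksum = hashlib.sha256(entropy).digest()[0]         # 8-bit checksum
    bits = (int.from_bytes(entropy, "big") << 8) | checksum  # 264 bits total
    return [(bits >> (11 * (23 - i))) & 0x7FF for i in range(24)]

def word_indices_to_seed(indices: list[int]) -> bytes:
    """Reverse mapping; raises ValueError when a miswritten word breaks the checksum."""
    if len(indices) != 24 or any(not 0 <= w < 2048 for w in indices):
        raise ValueError("need exactly 24 indices in 0..2047")
    bits = 0
    for w in indices:
        bits = (bits << 11) | w
    entropy = (bits >> 8).to_bytes(32, "big")
    if (bits & 0xFF) != hashlib.sha256(entropy).digest()[0]:
        raise ValueError("checksum mismatch: at least one word was written down wrong")
    return entropy

# --- Part 2: clone detection via the signature counter (simplified model) ---
class Authenticator:
    """Two instances built from the same seed produce the same credential id."""
    def __init__(self, seed: bytes, install_time: int):
        self.cred_id = hashlib.sha256(b"credential-id|" + seed).hexdigest()  # stand-in
        self.counter = install_time  # the app seeds its counter from the clock at install

    def assertion(self) -> tuple[str, int]:
        self.counter += 1            # every signature bumps the counter
        return self.cred_id, self.counter

class RelyingParty:
    """Stores the highest counter seen per credential and rejects anything not above it."""
    def __init__(self) -> None:
        self.last_counter: dict[str, int] = {}

    def verify(self, cred_id: str, counter: int) -> bool:
        if counter <= self.last_counter.get(cred_id, -1):
            return False             # counter did not increase: treat as a possible clone
        self.last_counter[cred_id] = counter
        return True
```

Re-registering (the post's "reinstall the app") resets the server-side counter for a fresh credential, which is why the locked-out device works again afterwards.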