How should a company manage physical 2FA tokens?
Physical 2FA tokens, such as smart cards or YubiKeys, are becoming more popular in large companies for authentication purposes. However, one issue with them is availability: When a physical 2FA token is lost or gets broken, the user is by design not able to authenticate anymore.
How should a company manage their physical 2FA tokens to ensure employees who lose their 2FA tokens can get access back as soon as possible?
Here are some possible solutions I thought of:
Keep some empty tokens as backup
By keeping a handful of empty tokens as backup, these can be personalized by IT relatively quickly, and should allow the users to continue working. The downside is that, given the current situation forcing many people to work from home, employees may not be able to pick up a new token immediately, which can lead to significant downtime.
Give everyone a second token
Basically, employees are given two tokens (let's call them "primary" and "backup" tokens), and told to keep their backup tokens in a safe place. Should the primary token become unavailable due to loss or malfunction, the secondary token can be accessed rather easily. The downside here is that this essentially doubles the cost for 2FA tokens, while also increasing attack surface.
The common practice is to be able to ship a replacement token ASAP to the user. Spares or being able to drop-ship from a supplier are common approaches.
You invalidate the lost token, and remove the need for 2FA for that user, and add in additional protections to limit the risk in the meantime. Then walk the user through setting up the new token when it arrives.
Giving people 2 tokens is silly. It's crazy expensive, and you expand the attack surface. If the "backup" token is lost, would the user have visibility of it? How long would a backup be lost before it was noticed?
Best option yet is to use soft tokens (apps). They can use spare or backup equipment, or even a PC-based app until an acceptable option is put in place.
FIDO released a Token Lifecycle Whitepaper (April 2021) with a section on practices to consider for lost tokens (page 6). It says what I say above.
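The lifecycle the answer describes (invalidate the lost token, fall back to a time-boxed and restricted no-token path while a replacement ships, enrol the new token and close the fallback, and keep an eye on whether "backup" tokens are actually still in the user's hands) can be modelled as a small registry. The code below is an added example written for this page, not code from the original post or from FIDO; user names, serials, the scope names and the five-day shipping window are constructed assumptions.

```python
"""Physical-token lifecycle registry (added example, not from the original post).

Models enrolment of primary/backup tokens, revocation of a lost token, a
time-boxed fallback restricted to low-risk scopes while a replacement is in
transit, closing the fallback on re-enrolment, and a report of backup tokens
that nobody has proven they still hold.  All names and values are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional, Tuple


class TokenState(Enum):
    ACTIVE = "active"
    REVOKED = "revoked"


@dataclass
class Token:
    serial: str
    role: str                              # "primary" or "backup"
    state: TokenState = TokenState.ACTIVE
    last_seen: Optional[datetime] = None   # last successful use or attestation


@dataclass
class Fallback:
    expires_at: datetime                   # hard stop, whether or not the token arrived
    allowed_scopes: frozenset              # what a password-only session may reach


@dataclass
class UserRecord:
    tokens: Dict[str, Token] = field(default_factory=dict)
    fallback: Optional[Fallback] = None


class TokenRegistry:
    FALLBACK_SCOPES = frozenset({"email", "chat"})   # assumed low-risk scopes
    FALLBACK_TTL = timedelta(days=5)                 # assumed replacement shipping window
    BACKUP_ATTEST_EVERY = timedelta(days=90)         # assumed "prove you still have it" interval

    def __init__(self) -> None:
        self.users: Dict[str, UserRecord] = {}
        self.audit: List[Tuple[datetime, str]] = []

    def _log(self, now: datetime, msg: str) -> None:
        self.audit.append((now, msg))

    def enroll(self, user: str, serial: str, role: str, now: datetime) -> None:
        rec = self.users.setdefault(user, UserRecord())
        if serial in rec.tokens:
            raise ValueError(f"serial {serial} already enrolled for {user}")
        rec.tokens[serial] = Token(serial, role, last_seen=now)
        self._log(now, f"ENROLL {user} {role} {serial}")

    def report_lost(self, user: str, serial: str, now: datetime) -> bool:
        """Revoke the token. Returns True if a fallback had to be opened
        (no other active token), False if another token still covers the user."""
        rec = self.users[user]
        rec.tokens[serial].state = TokenState.REVOKED
        self._log(now, f"REVOKE {user} {serial}")
        if any(t.state is TokenState.ACTIVE for t in rec.tokens.values()):
            return False
        rec.fallback = Fallback(now + self.FALLBACK_TTL, self.FALLBACK_SCOPES)
        self._log(now, f"FALLBACK-OPEN {user} until {rec.fallback.expires_at.isoformat()}")
        return True

    def authorize(self, user: str, serial: Optional[str], scope: str, now: datetime) -> bool:
        """Decide an access request. serial=None is the password-only fallback path."""
        rec = self.users.get(user)
        if rec is None:
            return False
        if serial is not None:
            tok = rec.tokens.get(serial)
            if tok is None or tok.state is not TokenState.ACTIVE:
                self._log(now, f"DENY {user} token {serial} not active")
                return False
            tok.last_seen = now            # a use counts as proof of possession
            return True
        fb = rec.fallback
        if fb is None or now >= fb.expires_at or scope not in fb.allowed_scopes:
            self._log(now, f"DENY {user} no token, scope={scope}")
            return False
        self._log(now, f"ALLOW-FALLBACK {user} scope={scope}")
        return True

    def enroll_replacement(self, user: str, serial: str, now: datetime) -> None:
        """Walk-through complete: the new token is live, so the fallback closes at once."""
        self.enroll(user, serial, "primary", now)
        self.users[user].fallback = None
        self._log(now, f"FALLBACK-CLOSE {user}")

    def stale_backups(self, now: datetime) -> List[Tuple[str, str]]:
        """Backup tokens with no use or attestation inside BACKUP_ATTEST_EVERY:
        the ones whose loss would otherwise go unnoticed."""
        stale = []
        for user, rec in self.users.items():
            for t in rec.tokens.values():
                if t.role == "backup" and t.state is TokenState.ACTIVE and (
                    t.last_seen is None or now - t.last_seen > self.BACKUP_ATTEST_EVERY
                ):
                    stale.append((user, t.serial))
        return stale


if __name__ == "__main__":
    t0 = datetime(2021, 5, 1, tzinfo=timezone.utc)
    reg = TokenRegistry()
    reg.enroll("alice", "YK-001", "primary", t0)
    reg.report_lost("alice", "YK-001", t0)
    print(reg.authorize("alice", None, "email", t0 + timedelta(days=1)))   # fallback allowed
    print(reg.authorize("alice", None, "vpn", t0 + timedelta(days=1)))     # out of scope
    for when, line in reg.audit:
        print(when.isoformat(), line)
```

The fallback deliberately has both a scope allow-list and an expiry that is independent of the replacement's arrival, so a shipment that never shows up does not leave a password-only account open indefinitely; `stale_backups` is the report that answers the answer's own question of how long a backup could be missing before anyone noticed.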