With the FIDO2 certification of Windows Hello, Microsoft is putting the 800 million people who use Windows 10 one step closer to a world without passwords.
No one likes passwords (except hackers). ...
Updated May 07, 2019
Version 2.0
Blog Post
Mike-E Migrating Authenticator codes eg. shared secrets is a bit irrelevant, because they are not different than passwords and something you know and not something you have like a hardware security key.
And so anyone can at least take screenshots of the QR Codes containing the shared secrets and save them in case the device where they was added gets lost or blows up (already happened to me with a Samsung S7). It's also easily possible to get the whole databases out of mobiles btw. And how easy it is to 'steal' varies from brand to brand and model to model. Like on the iPhones it's possible to get it without rooting the mobiles, while on androids it isn't possible without rooting the phone.
So my advise is to at least use and add them to multiple Authenticators, like on mobiles and on tablets and also to save a screenshot of the QR Matrix somewhere on a USB Stick that you can put into a safe in case you need to add it somewhere else.
The more secure alternative to simply saving screenshots which could easily be stolen, is to also add all shared secrets to WinAuth (Authenticator Tool that runs on Windows), because you can protect them with a Hardware Security Key there and the tool supports exporting the whole database and even is able to display the original QR on screen in case you need to scan it with a new mobile etc.
So even if it may hurt TOTP/HOTP solutions aren't 2FA at all, they are fake 2FA that don't provide any more security than a additional password. And the shared secrets can also be stolen from the servers or mobiles along with stored passwords. Of course you also can steal Hardware Security Keys, but the difference is they can only be stolen physically what you will notice, while the shared secrets of the TOTP/HOTP can easily be stolen without you knowing, just like passwords.
And so if companies want to provide 2FA they should simply support FIDO U2F and forget all those fake 2FA methods like EMAIL, SMS and App based TOTP/HOTP with shared secrets that can be stolen directly from the servers.
And it's nice that MS now supports FIDO U2F and FIDO2 but it's a bit useless if it intentionally only works with Edge, it should work with every browser that supports it and that are almost all now a day, because I don't want to be dependent of a specific browser. Further I don't want to also have less secure methods (EMAIL, SMS, APP) TOTP/HOTP, Phone or backup codes active that could be abused to downgrade security if I already have several FIDO U2F or FIDO2 Hardware Security Keys registered.
I currently own about 8 FIDO U2F Keys and about 4 FIDO2 Keys where one of them has a finger print sensor to secure the FIDO2 credentials. Unfortunately 99% of all sites and services still only supports fake TOTP/HOTP 2FA or even worse nothing at all. It also may be hard, but such companies somehow reminds me anti-vaxxers and if I would be an insurance company I wouldn't pay a cent in case of a incident if they not at least support FIDO U2F.