My policy is to enroll multiple WebAuthn keys and treat the second, third etc. key as the backup.