multi factor – How should a company manage physical 2FA tokens?

Physical 2FA tokens, such as smart cards or YubiKeys, are becoming more popular in large companies for authentication purposes. However, one issue with them is availability: when a physical 2FA token is lost or gets broken, the user is, by design, no longer able to authenticate.

How should a company manage their physical 2FA tokens to ensure employees who lose their 2FA tokens can get access back as soon as possible?

Here are some possible solutions I thought of:

Keep some empty tokens as backup

By keeping a handful of empty tokens as backup, these can be personalized by IT relatively quickly, and should allow the users to continue working. The downside is that, given the current situation forcing many people to work from home, employees may not be able to pick up a new token immediately, which can lead to significant downtime.

Give everyone a second token

Basically, employees are given two tokens (let's call them "primary" and "backup" tokens) and told to keep their backup tokens in a safe place. Should the primary token become unavailable due to loss or malfunction, the backup token can be accessed rather easily. The downside here is that this essentially doubles the cost of 2FA tokens, while also increasing the attack surface.
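The second option only works if the authentication backend can hold more than one registered token per user and can revoke a single token without locking the account. The following is an added example (not code from the question or from any token vendor) that models that server-side logic with a constructed, stdlib-only stand-in for a hardware token: each `HardwareToken` answers a random challenge with HMAC-SHA256 over a device-bound secret plus a monotonically increasing counter. Real FIDO2/U2F tokens sign with an asymmetric key instead, so the `HardwareToken` class, the `yk-primary`/`yk-backup` credential IDs and the user name are all assumptions; the registry behaviour (enrol two tokens, revoke the lost one, reject replays and the revoked token, keep logging in with the backup) is the part being demonstrated.

```python
"""Toy credential registry for a user who holds a primary and a backup token.

Constructed example: tokens are simulated with HMAC-SHA256 over a
device-bound secret. Real FIDO2/U2F tokens use asymmetric keys, but the
management logic (several tokens per user, revoke one, keep the other)
is the same.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class HardwareToken:
    """Stand-in for a physical token; the secret never leaves the object."""
    credential_id: str
    _secret: bytes = field(default_factory=lambda: secrets.token_bytes(32), repr=False)
    counter: int = 0  # incremented on every response, like a FIDO sign counter

    def register(self) -> tuple[str, bytes]:
        # A real token would hand the server a public key; here the server
        # receives a copy of the shared secret (assumption of this toy model).
        return self.credential_id, self._secret

    def respond(self, challenge: bytes) -> tuple[str, int, bytes]:
        self.counter += 1
        msg = challenge + self.counter.to_bytes(4, "big")
        return self.credential_id, self.counter, hmac.new(self._secret, msg, hashlib.sha256).digest()


class CredentialRegistry:
    """Server side: several credentials per user, each revocable on its own."""

    def __init__(self) -> None:
        # user -> {credential_id: {"key": bytes, "counter": int, "label": str}}
        self._creds: dict[str, dict[str, dict]] = {}
        self._pending: dict[str, bytes] = {}  # one outstanding challenge per user

    def enroll(self, user: str, token: HardwareToken, label: str) -> None:
        cid, key = token.register()
        self._creds.setdefault(user, {})[cid] = {"key": key, "counter": 0, "label": label}

    def revoke(self, user: str, credential_id: str) -> None:
        # Drops only this token; the user's other tokens keep working.
        del self._creds[user][credential_id]

    def active_labels(self, user: str) -> list[str]:
        return sorted(c["label"] for c in self._creds.get(user, {}).values())

    def challenge(self, user: str) -> bytes:
        ch = secrets.token_bytes(32)
        self._pending[user] = ch
        return ch

    def verify(self, user: str, credential_id: str, counter: int, response: bytes) -> bool:
        ch = self._pending.pop(user, None)  # a challenge is consumed on first use
        cred = self._creds.get(user, {}).get(credential_id)
        if ch is None or cred is None:
            return False  # no outstanding challenge, or token revoked/unknown
        if counter <= cred["counter"]:
            return False  # replayed response or a cloned token lagging behind
        expected = hmac.new(cred["key"], ch + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False
        cred["counter"] = counter
        return True


def login(registry: CredentialRegistry, user: str, token: HardwareToken) -> bool:
    cid, counter, resp = token.respond(registry.challenge(user))
    return registry.verify(user, cid, counter, resp)


def lost_token_scenario() -> tuple[bool, bool, bool]:
    """Enrol primary + backup, lose the primary, recover with the backup."""
    reg = CredentialRegistry()
    primary = HardwareToken("yk-primary")   # assumed credential IDs
    backup = HardwareToken("yk-backup")
    reg.enroll("alice", primary, "primary")
    reg.enroll("alice", backup, "backup (kept in a safe place)")
    worked_before = login(reg, "alice", primary)
    reg.revoke("alice", "yk-primary")        # user reports the primary as lost
    finder_tries = login(reg, "alice", primary)  # whoever picked it up
    recovered = login(reg, "alice", backup)
    return worked_before, finder_tries, recovered


if __name__ == "__main__":
    print(lost_token_scenario())
```

Two details matter for the "increased attack surface" concern: revoking the lost token must be a per-credential operation, so the finder of the primary is locked out while the backup still works, and each challenge is single-use with a strictly increasing counter, so a captured response (or a clone of the token) cannot be replayed against the backend.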