I'm assuming instead of saying "forgot password?" the text would say "lost your key?" or "don't have your device?". But what would the process of secondary access look like in the future when passwords are ..ahem.. dead?

Would sending a login link to emails still be the primary method of access? Although, you'd need your FIDO2 device for accessing emails in this fictional future. Would you perhaps need to use multiple security keys as backup (equivalent to TOTP one-time recovery codes)?

eternaltyro

1 Answer

There are legitimate reasons for why a user may not have their authenticator with them, such as:

  • They have lost access to their authenticator (lost, stolen, etc.)
  • Their authenticator broke
  • Their authenticator is not compatible with the device they try to access your site from

There are several possible ways to react to this now, and it's best to offer the user several options:

Sign-in With a Different Authenticator

That could be a Time-Based One-Time Password (TOTP), as is supported in multiple "authenticator" apps, or a hardware-based key like a YubiKey. Certain mobile phones also support similar hardware-backed solutions.

This solution works well if you encourage your user to register several different methods, so in case one is unavailable, another one can be selected. However, if your user only registered, say, a TOTP app and then their phone takes an unexpected fall, that may be an issue.

Offer Printable Backup Codes

One option several platforms offer is to create a set of "backup codes", which are long, automatically generated codes. Users are encouraged to print them out and keep them in a safe place. The advantage of this is that it's pretty low-tech, so it's hard for a piece of paper to break or get hacked, and users themselves can choose how many copies they'd like to make. More copies offer higher availability, but also increase the risk of an adversary gaining access to the copies.

Of course, this solution also requires the user to be prepared beforehand. Hindsight is 20/20, as they say.

Sign-in On Another Device

If you are authenticated on your mobile device and wish to authenticate on, say, a desktop device, then one possibility is to let the already authenticated device generate a one-time code. The process works as follows:

  1. User "foobar" wishes to log into example.com on their laptop
  2. User does not have any compatible authentication methods on their laptop
  3. User selects to authenticate with an already authenticated device (e.g. their phone)
  4. Application generates a link like example.com/auth/5GH8D3
  5. User types this link into their phone, where they're already authenticated
  6. The website returns a one-time code like 8DFG 66TN
  7. User enters this one-time code in their laptop and is authenticated

The advantage of this is that, as long as at least one device has access, other devices can gain access again as well, which allows the user to register more authenticator options.

Offer to Contact Them Via Already Verified Channels

Some users may simply be out of luck and only have one authenticator, and that may break. In that case, contacting the user via already verified channels, such as e-mail, may be an option. However, users should expect significant delay here, like one week or so. In this case, users should first be notified via every possible means that an account-recovery process was initiated and that, if they did not initiate that, they should immediately contact support.

After 7 days or such, users contacted by support must show some sort of proof that they own the account. This differs from application to application, but Steam for example asks you about your last purchases.

Naturally, this will also allow malicious actors to gain access to the account, so it should be possible for the user to disable this option. Just make sure that you add a big, bold warning sign like WARNING! IF YOU DISABLE THIS OPTION AND LOSE ACCESS TO YOUR AUTHENTICATOR, THERE IS NO WAY TO RECOVER YOUR ACCOUNT. BY SELECTING THIS OPTION, YOU EXPLICITLY ACCEPT THE RISK THAT YOUR ACCOUNT MAY BE LOST WITHOUT ANY RECOVERY! You know, something like that...

  • Identity proofing also plays an important role in the passwordless future. E.g. using a government issued ID during sign up or account recovery is another option to add to the list above. – Luke Walker May 19 '21 at 21:16
  • @LukeWalker I'll be honest, if a web application requires a government ID, that is a great way to make sure I will never ever use it. –  May 20 '21 at 11:05
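The "Sign-in On Another Device" flow from the answer above, written out as server-side logic. This is an added example, not code from the answer or from any real site; the in-memory store, the `LINK_TTL` and `MAX_ATTEMPTS` policy values and the `phone_user` argument (the account the already-authenticated phone session belongs to) are assumptions, and the link id and one-time code are bound to each other, expire, and are single-use so a leaked or guessed code cannot be replayed.

```python
import hmac
import secrets
import time

LINK_TTL = 120      # seconds a pending link stays valid (assumed policy value)
MAX_ATTEMPTS = 3    # wrong one-time codes tolerated before the link is voided


class CrossDeviceLogin:
    """Server-side state for 'sign in on another device'.
    pending: link_id -> {created, user, code, attempts}"""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.pending = {}

    def start(self):
        # Step 4: the unauthenticated laptop receives an unguessable link id
        # (shown as example.com/auth/<link_id>); it is tied to that browser.
        link_id = secrets.token_urlsafe(8)
        self.pending[link_id] = {"created": self.now(), "user": None,
                                 "code": None, "attempts": 0}
        return link_id

    def approve(self, link_id, phone_user):
        # Steps 5-6: the already-authenticated phone opens the link; the
        # server binds the link to that account and returns a one-time code.
        p = self.pending.get(link_id)
        if p is None or self.now() - p["created"] > LINK_TTL or p["user"]:
            return None         # unknown, expired, or already approved
        p["user"] = phone_user
        p["code"] = f"{secrets.randbelow(10**8):08d}"
        return p["code"]

    def redeem(self, link_id, code):
        # Step 7: the laptop submits the code; returns the user or None.
        p = self.pending.get(link_id)
        if p is None or p["user"] is None:
            return None         # nothing to redeem yet
        if self.now() - p["created"] > LINK_TTL:
            del self.pending[link_id]
            return None         # expired: discard so it cannot be retried
        if not hmac.compare_digest(p["code"], code):
            p["attempts"] += 1
            if p["attempts"] >= MAX_ATTEMPTS:
                del self.pending[link_id]   # void the link after guessing
            return None
        del self.pending[link_id]   # single use: the code never works twice
        return p["user"]
```

The phone side should display which account is about to approve the link, and the laptop's new session should then offer to register an authenticator, which is the point the answer makes about regaining access on other devices.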