I learned the other day that FIDO2 keys have a counter so that if an attacker does manage to clone the key, and both keys continue to be used, the counter for them will desync and the server can detect the clone.
Pretty cool, wonder how that plays out in practice.
Conversation
Replying to
You have to deal with this when you recover from the seed phrase on a BIP39-based device like a Trezor with U2F/FIDO2 support. The simplest approach is setting the counter to the current Unix time since you have no clue what it had gotten up to before you had to recover.