I think the obvious failure here in your hypothetical is that you did not have an off-site backup. Superficially it looks like you do, because everything is in the cloud. However, it's not an off-site backup unless your encryption keys are also backed up off-site, along with the credentials to access it all (and yes, your second factor is a credential). In this hypothetical, all your second factors (security keys, phone, paper with recovery codes) were stored on-site, which is why everything failed.
You mention storing a USB stick with a friend, but then only consider the unworkable solution of storing a frequently changing target (backup codes for all your services). All you really need to store is the credentials and keys to restore from your off-site backup, and possibly for your email account. That is probably just the recovery codes (and passwords if not memorized) for your cloud site(s) and your email account, and maybe a spare security key that's authorized for those accounts if that's in your budget. Those shouldn't need to be updated very often. Encrypt those with the same passphrase you use for your password manager (which you presumably have memorized). You can reduce the risk of your friend or their kid misplacing/wiping it with an envelope and marker (pretty cheap). As for the concurrent loss of both sites, do you only have one friend? Do they all live in the same city?
Other solutions include using another cloud backup site which you only put your encrypted password store in, and then don't turn on 2FA for that one (it's only protecting an encrypted file). I've even seen the suggestion somewhere to store your encrypted password file in the public part of your cloud account, but that effectively turns off 2FA for your password management.
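The dependency argument in the comment above, worked through as an added example that is not part of the original comment: a small model of which items are still usable after a site is lost. All item and site names are constructed, and it assumes the passphrase is memorized and the cloud password and backup encryption key live in the password store.

```python
# Added illustration; item and site names are constructed, not from the comment.
# Each item maps to copies: (site holding the copy, items needed to use that copy).
DERIVED = "derived"  # pseudo-site: usable wherever its prerequisites are usable

def baseline():
    """The hypothetical: data in the cloud, every second factor kept at home."""
    return {
        "password_store": [("home", ["passphrase"]),
                           ("cloud", ["passphrase", "cloud_access"])],
        "cloud_password": [(DERIVED, ["password_store"])],
        "backup_key":     [(DERIVED, ["password_store"])],
        "cloud_2fa":      [("home", [])],  # security keys, phone, paper codes
        "cloud_access":   [("cloud", ["cloud_password", "cloud_2fa"])],
        "backup_data":    [("home", []),
                           ("cloud", ["cloud_access", "backup_key"])],
    }

def with_offsite_kit(items, site="friend"):
    """Add a passphrase-encrypted kit: cloud password plus recovery codes only."""
    kit = {name: list(copies) for name, copies in items.items()}
    kit["cloud_password"].append((site, ["passphrase"]))
    kit["cloud_2fa"].append((site, ["passphrase"]))
    return kit

def recoverable(items, memorized, lost_sites):
    """Fixed-point search: which items can still be used once lost_sites are gone?"""
    have = set(memorized)
    changed = True
    while changed:
        changed = False
        for name, copies in items.items():
            if name in have:
                continue
            if any(site not in lost_sites and all(n in have for n in needs)
                   for site, needs in copies):
                have.add(name)
                changed = True
    return have

if __name__ == "__main__":
    plans = [("no kit", baseline()), ("kit at friend", with_offsite_kit(baseline()))]
    for label, items in plans:
        for lost in [{"home"}, {"home", "friend"}]:
            ok = "backup_data" in recoverable(items, {"passphrase"}, lost)
            print(f"{label:14} lost={sorted(lost)} restore possible: {ok}")
```

Without the kit, losing the home site leaves a cycle (the password store needs cloud access, which needs the password store), so only the memorized passphrase survives.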