Immediate Action to Protect Internet Identity w/ Seed Phrases

Something mentioned in another topic, re-posting here @lastmjs for visibility and comments.

More specifically:

One very likely “device” to be stolen is IMHO a non-physical device, and that would in our case be the “recovery phrase”. Is there anything we can do to prevent this theft?

Maybe we can require entering multiple authentication and/or recovery devices (i.e. n out of m total auth schemes) in order to be able to remove the “recovery phrase”? The actual required mix of the devices would be open for discussion, of course.

But thinking a bit more about it, it might make sense to have to do this for any removal of the authentication devices? Otherwise, someone could remove authentication devices one by one until only the recovery phrase is left, and then add their own authentication device, and then they have the “majority”.

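A small model of the removal policies discussed in the post above, added here as an illustration; it is not part of the original post and is not Internet Identity code. The `Anchor` class, the credential names and the policy labels are hypothetical, and gating additions with the same threshold under the `"all"` policy is an assumption of this example (the post only discusses removals).

```python
RECOVERY = "recovery_phrase"  # hypothetical credential name


class Anchor:
    """Hypothetical identity anchor: a set of credentials plus a change policy."""

    def __init__(self, credentials, n, policy):
        self.credentials = set(credentials)
        self.n = n            # approvals required for a gated change
        self.policy = policy  # "single" | "phrase_only" | "all"

    def _needed(self, target):
        gated = self.policy == "all" or (
            self.policy == "phrase_only" and target == RECOVERY)
        # Cap at the number of registered credentials so the anchor cannot lock up.
        return min(self.n, len(self.credentials)) if gated else 1

    def _approved(self, target, approvers):
        # Only credentials currently registered on the anchor count as approvals.
        return len(set(approvers) & self.credentials) >= self._needed(target)

    def remove(self, target, approvers):
        if target in self.credentials and self._approved(target, approvers):
            self.credentials.remove(target)
            return True
        return False

    def add(self, new, approvers):
        if self._approved(new, approvers):
            self.credentials.add(new)
            return True
        return False


def phrase_holder_takes_over(policy, n=2):
    """Replay the scenario from the post: only the recovery phrase is stolen."""
    owner = {"laptop", "phone", "security_key"}  # constructed sample devices
    anchor = Anchor(owner | {RECOVERY}, n, policy)
    held = {RECOVERY}
    for device in sorted(owner):
        anchor.remove(device, held)         # one-by-one removal attempt
    anchor.add("unknown_device", held)      # enrolment attempt
    return not (anchor.credentials & owner)  # True = owner fully locked out


def owner_can_revoke_phrase(n=2):
    """Under the "all" policy the owner revokes a stolen phrase with n devices."""
    anchor = Anchor({"laptop", "phone", "security_key", RECOVERY}, n, "all")
    return anchor.remove(RECOVERY, {"laptop", "phone"})
```

Gating only the removal of the recovery phrase (`"phrase_only"`) gives the same outcome as no gating at all, which is the point of the post's last paragraph.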