Internet Identity Lack Of Security

For improving the II we could discuss:

  1. creating two levels of authentication methods, higher level and lower level, and you need to be logged in with a higher level method in order to remove (i.e. delete) a lower level method. But
    a) using the higher level must be optional,
    b) the user must be able to choose which method to put on the higher level (for some it is the phrase, for others a Yubikey, etc.),
    c) it must be possible to put more than one method on the higher level if the user wants that.
    This is just like an admin vs user account in an OS. You can create multiple accounts of either type.

  2. Introducing a threshold, so that, for example, you need to call “delete” with two out of three authentication methods in order to be able to delete an authentication method.

6 Likes
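
The two proposals above combined into one removal check, as an added example that is not part of the original post and not Internet Identity's own code. `Anchor`, `Level`, `Deny`, `check_remove` and `sample_anchor` are hypothetical names; removing a higher-level method is assumed to need a higher-level approver as well, which the post leaves open.

```rust
use std::collections::{BTreeMap, BTreeSet};

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Level { High, Low }

#[derive(PartialEq, Eq, Debug)]
pub enum Deny { UnknownTarget, NeedsHigherLevel, BelowThreshold { have: usize, need: usize } }

/// Hypothetical per-identity state: registered methods and the removal threshold.
pub struct Anchor {
    pub methods: BTreeMap<String, Level>,
    pub threshold: usize, // 1 = a single method suffices, 2 = "two out of three"
}

impl Anchor {
    /// `approvers` are the methods that authenticated the "delete" call.
    pub fn check_remove(&self, target: &str, approvers: &[&str]) -> Result<(), Deny> {
        if !self.methods.contains_key(target) {
            return Err(Deny::UnknownTarget);
        }
        // Count each registered method once; unknown or repeated names add nothing.
        let valid: BTreeSet<&str> = approvers.iter().copied()
            .filter(|m| self.methods.contains_key(*m)).collect();
        // Proposal 2: at least `threshold` distinct methods must approve.
        if valid.len() < self.threshold {
            return Err(Deny::BelowThreshold { have: valid.len(), need: self.threshold });
        }
        // Proposal 1: the higher level is optional, so enforce it only if one exists.
        let has_high = self.methods.values().any(|l| *l == Level::High);
        let high_approved = valid.iter().any(|m| self.methods[*m] == Level::High);
        if has_high && !high_approved {
            return Err(Deny::NeedsHigherLevel);
        }
        Ok(())
    }
}

/// Constructed sample identity: the phrase is High, two devices are Low, threshold 2.
pub fn sample_anchor() -> Anchor {
    let methods: BTreeMap<String, Level> =
        [("phrase", Level::High), ("yubikey", Level::Low), ("laptop", Level::Low)]
            .iter().map(|&(n, l)| (n.to_string(), l)).collect();
    Anchor { methods, threshold: 2 }
}

fn main() {
    let a = sample_anchor();
    println!("{:?}", a.check_remove("laptop", &["yubikey", "laptop"]));
    println!("{:?}", a.check_remove("laptop", &["phrase", "yubikey"]));
}
```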