> It's logically equivalent to having a backup key, but it's more secure because if you lose a key, you can use another key to disable the lost key.

That's slightly more convenient but I don't see how it is more secure. With one key that has backups if I lose that key I can use one of the backups to disable that key.

Multiple keys is slightly more convenient in that scenario because with multiple keys I just have to disable the key that was lost, and then make a new key for the device that held that key and install it. With one key on multiple devices I'll have to install the new key on all of them.

Convenience is a key aspect of security, but consider the scenario where you have to replace all your locks while you issue a new key... you have to keep the extant key valid for a longer period of time.

The problem is you don’t actually know these keys do or do not work until you need them to. This is not a trivial failure mode for many systems.

The same is true for physical keys for cars, houses, lockers, etc., which is why people have an intuition to test out keys to make sure that they work.

Most people aren't going to do that for the standby keys. And while they test out the real keys, they mostly don't go from working to not working because someone did a garbage collection/unused keys pass or failed to update some field or deleted something on a server.

Yup. Instead they stop working because of rust, corrosion, wear & tear, or heat distortion from improper storage...

There seems to be an obsession that if a digital key doesn't comprehensively solve all problems, it's terrible, despite the empirical evidence that people are fully capable of using physical keys despite their limitations.