I cannot stress this enough: if you lose physical possession of your hardware, then you MUST assume it is compromised and act accordingly.
@jakehamilton yeah... sigh. you may have noticed us rotating our keys a few months ago when several of our hardware tokens disappeared to the cat toy dimension for a while.
@jakehamilton they eventually came back, and showed signs of damage consistent with having been cat toys and not consistent with having been decapped and subsequently reassembled by a high-resource attacker. we're still glad we rotated.
@ireneista better safe than sorry!!
@jakehamilton the way we think of it is that for our security practices to be real, they need to just be the boring thing we always do when we're in the situation that prompts it. we can't let ourselves overthink it every time or else we won't do it when we need to.