I don't know what you mean by "up to date". The keys do not change.
I don't lose keys.
When I get new accounts, I simply enroll each of the keys in each computer, plus my keychain key, in the U2F for the new account. This doesn't happen often due to SSO.
But that means you have to go out of state to enroll the keys you have in storage there. Not exactly practical.
Although I think that for the general (i.e. not ultra-critical) U2F use-case, not having all the keys enrolled is acceptable, if you're able to log back in without them, say by using codes stored encrypted with the GPG keys of all the others.
Oh, only the computer (and keychain) keys are used for U2F. There is one 24/7 resident in each computer (the C Nano variant) and an extra on my keyring. Each of these also has a PGP key.
The 4 in the vaults are only used for PGP.
I have a script that will PGP encrypt a file to all 10 of the Yubikeys. I keep track of all of the fingerprints and pubkeys in a spreadsheet.