You would need an event signed with the first key that references the backup key, no? If I get access to your private key, I can just publish an older event certifying a public key I control. Anyone who tries to visit your account will be redirected to the oldest verified public key (my own).