>If that manufacturer key is known, it only takes two samples from an authenticator to determine the sequence key.

Not if seed with appropriate length is used. Though I don't know how common that is, back in 2008 authors noted that "We would like to mention that none of the real-world KeeLoq systems we analyzed used any seed" (https://www.iacr.org/archive/crypto2008/51570204/51570204.pd..., section 4.3)