I Lost My Yubikey! How To Setup Backup Keys
“What do I do if I lose my hardware key?!”
That’s a really common question, and a totally valid one. The answer is also the reason why I’ve consistently recommended that you buy two YubiKeys whenever you’re setting up your multi-factor authentication.
The reason I recommend getting more than one is to prevent you from getting locked out of an account. These keys are used for authentication: after you log in to a website with your username and password, the website prompts you to plug in a key - this is that key. I’ve discussed how to set one of these up and what they are used for (that’s multi-factor authentication), but today I’ll show you how to set up more than one key on your online accounts.
Let’s say you carry your Yubikey with you and for some reason it gets lost while you’re traveling or it gets damaged. If you only have that one key for logging into your online accounts, then how would you log in? You’d get stuck on the screen that asks you to insert the key. But if you have a spare key set up for that online account, you could just grab the spare key and plug that one in instead.
If you lose the YubiKey you use most often (we’ll call this one your primary key), then you can use the second YubiKey to log into your accounts (this one will be the spare key). Two keys is the minimum I’d recommend for any account you can’t afford to be locked out of.
YubiKeys don’t let you read “secrets” back out of them - the FIDO private keys and the OATH secrets are write-only - so you can’t clone one key onto another. That’s a big part of why they’re so strong, but it also means you have to register each key separately, with very much the same process. The keys are not linked together in any way; a website treats them as completely separate entities. While this process is time consuming, it’s also something you only have to do once. You won’t need to do it again until you choose to buy a new key to replace an older one, or buy another as a spare.
The websites I’ll demo use one of two kinds of protocol. Either they use Yubico OTP or FIDO (U2F/FIDO2), so you simply plug in the YubiKey and touch the little gold contact, OR they use OATH-TOTP, which means they’ll still ask you for a six digit code, which an app shows you. Note that some sites still only support SMS 2FA, meaning they text you a code that you have to type in. That isn’t as secure as a YubiKey, but it is better than no second factor at all.
So before I show you a couple of demos, would you mind subscribing if you are enjoying this video? I’ve dedicated this channel to bringing you really in depth tech content, with pro tips trickled in. So if you want those pro tips that I drop every week, a click of the subscribe button tells me what content you wanna see more of.
First, we have OTP or FIDO supported websites.
These ones are easy, especially if the site natively supports registering more than one security key. Let’s set up two keys on our Google and Facebook accounts, which both support these protocols. On Google, go to your security settings, then to the setting that says 2-Step Verification and click Get Started. From there, choose Show More Options, then Security Key. Grab your keys, as you’ll need to plug them in soon. Click Next, then OK on the pop-up prompt, then follow the on-screen directions: plug in your key, type in your PIN (or create one if you’ve never set one), then touch your key. This registers your first key.
Now go back to that 2-Step Verification setting and choose Security Key. This brings you to the security key menu; choose Add Security Key and follow those same on-screen prompts while plugging in your spare YubiKey. If you’re asked to give the key a name, you can do so here, or you can go to the Passkeys settings page and rename your keys there - they’re listed at the bottom of the page. In my case, one of my keys can also be used as a passkey, while the other one can only be used for 2FA. That comes down to the key itself: passkeys are FIDO2 discoverable credentials, so a key that only supports U2F, or runs older firmware, can be registered as a second factor but not as a passkey.
So now it doesn’t matter which key I have with me - both of them let me log into my Google account the same way, by plugging in the key and touching it. The 2FA-only key still requires me to enter my password first, while the passkey one works as a passkey on supported devices, or just as a 2FA key on devices that don’t support passkeys yet. That’s so cool!
It took me forever to find the Facebook settings page for 2FA, so here’s the link: accountscenter.facebook.com. Choose Password and Security, then Two-Factor Authentication. From here it’s pretty similar: you choose how you want to log in - that’ll be Security Keys. Click Add, then follow the directions on screen to add your new key: insert it, type in the PIN for that YubiKey, and add it. Want to add a spare key? Go back to the Security Keys page, choose Add again, and go through the same setup process with your second key.
If at this point you’re thinking “I should probably get another yubikey” first - yes, you should.
Okay, but what if the site is OATH-TOTP? You’ll know it’s a TOTP-type login if the site shows you a QR code when you’re setting up your multi-factor authentication option. That QR code encodes an otpauth:// link containing the shared secret that every future six digit code is calculated from.
For sites that only accept one key, or that require you to set up an app that gives you a six digit code to type in on the authentication page, we can use the Yubico Authenticator app to set up more than one key.
This app is available cross-platform; I’m doing my demo on a desktop computer.
It took me a bit to figure out how to do this correctly, but I figured it out! Download the app, open it, and insert your key. Then hop on your website and go to the security page - in my case I’m using Squarespace, since they only support those six digit codes. When I get to the page that pulls up the QR code, the first thing I do is save a backup of that QR code, because any time I need to add a new YubiKey to that account I can reuse it. Treat that backup like a password: the QR code IS the secret, and anyone who gets hold of it can generate valid codes for your account. Keep a printout in the same place you keep your recovery codes, not a screenshot in a cloud-synced photo library.
While I’m chillin’ on this page I go to the Yubico Authenticator app, plug in my key, click the menu icon, then click Add Account. The app finds the QR code on my display and automatically fills in the website name, profile, and the secret. When I click Save, it writes that secret onto the YubiKey itself and lists it in the app as a new account. The app doesn’t keep the secret; it only shows accounts stored on whichever key is currently plugged in.
Now, before I go any further, I do the same thing with the second YubiKey. I unplug my current key, plug in the spare, and add the SAME account to this YubiKey AGAIN: hit Add Account, verify the data looks right, click Save. So now both of these YubiKeys have the same secret on them.
Going back over to Squarespace, I click OK, which takes me away from the screen with the QR code. The reason I saved that QR code is that if I ever lose one of my YubiKeys and want to add a replacement, I’ll need that same QR code to program it. Squarespace doesn’t know any better - it only stores one secret per account and just assumes every code comes from the same authenticator. So as long as the current secret is still tied to the account, any new key has to be loaded from that same QR code; I can’t get a new QR code without completely revoking the current secret and resetting 2FA for the site.
So Squarespace asks me for a six digit code, and I get it by clicking on the profile in my Yubico Authenticator app, copying the six digit code from the app into Squarespace, and hitting Save.
It doesn’t matter which key I’m currently using - since both hold the same secret, either one’s six digit code will work when I log into Squarespace.
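To make the “same secret, same codes” reasoning concrete, here is an added worked example (not code from the video, from Yubico, or from Squarespace). It implements RFC 6238 TOTP, parses the kind of otpauth:// link the QR code carries, and simulates two keys and one website: the simulated key class, the site class and the sample link are all constructed for this example, and the secret in the link is the RFC 6238 test-vector key so the output can be checked against the published vectors. It also shows the flip side of the trick: when the site’s secret is rotated to “revoke” a lost key, the spare stops working too until it is re-added from the new QR code.

```python
"""Why two YubiKeys loaded with the same otpauth:// secret produce the same
codes, and why rotating the secret on the site invalidates both at once."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of what a TOTP setup QR code encodes. The secret is the
# RFC 6238 test-vector key "12345678901234567890" in base32; issuer and
# account name are made up for this example.
SAMPLE_URI = ("otpauth://totp/ExampleSite:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleSite"
              "&digits=6&period=30")


def parse_otpauth(uri):
    """Return (label, raw secret bytes, digits, period) from an otpauth://totp URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = parse_qs(u.query)
    secret_b32 = q["secret"][0].upper().replace(" ", "")
    secret_b32 += "=" * (-len(secret_b32) % 8)       # restore base32 padding
    secret = base64.b32decode(secret_b32)
    digits = int(q.get("digits", ["6"])[0])
    period = int(q.get("period", ["30"])[0])
    return unquote(u.path.lstrip("/")), secret, digits, period


def totp(secret, unix_time, digits=6, period=30):
    """RFC 6238 TOTP over HMAC-SHA1, the default algorithm for YubiKey OATH."""
    counter = int(unix_time) // period
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class SimulatedYubiKey:
    """Stand-in for one key's OATH applet (hypothetical, for this example):
    it accepts secrets and returns codes, but never hands the secret back."""

    def __init__(self, serial):
        self.serial = serial
        self._accounts = {}                            # label -> (secret, digits, period)

    def add_account(self, uri):
        label, secret, digits, period = parse_otpauth(uri)
        self._accounts[label] = (secret, digits, period)
        return label

    def code(self, label, unix_time=None):
        secret, digits, period = self._accounts[label]
        now = time.time() if unix_time is None else unix_time
        return totp(secret, now, digits, period)


class SimulatedSite:
    """The website side (hypothetical): one TOTP secret per user, verified with a
    one-step window either way. It has no idea how many keys hold that secret."""

    def __init__(self):
        self._secrets = {}

    def enroll(self, user, uri):
        _, secret, digits, period = parse_otpauth(uri)
        self._secrets[user] = (secret, digits, period)

    def verify(self, user, code, unix_time):
        secret, digits, period = self._secrets[user]
        return any(hmac.compare_digest(code, totp(secret, unix_time + d * period, digits, period))
                   for d in (-1, 0, 1))


def demo(unix_time=1111111109):
    """Enroll primary + spare from one QR code, then rotate the secret.
    Returns (both keys accepted, codes identical, spare accepted after rotation,
    spare accepted after re-adding it from the new QR code)."""
    primary, spare = SimulatedYubiKey("primary"), SimulatedYubiKey("spare")
    label = primary.add_account(SAMPLE_URI)
    spare.add_account(SAMPLE_URI)
    site = SimulatedSite()
    site.enroll("alice", SAMPLE_URI)

    both_ok = (site.verify("alice", primary.code(label, unix_time), unix_time)
               and site.verify("alice", spare.code(label, unix_time), unix_time))
    same_code = primary.code(label, unix_time) == spare.code(label, unix_time)

    # "Revoking" the lost primary on a TOTP site means resetting 2FA, i.e. a new
    # secret (constructed here). The spare is now dead too until re-provisioned.
    new_uri = SAMPLE_URI.replace("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", "JBSWY3DPEHPK3PXP")
    site.enroll("alice", new_uri)
    spare_after_rotate = site.verify("alice", spare.code(label, unix_time), unix_time)
    spare.add_account(new_uri)                         # overwrite with the new secret
    spare_after_reenroll = site.verify("alice", spare.code(label, unix_time), unix_time)
    return both_ok, same_code, spare_after_rotate, spare_after_reenroll


if __name__ == "__main__":
    print(demo())
```

On real hardware the `add_account` step is what the Yubico Authenticator app (or the `ykman` CLI’s `oath accounts add` subcommand) does when it writes the QR code’s secret to the key; the simulated classes above only model that behaviour so the reasoning can be run offline.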
If you lose one of your keys, the spare key will let you log into your accounts. So keep the spare somewhere safe, and use the primary when you’re traveling or commuting or whatnot. If one gets lost, log in with the spare and revoke the lost YubiKey. What “revoke” means depends on the site: on FIDO sites like Google and Facebook, each key has its own registration, so you just delete the lost key’s entry and the spare keeps working. On TOTP sites like Squarespace, both keys share one secret, so revoking the lost key means resetting 2FA on the site to get a new QR code, then loading that new QR code onto the spare and onto your replacement key. Either way, do it as soon as you notice the key is gone.
And if you lose both keys? Well, this is why we save those backup codes that I did a whole video about - so watch that next to understand why backup codes exist and what they’re used for.