This is a text-only version of the following page on https://raymii.org:
---
Title       : 	My Yubikey broke, but I had a backup. So should you with your 2FA
Author      : 	Remy van Elst
Date        : 	18-03-2018
URL         : 	https://raymii.org/s/blog/My_Yubikey_Broke_-_Important_tip_for_two_factor_BACKUP.html
Format      : 	Markdown/HTML
---



![yubikey][1]

Today my trusty old first generation Yubikey didn't light up when I plugged it
in. No problem for me, I had a backup key. But most people don't, so here's an
important tip when you use two factor authentication like a Yubikey, Nitrokey or
Google Authenticator (HOTP). TL;DR: Have a second hardware token stored away
safely and backup your QR codes (print/screenshot) somewhere secure. Swap the
hardware tokens often to make sure they both work with all services. Today my
trusty old first generation Yubikey didn't light up when I plugged it in. No
problem for me, I had a backup key. But most people don't, so here's an
important tip when you use two factor authentication like a Yubikey, Nitrokey or
Google Authenticator (HOTP). TL;DR: Have a second hardware token stored away
safely and backup your QR codes (print/screenshot) somewhere secure. Swap the
hardware tokens often to make sure they both work with all services.

<p class="ad"> <b>Recently I removed all Google Ads from this site due to their invasive tracking, as well as Google Analytics. Please, if you found this content useful, consider a small donation using any of the options below:</b><br><br> <a href="https://leafnode.nl">I'm developing an open source monitoring app called  Leaf Node Monitoring, for windows, linux & android. Go check it out!</a><br><br> <a href="https://github.com/sponsors/RaymiiOrg/">Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.</a><br><br> <a href="https://www.digitalocean.com/?refcode=7435ae6b8212">You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $100 credit for 60 days. </a><br><br> </p>


As we all know, 2 factor authentication is important. Passwords are insecure,
can be brute forced or logged (malware, keylogger) and are re-used everywhere.
If you're password is leaked, when you are using two factor, something you know
(password/username) and something you have (security token, time-based code),
the attacker doesn't have access to your stuff unless they also compromise the
second factor.

I love security devices, I've written [a lot][3] about the open source
[NitroKey][4] devices, [even how to get the private key fronm the HSM][5]. Also,
the [FST-01][6], an open source GnuPG token and the [SmartCard-HSM][7]. In my
professional job I work with enterprise HSM devices (Safenet, Gemalto).

### Backups backups backups!

This tip applies both to HOTP tokens (Google Authenticator) and hardware tokens.

#### HOTP / TOTP

If you use Google Authenticator (or any other TOTP/HOTP), you get a QR code to
scan with your device or a code to enter. Screenshot that code and print it,
file it in a folder. Or write down the code.

![TOTP][8]

I myself have a second Android device at home with all the codes scanned as
well, so when my main phone breaks I have an 'online' backup. Since the codes
are all printed, when my main phone is working again, I scan the codes from the
'offline' backup to add them back. I don't have to login to every service or
contact customer support to change the 2 factor settings.

#### Hardware tokens

![yubikeys][9]

The physical tokens, like the Yubikey, GnuPG (FST-01 or Nitrokey Start/Pro),
SmartCard HSM, Nitrokey HSM or the RSA token, yes my keychain is full with those
sadly, all have a second device. At home I have a 'backup' keychain with
authentication tokens. Which means, a second Yubikey (for KeePass), a second
Nitrokey Pro (for GPG) and a second Nitrokey HSM (S/MIME and other
certificates). It also has copies of the important physical keys (car, home,
etc).

This keychain is stored in a safe next to the phone with the authenticator and
the printed QR codes. Also a printout of my private keys which are not in
hardware tokens (with passwords).

You must also add all these devices to the services you use. Lastpass for
example supports up to 5 yubikeys. It's not much use to have a second YubiKey if
you can't use it. So make sure to add the token to the service you use.

In the case of the GPG token and the HSM, backup the key material on them and
import it on the second device.

The last step in this backup scheme is, as is with all backups, to regularly
test them. Otherwise a backup is worth nothing. I swap the keychain once every
month, so I know it works with all the services it needs to. If something
doesn't work, I don't want to find out on a critical moment, rather as soon as
possible. Just as with all other backups, do a restore test once in a while.

I know that this increases the cost, instead of 1 token you need to buy two, and
Yubikeys are pricey ($50 as of today). But I had my two Yubikeys since around
2010, so 8 years, that is a cost I could spread out. The other hardware tokens
are either bought via my work (free for me yay) or paid for myself. But, my time
is costly, so I rather buy two tokens than to spend an afternoon fixing all the
2 factor authentication.

   [1]: https://raymii.org/s/inc/img/yubikey.png
   [2]: https://www.digitalocean.com/?refcode=7435ae6b8212
   [3]: https://raymii.org/s/articles/Get_Started_With_The_Nitrokey_HSM.html
   [4]: https://raymii.org/s/articles/Nitrokey_Start_Getting_started_guide.html
   [5]: https://raymii.org/s/articles/Decrypt_NitroKey_HSM_or_SmartCard-HSM_private_keys.html
   [6]: https://raymii.org/s/tutorials/FST-01_firmware_upgrade_via_usb.html
   [7]: https://raymii.org/s/articles/Nitrokey_HSM_in_Apache_with_mod_nss.html
   [8]: https://raymii.org/s/inc/img/google_auth.png
   [9]: https://raymii.org/s/inc/img/yubikeys.png

---

License:
All the text on this website is free as in freedom unless stated otherwise. 
This means you can use it in any way you want, you can copy it, change it 
the way you like and republish it, as long as you release the (modified) 
content under the same license to give others the same freedoms you've got 
and place my name and a link to this site with the article as source.

This site uses Google Analytics for statistics and Google Adwords for 
advertisements. You are tracked and Google knows everything about you. 
Use an adblocker like ublock-origin if you don't want it.

All the code on this website is licensed under the GNU GPL v3 license 
unless already licensed under a license which does not allows this form 
of licensing or if another license is stated on that page / in that software:

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.

Just to be clear, the information on this website is for meant for educational 
purposes and you use it at your own risk. I do not take responsibility if you 
screw something up. Use common sense, do not 'rm -rf /' as root for example. 
If you have any questions then do not hesitate to contact me.

See https://raymii.org/s/static/About.html for details.