This is a text-only version of the following page on https://raymii.org:

---
Title  : My Yubikey broke, but I had a backup. So should you with your 2FA
Author : Remy van Elst
Date   : 18-03-2018
URL    : https://raymii.org/s/blog/My_Yubikey_Broke_-_Important_tip_for_two_factor_BACKUP.html
Format : Markdown/HTML
---

![yubikey][1]

Today my trusty old first generation Yubikey didn't light up when I plugged it in. No problem for me, I had a backup key. But most people don't, so here's an important tip when you use two factor authentication like a Yubikey, Nitrokey or Google Authenticator (HOTP).

TL;DR: Have a second hardware token stored away safely and backup your QR codes (print/screenshot) somewhere secure. Swap the hardware tokens often to make sure they both work with all services.

As we all know, 2 factor authentication is important. Passwords are insecure, can be brute forced or logged (malware, keylogger) and are re-used everywhere. If your password is leaked while you are using two factor authentication, something you know (password/username) and something you have (security token, time-based code), the attacker doesn't have access to your stuff unless they also compromise the second factor.

I love security devices. I've written [a lot][3] about the open source [NitroKey][4] devices, [even how to get the private key from the HSM][5]. Also the [FST-01][6], an open source GnuPG token, and the [SmartCard-HSM][7]. In my professional job I work with enterprise HSM devices (Safenet, Gemalto).

### Backups backups backups!

This tip applies both to HOTP tokens (Google Authenticator) and hardware tokens.

#### HOTP / TOTP

If you use Google Authenticator (or any other TOTP/HOTP app), you get a QR code to scan with your device or a code to enter. Screenshot that code and print it, then file it in a folder. Or write down the code.

![TOTP][8]

I myself have a second Android device at home with all the codes scanned as well, so when my main phone breaks I have an 'online' backup. Since the codes are all printed, when my main phone is working again, I scan the codes from the 'offline' backup to add them back. I don't have to login to every service or contact customer support to change the 2 factor settings.

#### Hardware tokens

![yubikeys][9]

The physical tokens, like the Yubikey, GnuPG (FST-01 or Nitrokey Start/Pro), SmartCard HSM, Nitrokey HSM or the RSA token (yes, my keychain is sadly full of those) all have a second device. At home I have a 'backup' keychain with authentication tokens. That means a second Yubikey (for KeePass), a second Nitrokey Pro (for GPG) and a second Nitrokey HSM (S/MIME and other certificates). It also has copies of the important physical keys (car, home, etc).

This keychain is stored in a safe next to the phone with the authenticator and the printed QR codes, along with a printout of my private keys which are not in hardware tokens (with passwords).

You must also add all these devices to the services you use. Lastpass for example supports up to 5 Yubikeys. It's not much use to have a second Yubikey if you can't use it, so make sure to add the token to the service you use. In the case of the GPG token and the HSM, backup the key material on them and import it on the second device.

The last step in this backup scheme is, as with all backups, to regularly test them. Otherwise a backup is worth nothing. I swap the keychain once every month, so I know it works with all the services it needs to. If something doesn't work, I don't want to find out at a critical moment, but rather as soon as possible. Just as with all other backups, do a restore test once in a while.

I know that this increases the cost: instead of 1 token you need to buy two, and Yubikeys are pricey ($50 as of today). But I've had my two Yubikeys since around 2010, so 8 years, which is a cost I could spread out. The other hardware tokens were either bought via my work (free for me, yay) or paid for myself. But my time is costly, so I'd rather buy two tokens than spend an afternoon fixing all the 2 factor authentication.
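As an added example (not code from the original post or from any authenticator app), the stdlib-only Python below parses the `otpauth://` URI that a TOTP QR code encodes and computes the RFC 6238 code from it, so a printed or screenshotted backup can be checked against the live entry without re-enrolling: the restore test from the HOTP/TOTP section and the "test your backups" step above, done on paper backups. The URIs are constructed samples using the RFC 6238 test key, and the second one deliberately has the period written down wrong.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the text a Google Authenticator QR code encodes (RFC 6238 test key).
PRIMARY_URI = ("otpauth://totp/Example:alice%40example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")
# Constructed "printout" copy of the same entry, but with the period written down wrong.
BAD_BACKUP_URI = PRIMARY_URI.replace("period=30", "period=60")


def parse_otpauth(uri):
    """Split an otpauth:// URI (what the QR code contains) into its parameters."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth TOTP/HOTP URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI carries no secret")
    return {"type": parsed.netloc, "label": unquote(parsed.path.lstrip("/")),
            "secret": params["secret"], "digits": int(params.get("digits", 6)),
            "period": int(params.get("period", 30)),
            "algorithm": params.get("algorithm", "SHA1").lower()}


def hotp(secret_b32, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time, digits=6, period=30, algorithm="sha1"):
    """RFC 6238: HOTP with the counter set to floor(time / period)."""
    return hotp(secret_b32, int(unix_time) // period, digits, algorithm)


def code_from_uri(uri, unix_time=None):
    """The code an authenticator app would show for this URI at the given time."""
    p = parse_otpauth(uri)
    if p["type"] != "totp":
        raise ValueError("this restore test only covers TOTP entries")
    now = time.time() if unix_time is None else unix_time
    return totp(p["secret"], now, p["digits"], p["period"], p["algorithm"])


def backup_matches(primary_uri, backup_uri, unix_time=None):
    """Restore test: the stored copy must yield the same code as the live entry."""
    now = time.time() if unix_time is None else unix_time
    return code_from_uri(primary_uri, now) == code_from_uri(backup_uri, now)
```

Run `code_from_uri()` on the URI decoded from the printed QR and compare it with what the phone shows; a mismatch means the backup would not have saved you.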
[1]: https://raymii.org/s/inc/img/yubikey.png
[2]: https://www.digitalocean.com/?refcode=7435ae6b8212
[3]: https://raymii.org/s/articles/Get_Started_With_The_Nitrokey_HSM.html
[4]: https://raymii.org/s/articles/Nitrokey_Start_Getting_started_guide.html
[5]: https://raymii.org/s/articles/Decrypt_NitroKey_HSM_or_SmartCard-HSM_private_keys.html
[6]: https://raymii.org/s/tutorials/FST-01_firmware_upgrade_via_usb.html
[7]: https://raymii.org/s/articles/Nitrokey_HSM_in_Apache_with_mod_nss.html
[8]: https://raymii.org/s/inc/img/google_auth.png
[9]: https://raymii.org/s/inc/img/yubikeys.png