A few weeks ago, I was in my hotel and reached into my pocket to get my YubiKey. Without it, I can’t log into certain email, CMS or other systems without going through an involved IT administrative process.
The key was gone.
That is an instantaneous bad feeling, wiped away only by the backup key I carry and store in a separate location.
Earlier, at a gathering of identity and authentication geeks, I was one of three Yubico employees walking people through the registration and use of the YubiKey with various apps.
Afterward, I left my computer with colleagues to go have a side conversation for a few minutes.
Unbeknownst to me, my diligent co-worker was cleaning up and collecting keys that had not been used or handed out. He saw a key inserted into my computer, and thinking it was part of the demonstration, removed it, tucked it back into its plastic sleeve and tossed it in a bag with 50 or so other keys.
(In his defense, he was unaware that I use the plastic package sleeve to protect against inadvertent key taps. What? You throw the sleeve away!)
The next day, my colleague unknowingly handed the key out to a random person who had requested a sample. My key was gone. Never to be seen again.
(I only learned that part of the story after telling him the next day about how I had lost my key but had been saved by a backup.)
So when I discovered in the hotel that my key was missing, my immediate reaction was “where is it?” and I spent a few moments searching for it. But I knew I had my backup YubiKey cleverly concealed in the room.
I retrieved the backup key and got right to work, having full access to my complement of applications and services.
This scenario is the answer to a common question Yubico hears: “What happens if I lose my YubiKey?” If you are prepared, the answer is nothing happens. It’s the same answer for “What if my hard drive crashes?” The real question is how important is my data/security and how do I protect and preserve it.
Given the YubiKey’s design, I didn’t need to worry about my main key in the hands of a stranger. The key has no data about the owner so I was undiscoverable. In addition, I was able to delete my YubiKey registrations from each one of my apps.
On the (very) off chance the stranger with my key located my computer and me; the key was worthless (even without deleting registrations, an attacker would also need my username and password for each app). I was able to pick right up with a new key. The only thing I had to do was establish a new backup key.
I did that after I was done working just to get a taste of what it feels like to live on security’s edge for a few hours. The feeling of having a backup is much more comfortable.