Leave Nothing to Chance: Have a Backup and Recovery Plan

A backup and recovery process is an indispensable component of every security solutions strategy, and is something to think carefully about as you develop a plan to integrate YubiKeys into yours. Having a proper backup and recovery process keeps employees productive without them having to worry about losing their YubiKey or losing access to systems and accounts. More importantly, your backup and recovery process must be secure and should not diminish the overall security in place. Remember, your security is only as good as its weakest link.

The most secure plan is for each user to have two YubiKeys. Establishing a backup YubiKey ensures that the user can effortlessly access all of their accounts if they accidentally misplace their primary YubiKey. We strongly recommend this approach to all customers as a general best practice, as it guarantees that all users have a recovery solution easily accessible to them at any time. Having a backup YubiKey gives users peace of mind and eliminates the need for them to go through complicated, time-consuming processes to access their accounts. While other backup and recovery options are available, they come with a variety of pros and cons.

Other Backup and Recovery Options

One such alternative is having a Service Desk team issue a secondary temporary key on demand. This is the next best approach to having a backup YubiKey for all users, as it supplies a physical device registered with the same authentication system to the user at the time of need. With the YubiKey at its core, this approach removes many areas of risk that come with alternate solutions, and can serve as an extension of the two YubiKey approach if a user loses both keys. However, this option requires additional time, processes, and personnel, as the Service Desk must always be open to the user should they have an immediate need for a key.

Another popular backup alternative is having a mobile authenticator. Using an app like Google Authenticator provides a valid backup method by issuing a temporary passcode to users. However, mobile authenticators are often based on older technology, and do not provide the same protection that the YubiKey delivers, as the secrets used to generate the passcodes can be deciphered if enough codes are intercepted. Should you decide to use a mobile authenticator as a backup option, we encourage you to use it sparingly to avoid the risk of security breaches.

Beyond these, you can establish other backup methods, but they will not be as secure or as stable as a multi-key approach. SMS and email, for example, are the least secure backup and recovery methods, as they are susceptible to man in the middle and phishing attacks. In fact, section 5.1.3.2 of the NIST 800-63-3 guidelines, which will soon be published, recommends deprecating SMS due to security limitations. Additionally, a phone can run out of battery, be lost, stolen or broken, get infected by malware, or have storage retrieved by a connected computer. Conversely, the YubiKey is not vulnerable to most of these concerns.

While we understand that cost plays a key role in restricting organizations’ options for secure backup and recovery solutions, we do not recommend processes that could allow remote access to a corporate resource or introduce social engineering risk, reducing the initial security that our YubiKey solution was designed to protect against. Security always comes first! This is precisely why we urge all customers to consider using the two YubiKey approach as a best practice.

Talk to our teamTalk to our team

Share this article:


  • FIPS certified vs. FIPS compliant: What’s the real difference?“Is your MFA solution FIPS compliant, or is it certified?”  This is a question we hear a lot, and for good reason. In industries where security and compliance are critical (especially in government contracts), understanding the difference between FIPS certified and FIPS compliant isn’t just semantics – it can mean the difference between meeting requirements […]Read moreFIPSNIST
  • 2025 Global State of Authentication survey: A world of difference in cybersecurity habitsIn a world that’s more connected than ever, the landscape of cybersecurity threats is constantly evolving. Bad actors, now supercharged with artificial intelligence (AI), are becoming increasingly adept at exploiting human error through sophisticated phishing and social engineering attacks. This makes robust cybersecurity a universal issue, impacting everyone from individuals to the largest global enterprises. […]Read moreGlobal State of Authenticationsurvey
  • Making digital security a right: Inside Yubico’s Secure it Forward programTechnology can be a great equalizer — but only if the strongest protection is within reach. Since 2022, Yubico has donated more than 65,000 YubiKeys to hundreds of organizations worldwide — a retail value of over $3.3 million. Each key helps strengthen digital protection for those doing vital work in their communities. This isn’t just […]Read more
  • Unlocking trust in enterprise security: Yubico and Okta empowering businesses togetherCollaboration with ecosystem partners is critical for providing our customers with the best cybersecurity solutions. Together, Yubico and Okta have achieved remarkable milestones over the years, including launching innovative solutions and aligning our go-to-market efforts – all aimed at delivering the most impactful cybersecurity solutions and user experience for our customers and partners. At the heart […]Read moreOktaOktane