Leave Nothing to Chance: Have a Backup and Recovery Plan

A backup and recovery process is an indispensable component of every security solutions strategy, and is something to think carefully about as you develop a plan to integrate YubiKeys into yours. Having a proper backup and recovery process keeps employees productive without them having to worry about losing their YubiKey or losing access to systems and accounts. More importantly, your backup and recovery process must be secure and should not diminish the overall security in place. Remember, your security is only as good as its weakest link.

The most secure plan is for each user to have two YubiKeys. Establishing a backup YubiKey ensures that the user can effortlessly access all of their accounts if they accidentally misplace their primary YubiKey. We strongly recommend this approach to all customers as a general best practice, as it guarantees that all users have a recovery solution easily accessible to them at any time. Having a backup YubiKey gives users peace of mind and eliminates the need for them to go through complicated, time-consuming processes to access their accounts. While other backup and recovery options are available, they come with a variety of pros and cons.

Other Backup and Recovery Options

One such alternative is having a Service Desk team issue a secondary temporary key on demand. This is the next best approach to having a backup YubiKey for all users, as it supplies a physical device registered with the same authentication system to the user at the time of need. With the YubiKey at its core, this approach removes many areas of risk that come with alternate solutions, and can serve as an extension of the two YubiKey approach if a user loses both keys. However, this option requires additional time, processes, and personnel, as the Service Desk must always be open to the user should they have an immediate need for a key.

Another popular backup alternative is having a mobile authenticator. Using an app like Google Authenticator provides a valid backup method by issuing a temporary passcode to users. However, mobile authenticators are often based on older technology, and do not provide the same protection that the YubiKey delivers, as the secrets used to generate the passcodes can be deciphered if enough codes are intercepted. Should you decide to use a mobile authenticator as a backup option, we encourage you to use it sparingly to avoid the risk of security breaches.

Beyond these, you can establish other backup methods, but they will not be as secure or as stable as a multi-key approach. SMS and email, for example, are the least secure backup and recovery methods, as they are susceptible to man in the middle and phishing attacks. In fact, section 5.1.3.2 of the NIST 800-63-3 guidelines, which will soon be published, recommends deprecating SMS due to security limitations. Additionally, a phone can run out of battery, be lost, stolen or broken, get infected by malware, or have storage retrieved by a connected computer. Conversely, the YubiKey is not vulnerable to most of these concerns.

While we understand that cost plays a key role in restricting organizations’ options for secure backup and recovery solutions, we do not recommend processes that could allow remote access to a corporate resource or introduce social engineering risk, reducing the initial security that our YubiKey solution was designed to protect against. Security always comes first! This is precisely why we urge all customers to consider using the two YubiKey approach as a best practice.

Talk to our teamTalk to our team

Share this article:


  • Works with YubiKey Spotlight: Passkeys are here – are you ready?With 2025 at its midpoint, enterprises worldwide are grappling with how to protect their users and data against emerging challenges around user security. Since 2022, generative AI has fueled a 4,000% surge in phishing – exploiting human vulnerability in 68% of breaches. It’s no longer a question – the world has a password problem that […]Read morepartnerspasskeysWorks with YubiKeywwyk
  • Yubico LogoYubico liefert PIN-Verbesserungen mit dem neuen YubiKey 5 – Verbesserte PIN-SchlüsselUm sich auf die sich ständig weiterentwickelnden Cyber-Bedrohungen vorzubereiten, passen Regierungen weltweit die Authentifizierungsanforderungen für Online-Dienste an und aktualisieren sie, was direkte Auswirkungen auf viele Unternehmen und deren Mitarbeiter hat. Zwar gibt es derzeit keine universelle Regelung für eine robustere Multi-Faktor-Authentifizierung (MFA), doch wird deren Notwendigkeit in einer Reihe von Anforderungen hervorgehoben, darunter PSD2, DSGVO […]Read moreYubiKey
  • Yubico delivers PIN advancements with new YubiKey 5 – Enhanced PIN keysTo prepare for continuously evolving cyber threats, governments around the world are adapting and updating authentication requirements for online services which directly impact thousands of organizations and their employees. While there’s currently no universal regulation for more robust multi-factor authentication (MFA), the need is highlighted across a range of requirements including PSD2, GDPR, and the […]Read moreCompany NewsProduct NewsYubiKeyYubiKey 5 – Enhanced PINYubiKey 5 SeriesYubiKey as a Service
  • An inside look at Yubico’s transition to passwordlessBefore “passkey” became a familiar term in our industry, Yubico had long delivered hardware-backed and phishing-resistant FIDO2 based authentication. Today, the adoption of passkey usage is accelerating. However, it’s taken quite a bit longer to integrate passwordless authentication into the everyday, enterprise-grade authentication flows that are required for today’s businesses.  As long as it’s been […]Read moreOktapasswordless