Lost YubiKey Best Practices

June 10, 2014 3 minute read

We hope that you will not lose your YubiKey, but for larger deployments and serious use, establishing processes around lost YubiKeys is an important and challenging aspect. Yubico has offered the YubiRevoke service to help with this aspect, which is a centralized way to disable YubiKeys validated through the YubiCloud. Initially we thought this was a natural part of a YubiCloud service. The more we have worked with customers to establish and recommend practices around use and deployment of YubiKeys, though, we have come to reconsider this recommendation. We have realized that a centralized service for revoking a YubiKey often leads to deployments that are ineffective to use for administrators, and it introduces a new set of security considerations for deployments.

For systems that use YubiKeys validated through the YubiCloud, the standard pattern is to setup a service that performs authentication using username, usually a password, and a Yubico OTP. These systems usually have an administrative interface, of varying level of sophistication, for managing users. Technically the system performs authentication by validating the username and password, and then validates the Yubico OTP against the YubiCloud to achieve two-factor authentication. For example, the system may be as simple as a WordPress blog with the YubiKey plugin, or Unix (typically Mac or GNU/Linux) login using the PAM module. The WordPress system has its user management interface, and Unix has its own user management and configuration interface. When a YubiKey is lost, to regain access to the system, the administrator has to provide a mechanism for users to associate a new YubiKey, or at least temporarily disable two-factor authentication. When YubiRevoke is used, customers sometimes end up implementing procedures for administrators to disable the YubiKey in both systems, which is inefficient.

A centralized revocation system for YubiKeys also introduces security considerations for deployments. Our revocation system depends on good authentication, and with access to an admin account, you can disable a YubiKey immediately. For larger deployments, having an attacker gain access to the administrator password/OTP could lead to situations which are difficult to recover from — consider for example if the attacker (maybe a disgruntled employee) changes the YubiRevoke password and disables all your YubiKeys. Implementing proper social recovery mechanisms on our side is not cost effective, and there will always be room for doubt. There is also a risk for Yubico to host a service that is using username/password authentication, since that will become a target of attacks.

For the reasons above, Yubico is planning to decomission our YubiRevoke service on the 1st of October 2014. We advise customers to simplify their processes around revocation to not involve the YubiRevoke service. We will disable new YubiRevoke account registration on June 13th 2014, and disable adding new Yubikeys to existing accounts on the 1st of August 2014. Please find below a quick FAQ around this.

Q: If I lose my YubiKey what should I do?
A: You should login to the sites where you used the YubiKey on and change the account settings to use your replacement YubiKey instead.

Q: What if I can’t login to the site to change my settings?
A: Use the service’s authentication recovery method.

Share this article:

Recommended content

Thumbnail

Combating ransomware attacks on your enterprise

What do a PC manufacturer, a meat supplier and a mental health clinic have in common? They have all been victims of ransomware attacks. They’re not alone. Ransomware attacks grew by over 485% in 2020, leveraging the new ransomware-as-a-service (RaaS) model of profit-sharing in exchange for ransomware tools.  One of the most infamous recent ransomware ...

Thumbnail

Top five pitfalls companies should avoid when rolling out a passwordless strategy

Given the number of breaches in the news today where passwords were at the root of the problem, many companies are now exploring the benefits of a secure passwordless future. Secure passwordless logins not only bring cost efficiencies and a more frictionless user login experience into the organization, but deliver the security that is necessary ...

Thumbnail

Built-in FIDO authenticators and YubiKeys are making the internet safer for all

In 2007, Yubico set out to protect as many people as possible by making secure login easy and available for everyone. We are happy Apple has joined Yubico, Google, and Microsoft on this journey by implementing W3C WebAuthn/FIDO compatible platform authenticators and are pleased to say that now all major platforms have adopted the standards ...

Thumbnail

YubiKey 5 Series product brief

The YubiKey 5 Series security keys deliver expanded authentication options.