Ode to the value of Backup YubiKey(s)

May 27, 2015 3 minute read

A few weeks ago, I was in my hotel and reached into my pocket to get my YubiKey. Without it, I can’t log into certain email, CMS or other systems without going through an involved IT administrative process.

The key was gone.

That is an instantaneous bad feeling, wiped away only by the backup YubiKey I carry and store in a separate location.

Earlier, at a gathering of identity and authentication geeks, I was one of three Yubico employees walking people through the registration and use of the YubiKey with various apps.

Afterward, I left my computer with colleagues to go have a side conversation for a few minutes. YubiKey in plastic sleeve

Unbeknownst to me, my diligent co-worker was cleaning up and collecting keys that had not been used or handed out. He saw a key inserted into my computer, and thinking it was part of the demonstration, removed it, tucked it back into its plastic sleeve and tossed it in a bag with 50 or so other keys.

(In his defense, he was unaware that I use the plastic package sleeve to protect against inadvertent key taps. What? You throw the sleeve away!)

The next day, my colleague unknowingly handed the key out to a random person who had requested a sample. My key was gone. Never to be seen again.

(I only learned that part of the story after telling him the next day about how I had lost my key but had been saved by a backup.)

So when I discovered in the hotel that my key was missing, my immediate reaction was “where is it?” and I spent a few moments searching for it. But I knew I had my backup YubiKey cleverly concealed in the room.

I retrieved the backup YubiKey and got right to work, having full access to my complement of applications and services.

This scenario is the answer to a common question Yubico hears: “What happens if I lose my YubiKey?” If you are prepared, the answer is nothing happens. It’s the same answer for “What if my hard drive crashes?” The real question is how important is my data/security and how do I protect and preserve it.

Given the YubiKey’s design, I didn’t need to worry about my main key in the hands of a stranger. The key has no data about the owner so I was undiscoverable. In addition, I was able to delete my YubiKey registrations from each one of my apps.

On the (very) off chance the stranger with my key located my computer and me; the key was worthless (even without deleting registrations, an attacker would also need my username and password for each app). I was able to pick right up with a new key. The only thing I had to do was establish a new backup key.

I did that after I was done working just to get a taste of what it feels like to live on security’s edge for a few hours. The feeling of having a backup is much more comfortable.

Want to learn more about lost YubiKey best practices?

Share this article:

Recommended content


YubiKey SaaS offering from Yubico now available through the Microsoft Azure Marketplace

Today, Yubico is announcing the availability of its multi-factor authentication YubiKeys in the Microsoft Azure Marketplace. Microsoft Azure customers in the U.S. will now have access to YubiKeys to take advantage of the scalability, reliability, and agility of Azure to drive application development and shape business strategies.  “We’re pleased to welcome Yubico to the Microsoft ...


Put Your Finger on the Pulse of What’s New with the YubiKey Bio Series

Today, we are announcing the YubiKey Bio Series, Yubico’s first-ever YubiKeys supporting biometric authentication. The YubiKey Bio was first previewed at Microsoft Ignite in 2019 where we showed a live demo of passwordless sign-in to Microsoft Azure Active Directory accounts. We’ve taken the time to ensure that we are launching products that are highly secure ...


Combating ransomware attacks on your enterprise

What do a PC manufacturer, a meat supplier and a mental health clinic have in common? They have all been victims of ransomware attacks. They’re not alone. Ransomware attacks grew by over 485% in 2020, leveraging the new ransomware-as-a-service (RaaS) model of profit-sharing in exchange for ransomware tools.  One of the most infamous recent ransomware ...


Top five pitfalls companies should avoid when rolling out a passwordless strategy

Given the number of breaches in the news today where passwords were at the root of the problem, many companies are now exploring the benefits of a secure passwordless future. Secure passwordless logins not only bring cost efficiencies and a more frictionless user login experience into the organization, but deliver the security that is necessary ...