How to add a spare YubiKey security key and why to do it

YubiKey hardware security key very reliable – it is resistant to wear and tear and does not lose its properties when exposed to water. But it has a small size, so it can get lost by accident. Also, criminals can try to steal it if you often work in crowded places.

Of course, after losing the security key, almost all access to accounts can be restored, but correspondence with service administrations can take a lot of time. In order not to lose it, we, as the official distributors of the YubiKey manufacturer in Ukraine, always recommend buying a pair security keys, one of which will be kept in a safe place, such as a safe.

The second YubiKey hardware key, does not necessarily have to be the same form factor or belong to the same series as the main one. But it is important that the keys support the same protocols. These can be OTP passwords, FIDO2, FIDO U2F or the OATH-TOTP protocol.

Importantly. Having a spare key will help in emergency situations and save precious time.

Registration of the YubiKey security key with OTP or FIDO protocols

To find out which services support the security key protocols of your choice, go to the “Services Compatible with YubiKey Security Keys”.

If your security key supports OTP¹ або FIDO²protocols, the second key will need to be registered³ just like the first one. But keep in mind that the keys are not related to each other in any way, because they are created in such a way that the information contained on them cannot be transferred or copied. Therefore, each key must be registered separately so that any of them can be used for authentication in the future.

¹ OTP (One Time Password) is a password that is valid only for one authentication session.

² FIDO (Fast Identity Online) is a protocol for passwordless or two-factor authentication.

³ To register the security key, you can use the instructions in the catalog.

Registration of YubiKey security key with OATH-TOTP protocol

If your chosen service or service uses the OATH-TOTP⁴protocol, then you need to register the second security key differently.

⁴ OATH-TOTP (Time-based One-Time Password Algorithm) is a secure authentication algorithm using a one-time password.

When you register the first key, you will receive a secret in the form of a QR code. You will need to scan it and save it in a safe place. This code will be needed when registering the second key.

To do this, you will first need to use the Yubico Authenticator app to scan the QR code that was issued to the first security key by the service. Then get the QR code for the second security key. Scan it with the same app and link them that way. After that, you can use any of these keys for authentication.

Please note: If you did not save the QR code that was provided to you by the service or service the first time, you must first delete the key from your account and start registering security keys again.

Registration of YubiKey security key with Challenge-Response protocol

For services that use Challenge-Response (or “request-response”) protocols or a static password function, the second key registration instructions will be similar to the previous one. Only for the Challenge-Response protocol, instead of the QR code, you will need a backup copy of the secret encrypted in the first key of the YubiKey. With its help, you will encrypt your data in a spare key.

To perform these actions, you will need the YubiKey-manager application, which can be downloaded from the links:

• Linux – Ubuntu Download
• Linux – Download AppImage (may need to install pcscd package)
• Linux – Download source code
• Download macOS
• Windows (x64) Download
• Windows (x86) Download

In the application, go to the menu program -> OTP and make settings

You will not need a copy of your credentials to register a spare key with the static password feature enabled. But only if your password does not exceed 38 characters. Otherwise, you will need to use a copy of the parameters stored in the credentials: public ID, private ID, and secret key.

You will need the YubiKey Personalization Tool to set it up. It works with all keys (except the Security Key series). You can download them from the links below.

Download YubiKey Personalization Tool v3.1.25:

• Download Linux
• Download for Mac (.pkg file)
• Download Microsoft Windows

Download YubiKey Personalization Tool v1.19.0:

• Download Linux
• Download Mac
• Download the 64-bit version of Microsoft Windows
• Download the 32-bit version of Microsoft Windows

In the application menu, find sections Static password > Additionally and make the necessary settings. As in the previous cases, if you have not previously saved your public ID, private ID and secret key, you will need to delete the first key from your account and register again.

If you have not yet purchased a second key, you can choose it in our online store.