I lost my YubiKey recently, and my heart sank when I realized that I could lose access to my most important accounts. Luckily, that feeling lasted only a few seconds, as I knew that I had taken the necessary steps to prevent this from happening.
I follow a few rules every time I secure my accounts with YubiKey or any other form of authentication like 2FA, for example.
These simple rules allow me to access my accounts in the event of losing or damaging my YubiKey or losing access to my Authenticator app, like when I lost my phone with Google Authenticator on it.
To regain access to your account after losing your YubiKey, check if the application or service supports an alternative method of authentication. For example, you can use a code generated by your Google Authenticator app to regain access to your account. Alternatively, you can use your Backup Codes or authenticate via SMS if this is the option you have configured. Once you log in, make sure to de-associate the lost YubiKey and register a new one.
If all the above has failed, there is a big chance that the service or application you are trying to use offers a credentials recovery method. Contact their customer support service, and be patient. The process may take a while.
Can someone else use your YubiKey?
If you lost your YubiKey, there is a chance that someone will find it and try to use it.
Keep in mind, though, that the Security Key is not enough to log in to your account. Your login and password are also needed.
Most importantly, the person who found your YubiKey will face an almost impossible task to figure out who that YubiKey belonged to, not to mention knowing the account associated with it and of course your credentials.
That doesn’t change the fact that you should de-associate any lost YubiKeys from an affected account as soon as you regain access and register a new spare one.
If you are planning on buying another one, make sure to take a look at the YubiKey 5C NFC. This is my favorite YubiKey, which not only supports the latest USB-C port but also NFC connectivity. With NFC support you will be able to log in to your accounts on your mobile device by simply tapping the key against your device's NFC antenna.
If you are looking for something smaller, make sure to check the YubiKey 5 Series selection on the Yubico website. The YubiKey 5 Series provides a range of authentication choices including strong two-factor, multi-factor, and passwordless authentication, and seamless touch-to-sign.
Can you have a backup YubiKey?
I bet you have a spare set of keys to your house.
Well, you should treat your Security Key the same way and get a spare YubiKey which you can then use as a backup.
Many applications and services allow for multiple Security Keys registration.
The list below is by no means comprehensive, and you have to check your service or the application if they support more than one YubiKey.
| Service or application supporting U2F Security Keys | Multiple Security Keys supported? | Link to support page |
|---|---|---|
| 1Password | Yes – Unlimited. | Use U2F Security Key with 1Password |
| LastPass | Yes – Up to 5 Security Keys. | Use YubiKey Multifactor Authentication. |
| Dashlane | Yes | Use U2F with Dashlane. |
| Bitwarden | Yes – Up to 5 Security Keys. | Two-Step login via YubiKey. |
| Keeper | Yes – Up to 5 Security Keys. | Add Security Key. |
| Coinbase | Yes – Up to 5 Security Keys. | Using and managing Security Keys. |
| | Yes | Use Security Key for 2FA. |
| Microsoft | Yes – Up to 10 Security Keys. | Setup Security Key as your verification method. |
| | Yes | Setup Security Key |
| | Yes | How to use Two-Factor Authentication. |
If the application or service does not support multiple Security Keys registration, make sure to enable an alternative authentication method that will serve as a backup.
For example, by default, your YubiKey cannot be the only authentication method on your Google account. You can use your YubiKey, but you will also need to set up another alternative way so you can still access your account in case your Security Key is lost or stolen.
Google offers a wide range of Two-Factor Authentication methods, including codes generated by the Google Authenticator app or Microsoft Authenticator, for example.
You can also use the Backup Codes, which you hopefully saved during the initial setup. Another way is to use another device where you have already logged in to generate a one-time security code that you can then use to access the account.
Typically each service or application offers a range of alternative Two-Factor Authentication methods. If you are not sure what they are, visit the support page for more information or ask the customer support service.
If you cancel the browser request to authenticate using your Security Key, Google will offer an alternative method that you have set.
Press the ‘Try another way’ link once you cancel the request.
Finally, select the alternative Two-Factor Authentication method to access your Google account.
I said earlier that this is the default setup because Google also offers an Advanced Protection Programme, which will allow you to use your YubiKey as a single authentication method, among many other advanced security features.
The Advanced Protection Programme has been created for users with high visibility, politicians or celebrities, for example: users who may possess sensitive information and have an elevated risk of being targeted by cyber-criminals.
Does YubiKey need to stay plugged in?
You don’t need to keep your YubiKey continuously plugged into your device. Every time you try to log in to the account protected by the Security Key, the browser or the application will ask you to insert the key or touch it to the NFC antenna for the authentication process to begin.
Once logged in, you can safely remove your YubiKey from the USB port.
Where should I keep my YubiKey?
It would be best if you kept your spare YubiKey in a safe but easily accessible place. Use the other Security Key as a daily driver.
I have my YubiKey 5C NFC attached to my car keys if I need to access an account on my mobile phone.
As I have explained earlier, losing your YubiKey can be stressful, but as long as your credentials have not been exposed, there’s no danger that someone will access your accounts.
Make sure, though, to log in to your affected accounts using your second YubiKey and de-associate the lost one.
Once you do this, repurchase a second YubiKey and register it with that account, so you don’t have to use an alternative authentication method again when you lose that one too.
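The recovery rules above can be checked against a personal inventory of accounts before a key goes missing. The following is an added example, not part of the original article: the `Account` structure, the key labels, the `example-forum` service and the inventory contents are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Order in which the article suggests trying alternative methods.
FALLBACK_ORDER = ["totp", "backup_codes", "sms"]

@dataclass
class Account:
    service: str
    keys: set                                    # labels of registered Security Keys
    fallbacks: set = field(default_factory=set)  # alternative 2FA methods enabled

def first_step(acct, lost_key):
    """How to get back in: spare key, then a fallback, then support."""
    spare = sorted(acct.keys - {lost_key})
    if spare:
        return f"log in with {spare[0]}"
    for method in FALLBACK_ORDER:
        if method in acct.fallbacks:
            return f"log in with {method}"
    return "contact support for account recovery"

def plan_after_loss(accounts, lost_key, new_key):
    """Per-service steps for every account the lost key was registered on."""
    return {
        a.service: [first_step(a, lost_key),
                    f"de-associate {lost_key}",
                    f"register {new_key}"]
        for a in accounts if lost_key in a.keys
    }

def single_points_of_failure(accounts):
    """Accounts with fewer than two registered methods: one loss locks you out."""
    return [a.service for a in accounts if len(a.keys) + len(a.fallbacks) < 2]

# Constructed sample inventory (not real account data).
INVENTORY = [
    Account("Bitwarden", {"yk-daily", "yk-spare"}),
    Account("Google", {"yk-daily"}, {"totp", "backup_codes"}),
    Account("example-forum", {"yk-daily"}),
    Account("Coinbase", {"yk-spare"}, {"sms"}),
]

if __name__ == "__main__":
    print("At risk now:", single_points_of_failure(INVENTORY))
    for svc, steps in plan_after_loss(INVENTORY, "yk-daily", "yk-new").items():
        print(svc, "->", "; ".join(steps))
```

Running the audit before anything is lost is the useful part: any service it lists needs either a spare key or an alternative method enabled today.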