6

I bought a YubiKey 5 NFC this week and have started using 2FA and U2F where I can but am deathly allergic to the idea of losing access.

For backing up U2F access I'm going to buy a second U2F token (probably a YubiKey depending upon the answer to this question) and register it to all my services. But I am not sure how to back up all of my YubiKey-backed TOTP-based authentication codes. I have the recovery codes for all of these services, but I would like to have a second TOTP generating mechanism.

I have read that YubiKey-backed TOTP is phone-independent in an article titled YubiKey for SSH, Login, 2FA, GPG and Git Signing:

One very nice (and unclear, at first) advantage of having a YubiKey seeded with 2FA codes is that we can now generate 2FA codes on any phone, as long as we have our YubiKey with us.

I already had to remote-lock and remote-erase a phone in the past, and losing the Google Authenticator settings is not fun. If you handle your YubiKey with care, you shouldn't have that problem anymore.

But I am unsure how this would work. Furthermore, that is the case if I lose the phone, but not the YubiKey.

So my question is two-fold:

  1. How do I ensure I can use the same TOTP tokens if I lose my phone? That is to say, if I have a YubiKey seeded with TOTP authentication for n services, would simply installing Yubico Authenticator on a new phone and then tapping the YubiKey to the new phone's NFC antenna generate the same TOTP tokens? If not, how would I access them on the new phone?
  2. How can I ensure backup TOTP authentication with a second YubiKey in case I lose my first YubiKey? That is to say, it is easy to register a second YubiKey in, say, GitHub, by simply going to the two-factor authentication management screen and clicking Register New Device, but there is no clear way to register a second authenticator app, which is how I registered the TOTP passwords for the YubiKey. I have read on the Yubico website that "if you backup the secret (or QR code) at the time of programming, you can later program the same secret onto a second YubiKey and it will work identically as the first." Can this be done at the time of 2FA registration in the Yubico Authenticator app? That is to say, I register two YubiKeys with the same 2FA QR code simultaneously?
mas

2 Answers

5

When setting up TOTP with a site, they give you a shared secret.

  1. Yubico Authenticator uses your YubiKey to store that info. As long as your key is present, all instances of Yubico Authenticator are interchangeable.

  2. Most sites will only share a single secret with you, but you can freely update that secret. When registering a "new authenticator" with a site, you can put that secret on multiple keys/authenticators before telling the site you're done.

tjd
  • So, to clarify number 2, if I want to register multiple YubiKeys with the same account at the same time, simply scan the QR code and sync it with the first YubiKey to save it, then scan it again and sync it with the second YubiKey? That is awesome. And super easy. – mas Feb 14 '19 at 14:50
  • 2
    The process is connect key 1 to authenticator, scan, connect key 2 to authenticator, scan, tell web site you've done the scan, & use either key to verify the scan. – tjd Feb 14 '19 at 15:02
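The mechanism behind tjd's answer, and behind the question's first point (a code depends only on the stored secret and the current time, never on which phone reads the key), as an added example that is not code from the original post, from Yubico or from any site mentioned above. It implements RFC 4226/6238 HOTP/TOTP, parses the `otpauth://totp/...` URI that an enrollment QR code encodes, and models two authenticators enrolled from the same QR code. The `Authenticator` class, `verify_totp`, `demo_two_keys` and the `GitHub:mas` label are constructed for illustration; the secret is the published RFC 6238 test vector, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# RFC 6238 reference secret (ASCII "12345678901234567890", base32-encoded). It is a
# published test vector, used here only so the expected codes are checkable.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, now: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / period)."""
    return hotp(secret_b32, now // period, digits)


def parse_otpauth(uri: str) -> dict:
    """Parse the otpauth://totp/<label>?secret=...&issuer=... URI that an enrollment
    QR code encodes. Only the parameters relevant to code generation are kept."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("only otpauth://totp URIs are handled here")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": params.get("issuer", ""),
        "secret": params["secret"],
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


class Authenticator:
    """Hypothetical model of one authenticator's credential store (a phone app, or the
    OATH credential list on a YubiKey). It is not Yubico's API; it only shows that an
    authenticator is nothing more than the secrets it was enrolled with."""

    def __init__(self, name: str):
        self.name = name
        self.credentials = {}

    def enroll(self, otpauth_uri: str) -> str:
        cred = parse_otpauth(otpauth_uri)
        self.credentials[cred["label"]] = cred
        return cred["label"]

    def code(self, label: str, now: int) -> str:
        cred = self.credentials[label]
        return totp(cred["secret"], now, cred["period"], cred["digits"])


def verify_totp(secret_b32: str, submitted: str, now: int,
                period: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Site-side check: accept the current step plus `window` steps either side to
    tolerate clock drift, comparing each candidate in constant time."""
    counter = now // period
    return any(
        hmac.compare_digest(hotp(secret_b32, c, digits), submitted)
        for c in range(counter - window, counter + window + 1)
    )


def demo_two_keys(now: int = 1234567890) -> dict:
    """Scan one enrollment QR code into two authenticators, then check that the site
    accepts a code from either. The account label is constructed."""
    uri = f"otpauth://totp/GitHub:mas?secret={RFC6238_SECRET_B32}&issuer=GitHub"
    primary, backup = Authenticator("YubiKey 1"), Authenticator("YubiKey 2")
    label = primary.enroll(uri)
    backup.enroll(uri)  # same QR code, scanned again before telling the site "done"
    code_primary = primary.code(label, now)
    code_backup = backup.code(label, now)
    return {
        "primary": code_primary,
        "backup": code_backup,
        "primary_accepted": verify_totp(RFC6238_SECRET_B32, code_primary, now),
        "backup_accepted": verify_totp(RFC6238_SECRET_B32, code_backup, now),
        # a code replayed well outside the drift window must be refused
        "stale_accepted": verify_totp(RFC6238_SECRET_B32, code_primary, now + 5 * 30),
    }


if __name__ == "__main__":
    print(demo_two_keys())
```

Running it shows both authenticators producing the identical six-digit code (`005924` at the RFC test time), which is exactly why enrolling the same QR code on two YubiKeys before confirming with the site yields two interchangeable backups. The site never learns how many devices hold the secret, so the only copies that matter are the ones you have made before the secret is discarded.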
2

While anyone using an OTP token should allow you to configure more than one token source (at least two so you can have a secured backup), not all do. If all of your places will let you enroll two authenticator apps, then just enroll one on each YubiKey (I'd recommend sticking with a 5 for the backup as well, so you can use FIDO2 on sites that support it -- also every site supporting FIDO/FIDO2 will allow multiple tokens to enroll).

For the sites that don't let you enroll a second token I'll take a different approach. I've been using the LastPass Authenticator app to store my TOTP codes. The bonus for using LastPass Authenticator is that the TOTP secrets are stored in your LastPass vault (so if you lose a phone/computer you can still recover). And LastPass will allow you to secure your account with YubiKeys; you can enroll several of them. So you launch the LastPass Authenticator and perform your 2FA on it (password plus YubiKey), then use the TOTP right there to auth to the web site.

If you are using the YubiKey NFC and your phone supports NFC, then you can still use this in virtually the same way as the Yubi Authenticator. The difference is that the secret keys are stored in your LastPass vault and the Yubi-OTP (from either key) is used to unlock that; as opposed to all the secret keys being loaded onto individual Yubi sticks.

Ruscal
  • I prefer the tokens to all be on the YubiKeys (mostly because I don't use LastPass, I use [`pass`](https://www.passwordstore.org/) and love it), but I understand your point about not letting you enroll a second OTP Token. GitHub itself, when you click `Edit` on the `Authenticator app` settings says "You’re about to change your two-factor authentication device. This will invalidate your current two-factor devices and recovery codes..." So when I get the backup 5 (which I just ordered), I'll have to redo both YubiKeys. Not a big deal. – mas Feb 14 '19 at 15:53
  • GitHub also has FIDO2 support, and if you enroll the YubiKey as a FIDO2 token, you can enroll multiple (I have a couple of Yubi-s that I use for my tokens. LastPass for TOTP as I previously described, but U2F and FIDO2 for tons as well. One is now in my deposit box, the other on my key ring; which gives me an every-day-use unit plus a secured backup) – Ruscal Feb 19 '19 at 17:51