.. ykauth-register-spare-key.rst

.. _ykauth-register-spare-key-label:

==========================
Register a Spare YubiKey
==========================

We at Yubico always recommend having more than one YubiKey. This way, one key can be used as a primary key, and the other can be used as a spare. There are a few ways to register a spare key, and the process is different depending on if the service supports Yubico OTP and FIDO security protocols, or OATH-TOTP protocol.

.. Important:: Keys are not linked together in any way. Rather, both keys nare registered separately to the account. That way either can be used for authentication.


Identify your service security protocols
=========================================

Identify the security protocols the services you use support. Check our `Works with YubiKey Catalog <https://www.yubico.com/works-with-yubikey/catalog/>`_.


Generate the QR code for the YubiKey
=====================================

 * If the service uses **Yubico OTP or FIDO security protocols**, register the second key exactly as you registered the first. Follow the same setup instructions listed in our `Works with YubiKey Catalog <https://www.yubico.com/works-with-yubikey/catalog/>`_.

 * If the service uses **OATH-TOTP protocol**, meaning you use the `Yubico Authenticator app <https://www.yubico.com/products/services-software/download/yubico-authenticator/>`_ to generate codes to login, then the process is a bit different.

 .. Important:: Save this generated QR code!

 Saving the QR code essential to creating a spare key for this particular account in the future. We recommend taking a picture of the QR code and storing it someplace safe.

Locate the QR code for your primary YubiKey
============================================

When registering your first YubiKey, you are given a secret from the service in the form of a QR code.

 **If you did not save the QR code generated the first time,**

  :Step 1: Delete your primary key from the account.

  :Step 2: Restart the registration process again.

  :Step 3: Be sure to save the QR code generated!

 See, :ref:`ykauth-with-auth-codes-label`. This article describes how to use your YubiKey with authenticator codes.


Link the primary YubiKey QR code with the spare YubiKey
=========================================================

 :Step 1: Use the Yubico Authenticator app, to scan the QR code from the first time you registered a YubiKey to this account.

 :Step 2: Scan your primary YubiKey.

 This links the primary YubiKey QR code and the primary YubiKey to the account.


Create a spare key for this account
====================================

 :Step 1: Scan the same QR code generated from the initial registration (when you registered the primary YubiKey).

 :Step 2: Scan your spare YubiKey.

Now either key can be used to authenticate.


Challenge-Response services backup process
===========================================

For services that use Challenge-Response, the backup process is similar to OATH-TOTP.

 :Step 1: Locate a backup of the secret that was programmed into your primary YubiKey.

 This is required to program the same credential into your spare YubiKeys.

 :Step 2: If you do not have the Challenge-Response secret:

   * Re-set up your primary YubiKey with the service(s) that use Challenge-Response.

   * Save a copy of the secret key in the process.

 :Step 3: Program the same credential into your backup YubiKeys. For most configurations, you should be able to use the **Applications > OTP** menu in `YubiKey Manager <https://www.yubico.com/support/download/yubikey-manager/>`_ to accomplish this.


Static password function backup process
========================================

If you use the YubiKey's static password function, the backup process is similar to OATH-TOTP.

For static passwords, you likely do not need a backup of the original credential, but can use the YubiKey's output (the static password it "types") to program your backup key(s).

If you programmed a static password that is greater than 38 characters using the **Static Password > Advanced** menu in the `YubiKey Personalization Tool <ahttps://www.yubico.com/support/download/yubikey-personalization-tools/>`_, in order to program it into another key you need:

 * A copy of the parameters of your static password credential (public ID, private ID and secret key).

 * To use the Personalization Tool.

**If you do not have these parameters:**

 :Step 1: Reconfigure your primary YubiKey and the services you use its static password with.

 :Step 2: **Save a copy of the new parameters** -- if your **new** static password also exceeds 38 characters and was programmed using the **Static Password > Advanced** menu.


-------------------------------------

To file a support ticket with Yubico, click `Support <https://www.yubico.com/products/yubienterprise/contact-support/>`_.