Tips

The following tips and tricks can help you take full advantage of the Yubico Authenticator application’s functionality:

Resizing the app window

Note

The app window size can only be changed on desktop and Android tablet devices.

The Yubico Authenticator app window can be resized by both height and width. The default window width on most desktop devices shows the following:

_images/settings-default-window.jpg

When the window is narrowed sufficiently, the right-hand menu becomes hidden. However, these menu options can still be accessed by clicking the three dots in the upper right corner of the app.

Further narrowing the width makes all page icons disappear. However, these pages can still be accessed by clicking the three lines in the upper left corner.

When the window is widened sufficiently, the page names are expanded. To collapse these names again, click the three lines in the upper left corner.

Register a spare YubiKey

We highly recommend registering at least one backup YubiKey with each account you have. In the event that you lose your primary YubiKey, you will still be able to access your accounts with your spare key.

The registration process for the spare key depends on the type of authentication and the specific site/service. Refer to the following sections.

OATH accounts

To register a spare YubiKey for OATH authentication, the OATH account must be added to the spare key using the same QR code and credentials as your primary key. This means that the primary key and spare key will generate the same TOTP codes in Yubico Authenticator on any device.

For many sites and services, OATH authentication is often referred to as “registering an authenticator app” in your account settings. Generally, these sites/services allow you to register only one application, meaning that only one set of OATH credentials can be associated with your account at a time. So to be able to use more than one YubiKey to generate TOTP codes in Yubico Authenticator for a single account, each of those keys must have the same credentials so that they can generate the same TOTPs.

If you do not have a copy of the QR code or OATH credentials used to register your primary key, you will have to remove your primary key from your account and reregister the primary key along with the spare key. To do so, perform the following:

  1. Locate the OATH authentication settings within your account. For guidance on how to find this with your particular site/service, see the Works with YubiKey catalog.
  2. Remove the registered key/app and generate a new QR code or OATH credentials. Take a screenshot of the QR code or copy the OATH credentials.
  3. Perform the full registration process for the primary key.
  4. Register the account with the spare key in Yubico Authenticator using the screenshot of the QR code or copy of the OATH credentials. You do not need to provide another TOTP to the site/service in order to complete the registration process; once your primary key has been successfully registered, spare keys need only to be configured in the Yubico Authenticator app.
  5. Once completed, you should see the keys generate the same TOTP codes in the Yubico Authenticator app. As a security best practice, delete the QR code screenshot or copy of the OATH credentials once all spare keys have been registered.

Passkeys

To register a spare YubiKey for use as a passkey with an existing account or service, follow the same steps you performed when registering your primary key. See the Works with YubiKey catalog for more information on your account’s specific registration process.

Yubico OTP application credentials

Spare YubiKeys can be configured for all Yubico OTP application configuration types:

  • Yubico OTP
  • Challenge-response
  • Static password
  • OATH HOTP

Yubico OTPs

For sites and services that use Yubico OTP authentication, register a spare key the same way that you registered the primary key. See the Works with YubiKey catalog for more information on your account’s specific registration process.

An important caveat: if the site/service in question uses the YubiCloud validation service and the Yubico OTP credential on your spare key has not been registered with YubiCloud, you will need to do that prior to registering the key with the site/service. To register a Yubico OTP credential with YubiCloud, upload the required information via the Yubico OTP key upload form. You will need the key’s serial number, public ID, private ID, and secret key.

How do you know if your Yubico OTP credential is registered with YubiCloud? Generate and submit a Yubico OTP with your key for validation on the Yubico demo site. As a reminder, tap the key briefly to activate the short press slot or touch and hold the key to activate the long press slot.

Note

Standard YubiKeys are preconfigured with a Yubico OTP in the short press slot. This credential is also preregistered with YubiCloud for out-of-the-box validation.

If the site/service uses a non-YubiCloud validation server, the OTP credential information (serial number, public ID, private ID, and secret key) will need to be shared with the server during the registration process.

Challenge-response credentials

To register a spare YubiKey for challenge-response authentication, you must configure a slot of the spare YubiKey with the same challenge-response secret key as your primary key.

If you do not have a copy of the secret key that the primary key was configured with, you will have to reconfigure and reregister the primary key in addition to configuring the spare key.

Static passwords

To register a spare YubiKey for static password authentication, you must configure a slot of the spare YubiKey with the same static password and keyboard layout as your primary key.

If you do not remember your static password, open a text editor and activate the slot on your primary key that is configured with the static password (tap the key briefly to activate the short press slot or touch and hold the key to activate the long press slot). The static password will be typed into the text editor.

If you do not remember the keyboard layout the primary key was configured with, you will have to reconfigure and reregister the primary key in addition to configuring the spare key.

OATH HOTP

To register a spare YubiKey for OATH HOTP authentication, you must configure a slot of the spare YubiKey with the same OATH HOTP secret key and OTP length as your primary key.

If you do not have a copy of the secret key that the primary key was configured with, you will have to reconfigure and reregister the primary key in addition to configuring the spare key.

If you do not remember the OTP length that the primary key was configured with, open a text editor and activate the slot on your primary key that is configured with the OATH HOTP credential (tap the key briefly to activate the short press slot or touch and hold the key to activate the long press slot). The HOTP will be typed into the text editor. Count the number of digits present; this is the OTP length.
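The OATH accounts and OATH HOTP sections above both rest on the same fact: a code is a pure function of the shared secret, the counter or clock, and the OTP length. The following added example (not Yubico's code) implements RFC 4226/6238 to show it; the QR payloads, account label and helper names are constructed for illustration.

```python
import base64
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte counter, dynamic truncation, keep `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, digits: int = 6, period: int = 30, algo: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // period, digits, algo)

def parse_otpauth(uri: str) -> dict:
    """Extract the credential carried by the QR code (an otpauth:// URI)."""
    parts = urlparse(uri)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    b32 = params["secret"].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)  # issuers often omit base32 padding
    return {
        "kind": parts.netloc,  # "totp" or "hotp"
        "label": unquote(parts.path.lstrip("/")),
        "secret": base64.b32decode(b32),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algo": params.get("algorithm", "SHA1").lower(),
    }

def code_at(cred: dict, unix_time: int) -> str:
    return totp(cred["secret"], unix_time, cred["digits"], cred["period"], cred["algo"])

# Constructed QR payload; the secret is the RFC 4226/6238 test key, not a real credential.
QR = "otpauth://totp/Example:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
# Constructed payload standing in for a QR code regenerated after the old registration was removed.
NEW_QR = "otpauth://totp/Example:alice?secret=JBSWY3DPEHPK3PXP&issuer=Example"

if __name__ == "__main__":
    primary, spare = parse_otpauth(QR), parse_otpauth(QR)
    now = 59  # fixed timestamp so the output is reproducible
    print("primary:", code_at(primary, now), "spare:", code_at(spare, now))
    print("old secret:", code_at(primary, now),
          "regenerated secret:", code_at(parse_otpauth(NEW_QR), now))
    # Same secret and counter, different OTP length: the codes do not match.
    print("6 digits:", hotp(primary["secret"], 1, 6), "8 digits:", hotp(primary["secret"], 1, 8))
```

Anyone holding the QR screenshot or copied secret can compute the same codes, which is why step 5 says to delete it once the spare keys are configured.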

Start Yubico Authenticator with the app window hidden

Note

Yubico Authenticator can only be started in the “hidden” state on desktop devices.

To reduce desktop clutter, Yubico Authenticator can be started in the “hidden” state; the app runs in the background, but the app window will not be shown until requested.

OATH OTPs can still be generated for pinned accounts from the menu bar/system tray while the app window is hidden.

To start the app with the window hidden, start a terminal and pass the --hidden argument when opening the app. The full command depends on your OS:

macOS:

open -a "Yubico Authenticator" --args --hidden

Windows:

"C:\Program Files\Yubico\Yubico Authenticator\authenticator.exe" --hidden

Linux:

/path/to/authenticator --hidden

Once the app has been started, you will see the Yubico Authenticator icon in the menu bar (macOS) or system tray (Windows, Linux). To show the app window, click on this icon and select Show window. To hide the window again, click on the icon and select Hide window.


Generate OATH OTPs from pinned accounts via the menu bar or system tray

Note

OATH OTPs can only be generated from the menu bar or system tray on desktop devices.

When Yubico Authenticator is running (with the app window shown or hidden), OTPs can be generated for pinned accounts from the menu bar (macOS) or system tray (Windows, Linux) instead of within the app window itself. To do so, perform the following:

  1. Plug your YubiKey into your device.

    To connect via NFC on desktop, click the NFC icon in Yubico Authenticator and place your YubiKey on top of a desktop NFC reader.

  2. If the OATH application of your YubiKey is protected with a password, enter that password on the Accounts screen in Yubico Authenticator and click Unlock. If you remove your key from your device and reconnect it at any point, you will need to enter your OATH password again.

  3. Click on the Yubico Authenticator icon in the menu bar (macOS) or system tray (Windows, Linux). Select the OATH account for which you would like to generate an OTP.

  4. If touching the key is not required to generate the OTP, the YubiKey will light up and remain illuminated for several seconds. This means the key generated the OTP and copied it to the clipboard automatically. Paste the OTP into the desired window.

    If touching the key is required, the YubiKey will flash until you touch the gold contact. Once touched, the key will generate the OTP and copy it to the clipboard.

Important

For some Linux configurations running Wayland, copying an OTP to the clipboard only works when the app has focus (as in, you’ve clicked on the Yubico Authenticator app window). If you are unable to reliably copy to the clipboard from the system tray icon, you can use a separate binary which takes the payload to stdin by defining the environment variable _YA_TRAY_CLIPBOARD. This must be an absolute path to a binary owned by root:root and should not be world-writable. For example: _YA_TRAY_CLIPBOARD=/usr/bin/wl-copy.

Only use a trusted binary. OTPs will be sent to it when copied to the clipboard from the system tray.
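The requirements stated above (absolute path, owned by root:root, not world-writable) can be checked before setting the variable. This is an added example, not Yubico's code: the function names are hypothetical, the regular-file check is an extra assumption, and it does not reproduce whatever validation the app itself performs.

```python
import os
import stat

def helper_problems(path: str) -> list:
    """Return the reasons `path` fails the documented _YA_TRAY_CLIPBOARD requirements."""
    if not os.path.isabs(path):
        return ["not an absolute path"]
    try:
        st = os.stat(path)  # follows symlinks: the target is what would receive the OTP
    except OSError as exc:
        return [f"cannot stat: {exc.strerror}"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")  # added check, not stated on the page
    if st.st_uid != 0 or st.st_gid != 0:
        problems.append(f"owner is {st.st_uid}:{st.st_gid}, expected 0:0 (root:root)")
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems

def check_tray_clipboard_env(environ=os.environ):
    """Check the helper named by _YA_TRAY_CLIPBOARD; None means the variable is unset."""
    path = environ.get("_YA_TRAY_CLIPBOARD")
    if path is None:
        return None
    return helper_problems(path)

if __name__ == "__main__":
    # /usr/bin/wl-copy is the example value given in the text; it may not exist on this host.
    for candidate in ("wl-copy", "/usr/bin/wl-copy"):
        issues = helper_problems(candidate)
        print(candidate, "->", "ok" if not issues else "; ".join(issues))
    print("current environment:", check_tray_clipboard_env())
```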

Set an OATH application password

Note

OATH-compatible YubiKeys include the YubiKey 5 Series (standard, FIPS, and CSPN), YubiKey 4 Series, and YubiKey NEO.

To further enhance the security of your YubiKey, create a password for its OATH application. Once the OATH application has password protection, the key’s OATH accounts and their OTPs cannot be viewed or generated until the correct password is entered in the Yubico Authenticator app.


To create and manage an OATH password, see the OATH Accounts chapter.

Works with YubiKey Catalog

Not sure if a particular site or service supports a specific security protocol or YubiKey model? Check out the Works with YubiKey Catalog to quickly and easily find compatibility information.
