Register a Spare YubiKey
We at Yubico always recommend having more than one YubiKey. This way, one key can be used as a primary key, and the other can be used as a spare. There are a few ways to register a spare key, and the process is different depending on if the service supports Yubico OTP and FIDO security protocols, or OATH-TOTP protocol.
Keys are not linked together in any way. Rather, both keys nare registered separately to the account. That way either can be used for authentication.
Identify your service security protocols
Identify the security protocols the services you use support. Check our Works with YubiKey Catalog.
Generate the QR code for the YubiKey
- If the service uses Yubico OTP or FIDO security protocols, register the second key exactly as you registered the first. Follow the same setup instructions listed in our Works with YubiKey Catalog.
- If the service uses OATH-TOTP protocol, meaning you use the Yubico Authenticator app to generate codes to login, then the process is a bit different.
Save this generated QR code!
Saving the QR code essential to creating a spare key for this particular account in the future. We recommend taking a picture of the QR code and storing it someplace safe.
Locate the QR code for your primary YubiKey
When registering your first YubiKey, you are given a secret from the service in the form of a QR code.
If you did not save the QR code generated the first time,
Step 1: Delete your primary key from the account. Step 2: Restart the registration process again. Step 3: Be sure to save the QR code generated!
See, Using MFA Authenticator Codes with your Yubikey on Mobile Devices. This article describes how to use your YubiKey with authenticator codes.
Link the primary YubiKey QR code with the spare YubiKey
Step 1: Use the Yubico Authenticator app, to scan the QR code from the first time you registered a YubiKey to this account. Step 2: Scan your primary YubiKey.
This links the primary YubiKey QR code and the primary YubiKey to the account.
Create a spare key for this account
Step 1: Scan the same QR code generated from the initial registration (when you registered the primary YubiKey). Step 2: Scan your spare YubiKey.
Now either key can be used to authenticate.
Challenge-Response services backup process
For services that use Challenge-Response, the backup process is similar to OATH-TOTP.
Step 1: Locate a backup of the secret that was programmed into your primary YubiKey.
This is required to program the same credential into your spare YubiKeys.
If you do not have the Challenge-Response secret:
- Re-set up your primary YubiKey with the service(s) that use Challenge-Response.
- Save a copy of the secret key in the process.
Program the same credential into your backup YubiKeys. For most configurations, you should be able to use the Applications > OTP menu in YubiKey Manager to accomplish this.
Static password function backup process
If you use the YubiKey’s static password function, the backup process is similar to OATH-TOTP.
For static passwords, you likely do not need a backup of the original credential, but can use the YubiKey’s output (the static password it “types”) to program your backup key(s).
If you programmed a static password that is greater than 38 characters using the Static Password > Advanced menu in the YubiKey Personalization Tool, in order to program it into another key you need:
- A copy of the parameters of your static password credential (public ID, private ID and secret key).
- To use the Personalization Tool.
If you do not have these parameters:
Step 1: Reconfigure your primary YubiKey and the services you use its static password with. Step 2: Save a copy of the new parameters – if your new static password also exceeds 38 characters and was programmed using the Static Password > Advanced menu.
To file a support ticket with Yubico, click Support.