YubiKey and FIDO2 keys: everything they didn't tell you

Model selection. Multi-key setup (primary + backup + third party). Protocols: FIDO2/WebAuthn, PIV, OpenPGP, OTP. Lifecycle and reset.

Threat level: Business travel

This version was translated with AI assistance and reviewed by a human.

A security researcher loses their YubiKey on a business trip. They have one key. 47 accounts are locked out. Three weeks to recover access one by one, through more or less painful recovery procedures. “I thought one key was enough.” This is the most common pattern I see: buy a YubiKey, register it on a few accounts, and never think about the loss scenario.

The common trap

Buying a YubiKey is not a security strategy. The key is a tool. The strategy is the deployment — how many keys, on which accounts, where is the backup, how do you handle loss, how do you manage the lifecycle.

The most common configuration I see: one YubiKey, registered on two or three important accounts (Google, GitHub), with insecure recovery methods still active in parallel (SMS, unprotected recovery email). In this case, the YubiKey helps at the margin but doesn’t radically change your exposure. Worse: if the recovery method is an SMS to an unprotected mobile number, the attacker can bypass the YubiKey via SIM swap.

The baseline rule: every critical account must have two hardware keys registered, and alternative recovery methods must be at least as secure as the primary key.

The protocols explained without jargon

A YubiKey can operate under several different protocols. Understanding which one is used for which account changes what you can actually accomplish.

FIDO2 / WebAuthn

This is the main protocol, the one you should prioritize. It offers phishing resistance that exists in no other authentication factor.

Here’s why: when you register a FIDO2 key on a site, the key creates a cryptographic key pair bound to the exact domain of the site (accounts.google.com, for example). During a login attempt, the key verifies that the domain requesting authentication matches exactly the registration domain. A phishing page at accounts-google.com or google.com.phishing.example does not match — the key refuses to authenticate. No TOTP token, no SMS does this.
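The domain binding described above, sketched as an added example (not code from the original article or from Yubico). It assumes a simplified client rule (HTTPS plus host-or-subdomain match), a hypothetical ToyAuthenticator class, and constructed values; signature and challenge verification are left out so the RP ID scoping stays visible.

```python
import hashlib
import json
from urllib.parse import urlsplit

RP_ID = "accounts.google.com"                    # registration domain from the article
EXPECTED_ORIGIN = "https://accounts.google.com"

def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()

def browser_allows(origin, rp_id):
    """Simplified client rule: HTTPS page whose host is rp_id or a subdomain of it."""
    parts = urlsplit(origin)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and (host == rp_id or host.endswith("." + rp_id))

class ToyAuthenticator:
    """Hypothetical stand-in for a key: credentials are indexed by SHA-256(rp_id)."""
    def __init__(self):
        self.credentials = {}

    def register(self, rp_id, credential_id):
        self.credentials[rp_id_hash(rp_id)] = credential_id

    def get_assertion(self, rp_id):
        # No credential stored under this RP ID hash: nothing to sign with.
        return self.credentials.get(rp_id_hash(rp_id))

def login_attempt(key, page_origin, requested_rp_id):
    """Credential id the page would get a signature from, or None if blocked."""
    if not browser_allows(page_origin, requested_rp_id):
        return None  # the browser refuses an RP ID the page's origin does not cover
    return key.get_assertion(requested_rp_id)

def server_accepts(client_data_json, authenticator_data):
    """Relying-party side: check type, origin and the rpIdHash (first 32 bytes)."""
    client = json.loads(client_data_json)
    return (client.get("type") == "webauthn.get"
            and client.get("origin") == EXPECTED_ORIGIN
            and authenticator_data[:32] == rp_id_hash(RP_ID))

if __name__ == "__main__":
    key = ToyAuthenticator()
    key.register(RP_ID, "cred-1")  # constructed credential id
    for origin in (EXPECTED_ORIGIN, "https://accounts-google.com",
                   "https://google.com.phishing.example"):
        print(origin, "->", login_attempt(key, origin, RP_ID))
```

A look-alike page fails twice: the browser will not let it request the real RP ID, and if it requests its own domain the key holds no credential under that hash.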

Resident keys (discoverable credentials): a variant where the credential is stored on the key itself, not just at the service. Allows logging in on a new machine without entering a username — just touch the key. More convenient, but the key’s memory is limited (YubiKey 5: 25 resident keys).

WebAuthn is the W3C specification that standardizes the client-side browser interface. FIDO2 is the set of underlying protocols. In practice, the terms are often used interchangeably when talking about hardware authentication in a browser.

OTP (TOTP, HOTP, Yubico OTP)

The YubiKey can generate one-time passwords (OTP). Useful for sites that don’t yet support FIDO2 but accept an authenticator app.

Slot 1 and Slot 2 on YubiKey: two configurable slots for OTP credentials. Slot 1 is enabled by default with Yubico OTP (a short press generates a long OTP). Slot 2 is configurable.

TOTP via YubiKey Authenticator is useful if you want to centralize your TOTPs on the hardware key rather than a mobile app — codes are generated on the key and never leave it.

PIV (Personal Identity Verification)

PIV is the smart card standard for authentication via X.509 certificates. It is used in:

  • SSH authentication with certificates (alternative to SSH keys, with revocation capability)
  • Enterprise environments that use smart cards (Windows Hello for Business, for example)
  • Document signing with a qualified certificate

If you use ssh-agent with a YubiKey in PIV mode, your SSH private key never leaves the YubiKey. The signing operation happens on the key, not on the host machine. If your laptop is compromised, the attacker cannot exfiltrate your SSH private key.

OpenPGP

The YubiKey can store and use PGP keys for:

  • Signing Git commits (git config --global commit.gpgsign true)
  • Encrypting and signing emails (Thunderbird + Enigmail)
  • Decrypting PGP files

The PGP private key is generated on the YubiKey (or imported) and cannot subsequently be exported from it. Same principle as PIV: cryptographic operations happen on the key, not on the machine.

Choosing your model

YubiKey 5 NFC

The reference model. USB-A + NFC. Works with the vast majority of computers and smartphones (NFC). Supports all protocols (FIDO2, OTP, PIV, OpenPGP). This is the model I recommend for a first deployment.

YubiKey 5C NFC

USB-C + NFC. Essential if your laptop only has USB-C ports (recent MacBook Pros, ultrabook laptops). Same capabilities as the 5 NFC.

YubiKey 5 Nano / 5C Nano

Ultra-compact format that stays permanently plugged into the USB port. Convenient for desk use — you never unplug it. Drawback: easy to forget to remove it before handing the machine to someone, or it stays in a stolen laptop.

YubiKey Bio

Adds a fingerprint for local authorization. The key only executes a FIDO2 operation if the fingerprint matches — not just a “touch to confirm.” Useful in shared environments or if you want to prevent a simple physical touch on the key from being sufficient. Higher price, fewer supported protocols (FIDO2 only).

Alternatives

Nitrokey: open-source hardware (designed in Germany), an interesting option for profiles that don’t want to depend on an American manufacturer. Less polished management tools, but functionally equivalent for FIDO2 and OpenPGP.

Google Titan Key: not programmable, supports FIDO2 only. Reliable, simple, not configurable. A correct option if you want just FIDO2 without other protocols.

The three-key rule

This is the deployment framework I apply consistently.

Primary key: on you at all times, used daily. Can be on your keychain or in your bag.

Backup key: stored in a secure, distinct physical location — home safe, bank vault, or with a trusted third party. This key is used only if the primary key is lost or defective.

Third key (optional, for exposed profiles): with a trusted third party (lawyer, trusted family member, colleague) for extreme emergency situations — you are incapacitated, detained, or the backup key is inaccessible.

The absolute rule: every backup key must be registered on all critical accounts at the time of purchase, not after losing the primary key. When you configure an account with the primary key, configure the backup in the same session. If you lose the primary without having registered the backup on the account, you are locked out.

Practical deployment: where to start

Step 1: inventory of critical accounts

Before touching anything, list your critical accounts in order of criticality:

  1. Your password manager (Bitwarden, 1Password, Dashlane) — the most critical, it is the keystone
  2. Your main email — the recovery vector for everything else
  3. Google account or Apple ID
  4. GitHub / GitLab if you are a developer
  5. Bank accounts and crypto if applicable

Step 2: register both keys on each critical account

For each account on the list: log in, go to security settings / two-factor authentication, register the primary key, then register the backup key. Download recovery codes if the service offers them — store them in your password manager or printed in a safe.

Do not immediately disable other MFA methods. Migrate gradually over 2-3 weeks to ensure everything works.

Step 3: test the recovery flow

Once migration is complete: test the recovery flow from the backup key on at least one account. If you have never tested recovery, you will not know if it works when you need it.
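One way to check an inventory against Steps 1 to 3, as an added example (not from the original article). The CSV layout, column names, method labels and sample rows are constructed for illustration; only the rules (two keys per critical account, no weak recovery method, stored recovery codes, one tested recovery) come from the text.

```python
import csv
import io

# Constructed sample inventory; account names follow the article's list, values are invented.
INVENTORY_CSV = """account,keys,recovery_methods,recovery_codes_stored,backup_tested
password manager,primary;backup,recovery_codes,yes,yes
main email,primary;backup,recovery_codes;sms,yes,no
GitHub,primary,recovery_codes,no,no
bank,primary;backup,sms,no,no
"""

WEAK_RECOVERY = {"sms", "email_without_mfa"}   # labels assumed for the weak vectors named in the article
REQUIRED_KEYS = {"primary", "backup"}

def audit(csv_text):
    """Return {account: [findings]} for every account that breaks a rule."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        keys = set(filter(None, row["keys"].split(";")))
        recovery = set(filter(None, row["recovery_methods"].split(";")))
        issues = []
        missing = REQUIRED_KEYS - keys
        if missing:
            issues.append("missing key: " + ", ".join(sorted(missing)))
        weak = recovery & WEAK_RECOVERY
        if weak:
            issues.append("weak recovery still active: " + ", ".join(sorted(weak)))
        if row["recovery_codes_stored"] != "yes":
            issues.append("recovery codes not stored")
        if issues:
            findings[row["account"]] = issues
    return findings

def any_backup_tested(csv_text):
    """Step 3: the recovery flow must have been tested on at least one account."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return any(row["backup_tested"] == "yes" for row in rows)

if __name__ == "__main__":
    for account, issues in audit(INVENTORY_CSV).items():
        print(f"{account}: " + "; ".join(issues))
    print("recovery flow tested:", any_backup_tested(INVENTORY_CSV))
```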

Lifecycle and reset

Loss of primary key: accounts remain accessible with the backup key. Order a new key, register it on all accounts before revoking the old one (if revocable — not all services allow key-specific revocation).

Factory reset: erases all resident FIDO2 credentials, resets OTP counters, clears PIV and OpenPGP slots. Use cases: selling a key, inherited key, potentially compromised key. Run ykman fido reset for FIDO2 and ykman piv reset for PIV.

Lifespan: YubiKeys have no technical expiration. Yubico recommends renewing them at a job change or every 5 years — less for technical reasons than for deployment hygiene (an opportunity to inventory registered accounts).

Common mistakes

One key without backup: the most common case. Works until you lose the key.

Backup registered on only some accounts: you register the backup on Google and GitHub but not on your password manager. If you lose the primary, you are locked out of the manager.

Recovery codes not saved: recovery codes are your final safety net. If you lose them and lose your key, recovery can be very complex or impossible.

Primary and backup in the same bag: you lose both at the same time.

Weak recovery methods still active: SMS backup to a number not protected against SIM swap, recovery email without MFA. The YubiKey is useless if the attacker can bypass it via a weaker vector.

  • N2 Buy at minimum two hardware keys (primary + backup)
  • N2 Register both keys on your password manager first
  • N2 Register both keys on your main email and critical accounts
  • N2 Download and store recovery codes offline for each critical account
  • N2 Store the backup key in a physically distinct location from the primary key
  • N2 Inventory FIDO2-compatible accounts and migrate the most critical ones
  • N2 Test the recovery flow from the backup key on at least one account
  • N3 Install ykman and inventory credentials registered on each key
  • N3 Disable weak recovery methods (SMS) after full migration
  • N3 Register a third key with a trusted third party for highly exposed profiles
