How to Manage Multiple Hardware Security Keys Safely?

Asked By CuriousCat123 On

Hey everyone! I'm currently setting up YubiKeys as hardware security keys for my important accounts. It's widely recommended to have a pair of these keys, with one kept offsite for extra security. However, I'm facing a bit of a dilemma: when you have a key stored in a different location, how do you handle the situation where you need both keys at the same time for setting up multi-factor authentication (MFA) on new services? Is it wise to register the two keys separately, or do most of you keep everything in sync? Also, how often do you check that all your keys are functioning properly? I'd love to hear your strategies!

4 Answers

Answered By SecureSeeker57 On

I usually register all my keys at once and then split them up for security purposes. I keep one on me, one hidden at home, and another in my office. It might depend on what you're doing though—if you need to add a new account later, how do you manage that? It could be tricky if your backup key is far away!

WiseWizard99 -

That’s a good point! Usually, if I need to add another account, I try to plan a trip to where my offsite key is or just sync everything next time I’m there.

Answered By TechieTommy On

For my setup, I prefer to have three keys: one on-site, one off-site, and one that's always with me on my keychain. When I set up something new, I register the on-site and keychain ones from the start. After that, when I visit my off-site key, I just register it for any new services I've started using since the last time I collected it.

Answered By FidoFanatic On

Actually, with FIDO2 keys, you don’t need all the keys in the same place to register them. For example, I have three YubiKeys. I usually register the first two keys and then just make a note to register the third key later when I visit it again. I keep my recovery codes stored separately to use in the meantime, which helps a lot!

BackUpBuddy -

That’s super helpful! It’s good to know I can still register keys at different times, especially since TOTP can complicate things further. I've had issues managing TOTP alongside FIDO2.

Answered By SafetyNetGuy On

Having multiple recovery options is key! Most services offer backup codes or TOTP for recovery, which can be more straightforward than trying to manage multiple YubiKeys all the time. They’re handy for recovery but aren’t usually needed for daily use, as you pointed out.
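
One way to keep the "register the offsite key on the next visit" notes described in the answers above is a small ledger of which key is enrolled at which service. This is an added example, not code from any poster; the key labels, service names and ledger format are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Service:
    name: str
    registered: set = field(default_factory=set)  # labels of keys enrolled here
    recovery_codes_stored: bool = False           # backup codes kept separately

def pending_for(key, services):
    """Services where `key` is not enrolled yet: the to-do list for the next visit."""
    return sorted(s.name for s in services if key not in s.registered)

def lockout_risks(services, lost):
    """Services with no way back in if every key in `lost` disappears at once:
    all enrolled keys are in `lost` and no recovery codes are stored."""
    return sorted(
        s.name for s in services
        if not (s.registered - lost) and not s.recovery_codes_stored
    )

# Constructed sample ledger (hypothetical key labels and service names).
LEDGER = [
    Service("email", {"keychain", "home", "offsite"}, True),
    Service("bank", {"keychain", "home"}, True),
    Service("code-host", {"keychain", "home"}, False),
    Service("vpn", {"keychain"}, False),
]

if __name__ == "__main__":
    print("Enroll offsite key at:", pending_for("offsite", LEDGER))
    print("Locked out if keychain+home are lost:",
          lockout_risks(LEDGER, {"keychain", "home"}))
```

Running `lockout_risks` with the set of keys that live in the same place shows which accounts depend on the offsite key or recovery codes that are not there yet.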
