
Comments (8)

dainnilsson avatar dainnilsson commented on July 27, 2024

No, as the credentials themselves are stored on the actual YubiKey, you
would have to load each credential onto both keys to achieve this. An
alternative way to keep backups is to save the QR code (or textual secret)
in a safe location for each credential, so that you can re-add each
credential onto a new YubiKey if the primary one is lost or damaged.

On Oct 17, 2015 9:49 PM, "Carl Boettiger" [email protected] wrote:

> Is there any way to configure this app such that a second Yubico key could
> be used to retrieve the authentication codes if the original key is stolen
> or destroyed?



from yubioath-android.

cboettig avatar cboettig commented on July 27, 2024

Thanks for the reply. Not entirely sure how one would load each credential onto both keys; is that something this app could facilitate in future, or will that always require the computer-based toolkit? I'm a bit worried that if I did lose my primary key that I might not manage to load the stored credential manually. Could the app at least assist in caching the QR/textual secret, or would that pose a technical or security weakness?

For sites with U2F support it is always straightforward to add multiple keys; but many major services (looking at you AWS) still don't support U2F (or other YubiKey authentication). Seems like the regular Google Authenticator app might be preferable to the risk of losing my YubiKey.


cdmackay avatar cdmackay commented on July 27, 2024

Just store the QR/secret somewhere, like where you store your passwords. I store mine in LastPass. Then they can be added manually onto other keys (or into Google Authenticator again, come to that).


ChrisHalos avatar ChrisHalos commented on July 27, 2024

As Dain said, if you don't have a second NEO to make a backup initially, you can simply take a screenshot of the QR code from your account, or there is an option under the QR code to display the secret key. Just copy this text and save it in a safe place. You can always add this same credential to another NEO later by selecting "Add account manually". The ideal solution is to have a second NEO as a backup, in which case, you would do the following for each account:

(1) Get to the page with QR code
(2) Go to the Yubico Authenticator for Android app, tap the top right, and select "Scan account QR code"
(3) Aim your phone's camera at the QR code in your account
(4) Hold the NEO to the NFC antenna when prompted - you will get "Credential added"
(5) Tap on the top right of the Yubico Authenticator for Android app and select "Scan account QR code"
(6) Aim your phone's camera at the QR code in your account
(7) Hold the 2nd NEO to the NFC antenna when prompted - you will get "Credential added"
(8) Use the current 6 digit OATH code showing in the Yubico Authenticator for Android app and enter this code into your account to confirm the code is correct.

Now both NEOs have the same credential.


nogweii avatar nogweii commented on July 27, 2024

A slightly different approach, but is there a way to retrieve the secrets from the YubiKey? I have already added a few services' OATH secrets to the 'key but didn't make a backup at the time. (My bad!) I'm guessing there isn't a way, but just wanted to confirm.


cboettig avatar cboettig commented on July 27, 2024

@ChrisHalos Thanks very much for these directions, that works like a charm using two NEO keys. It would be great to have this documented somewhere obvious.

During the setup when the website asks you to confirm the pin, I was always worried that I wouldn't be able to enter the pin from two different keys. In retrospect I suppose it should have been clear that since I was storing the same credential on both keys that this would work, but this stuff gets confusing easily.

@evaryont Sounds like you'd have to start again by removing and re-adding those services, though clearly I'm not the expert on this.


brendanhoar avatar brendanhoar commented on July 27, 2024

  1. You can load TOTP (time-index) secrets into as many keys as you want, but you must capture the secret somewhere you believe is safe (e.g. LastPass notes or a pinpad-equipped hardware-encrypted USB drive).
  2. Secrets cannot be extracted from the YubiKey. So, record them first. Either record the image, convert the image to text and extract the secret, or use the optional text code that some services provide. Then load that into each key.
  3. HOTP (counter-index) secrets can only be used in a single key, because the counter is also incremented in the key... but those are much more rare these days. Almost all services use TOTP instead.

from yubioath-android.
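The three points above, worked through in code; this is an added example, not part of the original thread or of the yubioath-android code. It assumes the QR code decodes to an `otpauth://` key URI with HMAC-SHA1; `SAMPLE_URI` is constructed from the RFC 6238 test key and `HotpToken` is a hypothetical model of a key that stores its own counter.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

# Constructed sample: the text a TOTP enrolment QR code decodes to. The secret is
# the RFC 6238 test key ("12345678901234567890") in Base32, not a real credential.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")

def parse_otpauth(uri):
    """Return (type, raw secret bytes, digits, period) from an otpauth:// URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth TOTP/HOTP URI")
    q = parse_qs(u.query)
    b32 = q["secret"][0].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)  # services often strip the Base32 padding
    digits = int(q.get("digits", ["6"])[0])
    period = int(q.get("period", ["30"])[0])
    return u.netloc, base64.b32decode(b32), digits, period

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, unix_time, digits=6, period=30):
    """RFC 6238: HOTP whose counter is derived from the clock, not stored state."""
    return hotp(secret, unix_time // period, digits)

class HotpToken:
    """Hypothetical key holding an HOTP credential; the counter lives on the device."""
    def __init__(self, secret):
        self.secret, self.counter = secret, 0

    def press(self):
        code = hotp(self.secret, self.counter)
        self.counter += 1  # state changes on this key only
        return code

if __name__ == "__main__":
    kind, secret, digits, period = parse_otpauth(SAMPLE_URI)
    # Any key loaded with this secret shows the same code for the same time step.
    print(kind, totp(secret, 59, digits, period))
    primary, backup = HotpToken(secret), HotpToken(secret)
    primary.press(); primary.press()
    print(primary.press(), backup.press())  # counters have diverged
```

The TOTP code depends only on the secret and the clock, which is why a saved QR text can enrol any number of keys; the HOTP code depends on per-device state, so a second key falls out of step as soon as the first one is used.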

dainnilsson avatar dainnilsson commented on July 27, 2024

Closing this as it isn't really an issue.

