Best practice is to always have more than one YubiKey. This way, one key can be used as a primary key, and the other can be used as a spare. For security reasons, YubiKey firmware does not allow stored secrets to be read, meaning it is not possible to "clone" or "duplicate" a YubiKey. In general, the process of creating a backup involves manually registering the spare key with every service the first key is registered with. There are a few ways to register a spare key/backup, and the process differs depending on whether the service supports the FIDO security protocols, OATH-TOTP (time-based one-time passwords calculated by Yubico Authenticator), or other protocols.
To see which security protocols the services you use support, refer to the Works with YubiKey catalog.
For any services that use FIDO security protocols, register the second key exactly as you registered the first (essentially, follow the steps documented for the service in the Works with YubiKey catalog twice).
It is important to note that keys are not linked together in any way. Instead, both keys need to be registered separately to the account, and then either can be used for authentication in most scenarios.
If the service uses OATH-TOTP, meaning you use Yubico Authenticator to generate codes to login, then the process is a bit different.
When registering your first YubiKey, you will be given a secret from the service in the form of a QR code:
- Save this QR code! This will be essential to creating a spare key for this particular account in the future. Take a picture of the QR code and store it someplace safe.
- Then, you will scan the QR code with Yubico Authenticator, and then scan your YubiKey to link the two.
- Next, to create a spare key for this account, you will need to scan the same QR code generated from the initial registration and then scan your spare YubiKey. Now, either key can be used to authenticate.
Note: If you did not save the QR code generated the first time and you want to create a spare key for this particular account, you will need to delete your primary key from the account and restart the registration process. This time, be sure to save the QR code generated! This article goes over how to use your YubiKey with authenticator codes and may be useful.
For services that use challenge response, or if you use the YubiKey's static password function, the backup process is similar to OATH-TOTP in that you will program the same credential into your backup YubiKeys in most scenarios. For most configurations, you should be able to use the Slots menu in Yubico Authenticator to accomplish this.
For challenge response, you will need to have a backup of the secret that was programmed into your primary YubiKey in order to program the same credential into other YubiKeys. If you don't have this, you will need to restart the setup process with the service(s) you use challenge response with, making sure to save a copy of the secret key in the process.
For static passwords, you likely will not need a backup of the original credential, but will be able to use the YubiKey's output (the static password it "types") to program your backup key(s). However, if you programmed a static password that is greater than 38 characters, you will need a copy of the parameters of your static password credential in order to program it into another key. Similar to challenge response, if you do not have these parameters, you will need to reconfigure your primary YubiKey and the services you use its static password with, saving a copy of the new parameters if your new static password also exceeds 38 characters.