We at Yubico always recommend having more than one YubiKey, so that one key can serve as your primary key and the other as a spare. Please note that, for security reasons, the firmware of our products does not allow stored secrets to be read out, so it is not possible to "clone" or "duplicate" a YubiKey. In general, creating a backup means manually registering the spare key with every service the first key is registered with. There are a few ways to register a spare key, and the process differs depending on whether the service supports the Yubico OTP or FIDO protocols, or the OATH-TOTP protocol.
To see which security protocols the services you use support, you can check our Works with YubiKey Catalog.
For any services that use the Yubico OTP or FIDO protocols, you just need to register the second key exactly as you registered the first, following the same setup instructions listed in our Works with YubiKey Catalog.
It's important to note that keys are not linked together in any way. Instead, both keys need to be registered separately to the account, and then either can be used to authenticate with.
If the service uses the OATH-TOTP protocol, meaning you use the Yubico Authenticator app to generate codes to log in, the process is a bit different.
When registering your first YubiKey, you will be given a secret from the service in the form of a QR code:
- Save this QR code! This will be essential to creating a spare key for this particular account in the future. We recommend taking a picture of the QR code and storing it someplace safe.
- Then scan the QR code with the Yubico Authenticator app and scan your YubiKey to link the two.
- Next, to create a spare key for this account, scan the same QR code from the initial registration and then scan your spare YubiKey. Now either key can be used to authenticate.
Please note that if you did not save the QR code generated the first time and you want to create a spare key for this particular account, you will need to delete your primary key from the account and go through the registration process again. This time, be sure to save the QR code! This article goes over how to use your YubiKey with authenticator codes and may be useful.
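As an added illustration (not Yubico's code or firmware), the following Python models why the saved QR code is what makes a spare possible: the QR code encodes an otpauth:// URI whose secret is the credential itself, so any key provisioned from it computes the same RFC 6238 codes, and the keys never need to be linked. Because the QR image carries that secret in the clear, it needs the same protection as the key it was scanned onto. The URI and its secret below are constructed (the secret is the RFC 6238 test-vector key), not values from any real service.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example of what a service's enrolment QR code encodes. The secret is
# the RFC 6238 test-vector key ("12345678901234567890" in base32), not a real one.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Example%20Service:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Service"
    "&digits=6&period=30"
)

def parse_otpauth_uri(uri: str) -> dict:
    """Extract the fields a key stores when the QR code is scanned."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    params = parse_qs(parsed.query)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"][0],
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }

def totp_code(secret_b32: str, unix_time: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the computation each key performs per code."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // period)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)

def spare_matches_primary(uri: str, unix_time: int) -> bool:
    """Keys are never linked: a spare works only because the same QR-code
    secret was written into it, so both compute the same code."""
    codes = set()
    for _key in ("primary", "spare"):  # same QR code scanned onto each key
        cred = parse_otpauth_uri(uri)
        codes.add(totp_code(cred["secret"], unix_time, cred["digits"], cred["period"]))
    return len(codes) == 1
```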
For services that use Challenge-Response, or if you use the YubiKey's static password function, the backup process is similar to OATH-TOTP in that you will program the same credential into your backup YubiKeys. For most configurations, you should be able to use the Applications > OTP menu in YubiKey Manager to accomplish this.
Note that for Challenge-Response, you will need a backup of the secret that was programmed into your primary YubiKey in order to program the same credential into other YubiKeys. If you don't have this, you will need to set up your primary YubiKey again with the service(s) you use Challenge-Response with, making sure to save a copy of the secret key in the process.
For static passwords, you will likely not need a backup of the original credential; instead, you can use the YubiKey's output (the static password it "types") to program your backup key(s). However, if you programmed a static password longer than 38 characters using the Static Password > Advanced menu in the YubiKey Personalization Tool, you will need a copy of the credential's parameters (public ID, private ID and secret key) to program it into another key, and you will also need to use the Personalization Tool. As with Challenge-Response, if you do not have these parameters, you will need to reconfigure your primary YubiKey and the services you use its static password with, saving a copy of the new parameters if the new static password also exceeds 38 characters and was programmed using the Static Password > Advanced menu.