This article applies to all YubiKey and Security Key devices.
For security, the firmware on the YubiKey does not allow for secrets to be read from the device after they have been written to the device. In effect, this means that you cannot duplicate or back up a YubiKey or Security Key. For this reason, we recommend having a backup device and registering both with your accounts so that if one is lost or broken you can use the other to log in.
The only exceptions to this are the few features on the YubiKey where if you backup the secret (or QR code) at the time of programming, you can later program the same secret onto a second YubiKey and it will work identically as the first. These features are listed below.
OATH-TOTP (Yubico Authenticator)
Note: When the Yubico PAM module is used in challenge-response mode (this is the way the Mac Logon Tool works), it uses the device serial to lookup the expected response, which prevents the module from working unless each YubiKey is registered ahead of time. Backing up the HMAC-SHA1 secret and restoring to a different YubiKey later does not work for this scenario as it will have a different serial.