Losing your Yubikey can be a nightmare, potentially leaving you locked out of your accounts away from money, emails or messaging apps. But if you've got proper backups in place, recovery should be a relatively painless process to regain access to all your accounts. Preparing for losing a Yubikey does need to be done in advance, but there are still some things you can do if you haven't got backups.
These steps make reference to a Yubikey, but there are plenty of great Yubikey alternatives that this will also be relevant to.
Related
How to travel safely with your YubiKey
Traveling adds a new set of challenges for YubiKey users
Recover your backups
Having secured backups is essential.
Source: Wikimedia Commons
The first thing to do if you've lost your Yubikey is recover your backups. These might be stored elsewhere, with family or friends, or at home. If you're traveling with your Yubikey, this might be harder, and you may need to ask a friend or member of family to access your backups on your behalf to regain access to your essential services.
What your backups look like may change depending on how you have set up your Yubikey. This might be 2FA recovery codes, a completely separate Yubikey, an alternative method of two-factor authentication or a hard copy of your TOTP seeds. What's important is that you have a backup, and have it somewhere secure, but accessible in an emergency. Ideally, you'd store at least two backups, with one away from your home, either in your office or with a friend or family member.
What to do if you don't have backups
If you don't have any backups and have lost your Yubikey, this can pose a more serious problem. Unfortunately, it is possible that you may end up locked entirely out of some accounts. We'd recommend going through these steps for each of your essential accounts.
- Check for any other alternative means of two-factor authentication, i.e. via email, mobile phone. Make use of these if you can to regain access to your account.
- If that fails, access the service on any device that may already be logged in. You may be able to add a new 2FA device (or remove your old one) using an existing session.
- If you are still locked out of your account, contact support and explain the situation. They may be able to authenticate you separately to recover your account.
If none of these options work, you may be locked out of your account. If you're having difficulty getting a reply from support, try reaching out on social media or through other means. Whether you can access a locked account if you don't have your recovery codes and have lost your 2FA method will vary from service to service. Highly-secured applications like password managers are likely impossible to recover once you've lost all methods of two-factor authentication.
Regain access to essential services
Focus on your most essential services, like email, first.
Once you've accessed your backups, the first thing to do is ensure you've got access to your most essential services. If you're using a password manager, I would make this your first priority, and I would then prioritize services that act as gateways to other accounts, either via email 2FA or magic sign-on links, as these might be useful for recovering other accounts later.
While it's highly unlikely that someone has compromised your accounts directly through your Yubikey, we'd still recommend checking any sign-in logs or security alerts on your essential accounts, just to be sure you've covered all your bases. You're still protected by your password, so there's not a serious concern here that your accounts might've been compromised.
Remove your old Yubikey from all your accounts
Ensure your lost hardware key is removed and disabled
Once you're into all your accounts, you can remove your Yubikey as a 2FA code from each. If you're using FIDO2, we'd recommend removing the key entirely and setting up a new 2FA code. Similarly, if you're using TOTP via the Yubico authenticator, you'll want to remove your old 2FA set up and generate a new TOTP code. In theory, all of this data should be secured on your Yubikey if you've got a PIN set, but it's still best practice to start fresh with new codes here.
If you're using backup Yubikeys, there's no need to remove and re-add them to any accounts that you've removed your lost Yubikey from.
Be sure to replace your backups when generating new 2FA options!
Order a new Yubikey and start setting up again
We'd recommend using TOTP or an alternative 2FA method in the interim.
Source: Yubico
Now that you've accessed all of your accounts, it's time to order a new Yubikey. Once it's arrived, start re-setting up your accounts for use with U2F/FIDO. We'd recommend not falling into the trap of using your backup key while you're waiting for a new key - it's easy to postpone buying and setting up a new key only to forget and end up losing your backup key with no easy fallback. Once you've got access to your accounts, we'd suggest ordering a key straight away and using alternative forms of 2FA until it arrives - whether that's email, your mobile or TOTP.
It's important to stress again here that it's essential that you update your backups - especially if you've removed 2FA devices from your accounts and added new methods as this can invalidate your existing recovery codes. This can also be a good opportunity to change how you're storing or tracking what accounts are accessed with your Yubikey, optionally by keeping your seeds or TOTP data in a password manager that supports FIDO2. This is also a good opportunity to review your backups, and save any new backups if you require them.
Losing your Yubikey isn't the end of the world, but it can be very inconvenient
The nature of how Yubikeys are implemented for second-factor authentication greatly improves your online security without exposing you to significant risk when you lose your key. That said, it is a faff to lose your key, and it's important to properly remove it from every relevant account.
We also find that keeping track of accounts where your Yubikey is set up, in a password manager or similar, can greatly help the recovery process.
- NAS, IOT, and everything else
- hardware key
- 2fa
Your changes have been saved
Email is sent
Email has already been sent
Please verify your email address.
You’ve reached your account maximum for followed topics.
Manage Your List
Follow
Followed
Follow with Notifications
Follow
Unfollow
Readers like you help support XDA. When you make a purchase using links on our site, we may earn an affiliate commission. Read More.
