YubiKeys can enhance the security of your devices, networks, and online accounts without adding friction to the user experience. To keep your YubiKey and associated accounts secure, here are some best practices to abide by:
1. Secure Your Physical YubiKey
Treat your YubiKey as you would any other physical key. Anyone who possesses the key will be able to complete authentication if they’ve also compromised your other credentials, such as your password or PIN.
If you need it to access systems and accounts at work, it may be worthwhile to attach it to a lanyard and wear it around your neck with your ID badge or other necessary credentials. If you use it for your personal accounts, keep it somewhere safe where others cannot access it.
2. Enable PIN Protection
You can enable PIN protection for YubiKeys to add an extra layer of security and prevent unauthorized access to your account or device. Within the YubiKey Manager application, you can navigate to the Personal Identity Verification (PIV) optionand set a new PIN of six to eight digits.
Test that it’s properly set by removing and reinserting the YubiKey to see if you are prompted to enter your new PIN before accessing your account.
3. Create Backups
It’s recommended to use backup YubiKeys, just like you typically have a backup house or car key.
You can register one key as your primary and the other as the spare, allowing you to access critical accounts and devices even if your primary key is lost or damaged. Thus, you can avoid getting locked out of your accounts and going through the lengthy account recovery process.
4. Use Two-Factor Authentication (2FA)
In some cases, you can use a hardware authenticator like YubiKey as your single factor for authentication. However, you should enhance the security of your accounts, networks, and devices by enabling two-factor authentication (2FA).
Depending on the service provider, the steps to set up 2FA with YubiKey may differ. Oftentimes, you can do so in a few steps within your security preferences under account settings and follow the steps we listed above to pair the key with your account.
5. Record Recovery Codes
During the YubiKey setup process, you will have the option to generate recovery codes. If you no longer possess your security key, these codes are the only way to access your account, so record them accurately and keep them in a safe storage location. Once you've finished configuring your key, it will be impossible to retrieve the codes.
You may choose to store the codes in an encrypted file on your device. Or, you can print them off and store them in a locked safe or security deposit box that only you have access to.
6. Be Cautious with U2F
If you use YubiKey for U2F authentication, always verify website URLs, ensuring they match what you expect when prompted to insert your YubiKey. If you notice an abnormal or unusual URL, it could be a sign that a bad actor is trying to redirect you and compromise your credentials through a phishing attempt.
The YubiKey’s LED blinking pattern should also match your expectations during U2F authentication.
7. Lock Devices
If you leave the YubiKey attached, like if you’re using a nano model, always set up a lock screen and password protection to prevent unauthorized access to your device and accounts.
Otherwise, anyone who could access your laptop, mobile device, or desktop computer would be able to view, change, or steal its contents.
8. Segregate Keys
Consider using unique YubiKeys for different accounts and devices to minimize potential security risks if one of your keys is compromised.
For instance, if one of your keys is stolen but you’ve only registered it to access your personal email account, the thief could not use it to access your laptop, work email, password manager, Facebook account, or other YubiKey-protected devices and applications.
