I don't know why, but I'm still a bit afraid of using a security key everywhere.
I have an irrational fear of losing/breaking my security key. Even though I know my phone is fine and always with me (as a comparison).
I just set up a whole backup solution for my many self-hosted applications, all encrypted with the keys safely in my password manager. Even uploaded to S3, because I figured if I'm paying for it, I could ID-and-support-ticket my way to my data even if I lost my AWS credentials.
I don't know how to integrate a security key into this scheme. What to do if it actually gets lost?
Will I have to use emergency codes for all the accounts?
Can I make a backup of it somewhere?
Would that defeat the purpose?
I'll buy one someday, when I have all this figured out.
I think that worry makes sense. It is a good idea to keep a backup. For example, you could get two YubiKeys, use one as your primary, and put the other in a safe place as your backup.
It is a little bit of a hassle. But changing 200 passwords because LastPass was breached is also a hassle.
One option is to have two identical security keys. In general, you can't easily read the secrets from an existing key, but you can overwrite/initialize them to get two with identical data.
The problem with that is that it requires having all these security keys available in order to enrol them, which is not possible if you want to store one of them in a different secure location. If you have two keys in your pocket, that's not much of a backup; having two identical keys means that you can enrol the one in your pocket and if it gets lost, the copy from your safe works.
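The two replies above describe programming two keys with identical data so that only one needs to be enrolled. The following is an added example, not code from the thread or from any key vendor, that models why this works for a seed-based OTP slot: both tokens and the server share one seed, so the server accepts either token. It also shows the caveat a practitioner should expect, namely counter drift, since each physical token keeps its own HOTP counter and the server only tolerates a limited look-ahead. The `OtpToken` and `Verifier` classes are hypothetical models, and the seed is the RFC 4226 test vector, not a real secret.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class OtpToken:
    """Hypothetical model of one programmable OTP slot on a hardware key: the seed is
    written once and is never readable afterwards; each press emits the next code."""

    def __init__(self, seed: bytes) -> None:
        self._seed = seed      # write-only after programming
        self._counter = 0      # every freshly programmed token starts at 0

    def press(self) -> str:
        code = hotp(self._seed, self._counter)
        self._counter += 1
        return code


class Verifier:
    """Hypothetical server side of the enrolment: stores the seed once and uses a
    look-ahead window (RFC 4226 section 7.2) to tolerate presses it never received."""

    def __init__(self, seed: bytes, window: int = 5) -> None:
        self._seed = seed
        self._next = 0         # lowest counter value still acceptable
        self._window = window

    def verify(self, code: str) -> bool:
        for c in range(self._next, self._next + self._window):
            if hmac.compare_digest(hotp(self._seed, c), code):
                self._next = c + 1   # counters at or below c can never be replayed
                return True
        return False


def demo() -> dict:
    """Walk through the two-identical-keys scenario; returns what the server accepted."""
    seed = b"12345678901234567890"   # RFC 4226 test-vector seed (constructed), not a real secret
    primary, backup = OtpToken(seed), OtpToken(seed)   # two keys programmed identically
    server = Verifier(seed, window=5)                  # enrolled once, with the primary
    result = {}
    result["primary_accepted"] = server.verify(primary.press())            # counter 0
    # The backup sat in the safe, so its first press repeats counter 0: a replay, rejected.
    result["backup_replay_rejected"] = not server.verify(backup.press())
    # Its second press (counter 1) falls inside the window, so it works without re-enrolment.
    result["backup_catches_up"] = server.verify(backup.press())
    # Caveat: unsubmitted presses on the primary push its counter past the server's window.
    for _ in range(6):
        primary.press()                                                    # counters 1..6, never sent
    result["drifted_primary_rejected"] = not server.verify(primary.press())  # counter 7; window is 2..6
    return result


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The drift case is why a real verifier offers a resynchronisation step (typically two consecutive codes) and why time-based OTP, where both tokens derive the same code from the clock, does not have this problem at all. It also shows the limit of the approach: cloning only works for slots whose secret you write yourself, not for credentials the key generates internally and never exports.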