Yubico Forum

Lost/damaged key replacement questions
Page 1 of 1

Author:  eduqate [ Mon Jul 12, 2010 12:24 pm ]
Post subject:  Lost/damaged key replacement questions

Sorry if some of these questions seem naive; I have tried RTFMing and couldn't find the answers, so pointers would be appreciated.

I am thinking of deploying the Yubikey in a number of scenarios such as accessing encrypted volumes or login to local or web services.

Am I correct in believing that for accessing encrypted volumes I must use a static password? If the YubiKey is lost or damaged, is it sufficient to program another YubiKey with the same password, or do I need to somehow clone the old YubiKey?

For login to online services it would be nice to consider one-time password usage; however, this will require extra processing at the server to validate the passwords, correct?

Is replacing lost OTP YubiKeys feasible, or is it only realistic to issue a new YubiKey to that user and revoke the old one? If this is the case, then do all YubiKey installations ultimately hinge on a static password, as OTP devices are vulnerable to loss or damage and are thus not reliable for master key usage?

In brief, what is best practice for replacing lost or damaged YubiKeys, either static or OTP?

Author:  samir [ Thu Jul 22, 2010 12:00 pm ]
Post subject:  Re: Lost/damaged key replacement questions

Regarding the static password (Backup Key):
Two or more YubiKeys can be configured to emit the same static password by programming them with the same programming parameters: the same AES Key, the same Public ID and the same Private ID. For more information, please see the following post:

For login to online services, Yubico provides the OTP validation service, the Web Service API and corresponding clients in various programming languages that can be easily integrated by application developers.

Regarding replacing a lost OTP YubiKey, it really depends on whether the application lets administrators reassign a new key to the user. However, to avoid unauthorized use of lost YubiKeys (OTP validation), users/client administrators can enroll their YubiKeys with the YubiRevoke Service (https://admin.yubico.com/yubirevoke/login.php). The YubiRevoke service allows specific YubiKeys to be disabled (or re-enabled) on the Yubico Validation Service in case they are lost. This is very effective in preventing any potential misuse of YubiKeys if they fall into the wrong hands.
