Author:  fickleferret [ Wed Jun 17, 2015 2:34 am ]
I've been poking around looking for how to back up the Yubikey. Most of what I've read states that you basically cannot back up the OTP portion of it. Seeing as I have a paranoia of setting up strong security and then breaking or losing the device, I'm looking for a way to accomplish this. I would similarly like a means that does not involve having multiple Yubikeys, as presumably an incident or defect could cause several of them to go bad at the same time.

My question is this: In the personalization tool, could I not initially generate my own Secret Key value, write it down and save that value in a safe? This way, if I have an issue with my Yubikey, I could get a new one, retrieve the secret key from my safe, and re-enter the same information into the new key. That way, I now have two mediums upon which this security information is based, and it is less likely that both will have difficulties at the same time.

Author:  erikie [ Mon Jun 22, 2015 10:18 am ]
Well, actually you can generate your own key with the Yubikey personalization tool and upload it to the Yubico servers, and of course you can back up the generated secrets & identities.
However, there is one caveat: the Yubikey also implements two counters in the OTP (insertion & timer counter) in order to foil replay attacks.
And these counters (to the best of my knowledge) cannot be set in said personalization tool, nor on the Yubico servers.
As a consequence, if you implement the backup on another key in case the old one is unusable, the counters are reset to zero again, so the new OTPs start over again and will not be accepted by the server due to the anti-replay check (i.e. the old counters are used again).
This is not so much of an issue if you hardly use the Yubikey, as you just need to keep on generating OTPs until the old counters are overtaken; however, in reality you will use the key quite often, and therefore you may need to generate hundreds if not thousands of times in order to overtake the old counters, which may not be very useful.
In short, it is possible to back up newly generated secrets & identities for your Yubico OTP, but I fear it may prove not to be very useful (I have tried this myself).
If you want a backup in case your Yubikey malfunctions, it would IMHO be much better to use (and perhaps generate) a new key and add it to your service; when the old key is dysfunctional, you would then have a fresh key you can use.

Hope this advice provides a useful explanation for you...

Kind regards, Erik...
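The counter behaviour Erik describes, as an added example (this is not code from the thread, from the personalization tool or from Yubico): a small Python simulation of a YubiKey OTP generator and a validation server. It builds the 44-character Yubico OTP (a 12-character modhex public ID followed by an AES-128-ECB-encrypted 16-byte token carrying the private ID, the non-volatile usage counter, the per-session use counter and a CRC-16), and applies the server-side rule that an OTP is accepted only if its (usage counter, session use) pair is strictly greater than the last pair stored for that public ID. The public ID, private ID and AES key are constructed test values, the timestamp and random fields are fixed, and the AES implementation is textbook pure Python so the script runs offline; it is not meant for production use.

```python
# Added example (not from the thread): simulated YubiKey OTP generation and validation.
MODHEX = "cbdefghijklnrtuv"   # Yubico modhex alphabet; the value of a char is its index
CRC_RESIDUE = 0xF0B8          # CRC-16 over a valid 16-byte token, CRC field included

def _gmul(a, b):              # multiply in GF(2^8) with the AES polynomial
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = (((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1), b >> 1
    return r

def _sbox_entry(p):           # inverse in GF(2^8) (p^254, with 0 -> 0), then the affine map
    inv = p
    for _ in range(253):
        inv = _gmul(inv, p)
    x = inv ^ inv << 1 ^ inv << 2 ^ inv << 3 ^ inv << 4   # inv xor its four left rotations
    return ((x ^ x >> 8) & 0xFF) ^ 0x63

SBOX = [_sbox_entry(p) for p in range(256)]
INV_SBOX = [SBOX.index(i) for i in range(256)]

def _round_keys(key):         # AES-128 key schedule: 11 round keys of 16 bytes each
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rcon = t[0] ^ rcon, _gmul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _shift_rows(s, d):        # state index = 4*column + row; row r rotates by d*r positions
    return [s[4 * ((c + d * r) % 4) + r] for c in range(4) for r in range(4)]
def _mix_columns(s, m):       # multiply each column by the circulant matrix whose first row is m
    return [_gmul(s[4 * c], m[(0 - r) % 4]) ^ _gmul(s[4 * c + 1], m[(1 - r) % 4])
            ^ _gmul(s[4 * c + 2], m[(2 - r) % 4]) ^ _gmul(s[4 * c + 3], m[(3 - r) % 4])
            for c in range(4) for r in range(4)]

def aes128_encrypt(key, block):
    rk = _round_keys(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for r in range(1, 11):
        s = _shift_rows([SBOX[b] for b in s], 1)
        s = _mix_columns(s, (2, 3, 1, 1)) if r < 10 else s
        s = [b ^ k for b, k in zip(s, rk[r])]
    return bytes(s)
def aes128_decrypt(key, block):
    rk = _round_keys(key)
    s = [b ^ k for b, k in zip(block, rk[10])]
    for r in range(9, -1, -1):
        s = [INV_SBOX[b] ^ k for b, k in zip(_shift_rows(s, -1), rk[r])]
        s = _mix_columns(s, (14, 11, 13, 9)) if r > 0 else s
    return bytes(s)

def modhex_encode(data):
    return "".join(MODHEX[b >> 4] + MODHEX[b & 15] for b in data)
def modhex_decode(text):
    return bytes(MODHEX.index(text[i]) << 4 | MODHEX.index(text[i + 1]) for i in range(0, len(text), 2))
def crc16(data):              # CRC-16 the YubiKey uses: reflected poly 0x8408, init 0xFFFF
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ (0x8408 if crc & 1 else 0)
    return crc

def new_key(pub, priv, key):  # simulated key; the usage counter is non-volatile, session use is volatile
    return {"pub": pub, "priv": priv, "key": key, "usage": 0, "use": 0}
def insert(dev):              # power-up ("insertion"): usage counter +1, session use back to 0
    dev["usage"], dev["use"] = dev["usage"] + 1, 0
def press(dev):               # token = uid(6) | usage(2) | timestamp(3) | use(1) | rnd(2) | ~crc(2), LE
    token = (dev["priv"] + dev["usage"].to_bytes(2, "little") + b"\x00\x00\x00"
             + bytes([dev["use"]]) + b"\x34\x12")   # timestamp and random are fixed (constructed)
    token += (~crc16(token) & 0xFFFF).to_bytes(2, "little")
    dev["use"] += 1
    return dev["pub"] + modhex_encode(aes128_encrypt(dev["key"], token))

def verify(server, otp):      # server = {"keys": {pub: (priv, key)}, "last": {pub: (usage, use)}}
    pub, body = otp[:12], otp[12:]
    if pub not in server["keys"] or len(body) != 32: return "BAD_OTP"
    priv, key = server["keys"][pub]
    token = aes128_decrypt(key, modhex_decode(body))
    if crc16(token) != CRC_RESIDUE or token[:6] != priv: return "BAD_OTP"
    ctr = (int.from_bytes(token[6:8], "little"), token[11])
    if ctr <= server["last"].get(pub, (0, -1)): return "REPLAYED_OTP"   # not newer: replay or reset
    server["last"][pub] = ctr
    return "OK"

def demo(insertions=40):      # use one key for `insertions` sessions, then clone its secret
    pub, priv, key = "cccccbcdefgh", bytes.fromhex("a1b2c3d4e5f6"), bytes(range(16))  # constructed
    server, old, backup = {"keys": {pub: (priv, key)}, "last": {}}, new_key(pub, priv, key), new_key(pub, priv, key)
    for _ in range(insertions):
        insert(old)
        verify(server, press(old))
    otp = press(old)
    out = {"fresh": verify(server, otp), "replay": verify(server, otp)}
    insert(backup)            # backup has the same secret and IDs, but its counters start at zero
    out["backup_first_otp"] = verify(server, press(backup))
    out["reinserts_to_overtake"] = 0
    while verify(server, press(backup)) != "OK":   # pressing never catches up; only re-plugging does
        insert(backup)
        out["reinserts_to_overtake"] += 1
    return out
```

`demo()` runs the original key through 40 sessions, replays one of its OTPs (rejected), then "restores" the same secret onto a fresh key: the fresh key's first OTP is rejected as well, because its counters are lower than what the server has stored, and it is only accepted after as many re-insertions as the original key had sessions. Pressing the button only moves the session-use byte, which can never outrank a higher stored usage counter, which is why the catch-up Erik describes costs so many OTPs. A second registered key with its own public ID and secret has its own counter state on the server and avoids the problem entirely.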

