YubiKey U2F – 2FA protection. Adding a second key. It’s ‘fairly’ simple
Recently I started using a small, wafer-thin USB key that gives me secure 2FA / U2F protection for many programs and web sites that offer 2FA security, like Google Gmail, Facebook, Dropbox etc. These days, a must.
Setting one up isn’t that hard. Basically you choose the two-factor authentication (2FA) option on the site or the application that you want to use it with, follow the blah blah until you get to scan a QR code that you zap with your YubiKey authenticator app on your phone.
(You can also use another authenticator app, such as Google or Authy, but these apps will show you, or anyone, the 6-digit codes generated on the app just by opening it. So potentially dangerous.)
Yubi’s authenticator app will only show the codes if you have a YubiKey next to the phone (NFC contact) or plugged into the phone. This is a tad safer.
The app, like all authenticator apps, will show a 6-digit code for 30 seconds. After 30 seconds this code changes.
On the website, after you scan the QR code, it will expect you to enter the 6-digit code and hit enter, and voilà, this will then ‘tie’ the app or web site to your key and the authenticator app.
For the authenticator app to show the codes, the phone needs to be next to the key (if NFC) or have the key plugged in, depending on the model you have bought. In my case, the 5 NFC.
Two keys or more
Now where it becomes a little complicated is if you want to have two keys or more (like me). A good idea if ever you lose a key.
I bought a second key a couple of weeks later, wanting one on my key-ring with my keys and another plugged into my computer at home.
I ordered the same one, a YubiKey 5 NFC. Being naive, I thought it would just work: touch the authenticator app with the second key and it would work, it being the same key as the other one. Doh stupido… of course it didn’t.
Reading up quickly on the YubiKey site didn’t make any sense to me. So I spent some time playing around until I sussed it out.
So let’s start again
Log in to one of the sites you have already set up with the first key, Dropbox for example. Cancel the 2FA option and delete it from the YubiKey app. Then start all over again.
This time, when you get to the QR code to be scanned, scan it with the YubiKey authenticator app (as before) and save it by pressing the save button. You will also need to touch the phone again with one of the keys to save it.
Then RE SCAN it again
Rescan the QR code. This time, save it using the other key. It won’t add another login (there will still be only one instance, of Dropbox for example, in the app), but both keys will now work as they are both linked to the site. Don’t forget to validate the scanned QR with the 6-digit code shown on the app on your phone or PC.
So: scan, add it to the app, rescan, add it to the app, and validate the scanned QR with the 6-digit code being shown.
Now when you open the YubiKey authenticator app again on the phone, either key will open it and show the stored codes: FB, Dropbox etc.
Certain sites, such as Gmail and BitWarden, use these keys directly, and in the settings you can add as many as 5 or 6 keys on the site itself (Twitter only one, at least at the time of writing this post). Also, certain sites don’t even need the authenticator app when you are on your PC, relying just on the key being connected directly to the USB socket and being touched (there’s a little ‘gold touch pad’ on the key) to open the web site or app.
The authenticator app also works on a PC, in my case Arch Linux. (My previous post explains how to get the app to work in Linux.)
As above, the key just needs to be plugged into the USB socket and touched when you open the YubiKey authenticator program so that the codes are shown. The same principle as the app on your phone.
So now two keys are working
If ever you lose or break one, you have the other that can be used, giving you time to buy another. For info, they are not expensive at around 50 euros. Note that this is quite important, as some apps, like the YubiKey authenticator, CANNOT be used / opened without a key.
YubiKey U2F – 2FA protection, adding a second key. So now, with a bit of luck, you’ve added more keys.
Please don’t hesitate to leave any comments or criticism, or suggestions if you find anything wrong.