Explain the process of Yubikey backup?
I bought a YubiKey 5 NFC this week and have started using 2FA and U2F where I can but am deathly allergic to the idea of losing access.
For backing up U2F access I'm going to buy a second U2F token (probably a YubiKey depending upon the answer to this question) and register it to all my services. But I am not sure how to back up all of my YubiKey-backed TOTP-based authentication codes. I have the recovery codes for all of these services, but I would like to have a second TOTP generating mechanism.
I have read that YubiKey-backed TOTP is phone-independent in an article titled YubiKey for SSH, Login, 2FA, GPG and Git Signing:
One very nice (and unclear, at first) advantage of having a YubiKey seeded with 2FA codes is that we can now generate 2FA codes on any phone, as long as we have our YubiKey with us.
I already had to remote-lock and remote-erase a phone in the past, and losing the Google Authenticator settings is not fun. If you handle your YubiKey with care, you shouldn't have that problem anymore.
But I am unsure how this would work. Furthermore, that is the case if I lose the phone, but not the YubiKey.
So my question is two-fold:
How do I ensure I can use the same TOTP tokens if I lose my phone? That is to say, if I have a YubiKey seeded with TOTP authentication for n services, would simply installing Yubico Authenticator on a new phone and then tapping the YubiKey to the new phone's NFC antenna generate the same TOTP tokens? If not, how would I access them on the new phone?
How can I ensure back up TOTP authentication with a second YubiKey in case I lose my first YubiKey? That is to say, it is easy to register a second YubiKey in, say, GitHub, by simply going to the two-factor authentication management screen and clicking Register New Device, but there is no clear way to register a second authenticator app, which is how I registered the TOTP passwords for the YubiKey. I have read on the Yubico website that "if you backup the secret (or QR code) at the time of programming, you can later program the same secret onto a second YubiKey and it will work identically as the first." Can this be done at the time of 2FA registration in the Yubico Authenticator app? That is to say, I register two YubiKey's with the same 2FA QR code simultaneously?
While anyone using a OTP token should allow you to configure more than one token source (at least two so you can have a secured yubikey backup), not all do. If all of your places will let you enroll two authenticator apps, then just enroll one on each YubiKey (I'd recommend sticking with a 5 for the backup as well, so you can use FIDO2 on sites that support it -- also every site supporting FIDO/FIDO2 will allow multiple tokens to enroll).
For the sites that don't let you enroll a second token I'll take a different approach. I've been using the LastPass Authenticator app to store my TOTP codes. The bonus for using LastPass Authenticator is that the TOTP secrets are stored in your LastPass vault (so if you lose a phone/computer you can still recover). And LastPass will allow you to secure your account with YubiKeys, you can enroll in several of them. So you launch the LastPass authenticator and perform your 2FA on it (password plus YubiKey), then use the TOTP right there to auth to the web site.
If you are using the YubiKey NFC and your phone supports NFC, then you can still use this in virtually the same way as the Yubi Authenticator. The difference is that the secret keys are stored in your LastPass vault and the Yubi-OTP (from either key) is used to unlock that; as opposed to all the secret keys being loaded onto individual Yubi sticks.