Hardware tokens are an important part of your digital identity within the online world, a physical embodiment of your access to services, data, money, and communications. Depending on how you're using your YubiKey, it might be the only thing standing in the way of someone who is attempting to access your machine and your online identity.
Best practices for YubiKey management can be difficult, especially if you’re traveling regularly. Keeping your services secure, while also retaining emergency access if you need it, can be challenging. Here are some of our tips for managing the balance between security and flexibility when traveling.
Backups, backups, backups…
Having multiple YubiKeys is essential
YubiKeys, and hardware keys in general, present a novel problem for online security. Access to an account or service is only as secure as its weakest factor, so the benefit of a hardware-bound passkey is at least partially negated if you also register TOTP or email verification alongside your YubiKey as an alternative second factor. For this reason, many services will only allow a single form of 2FA.
However, maintaining a single YubiKey as your only authentication method leaves you exposed to the very real risk of being entirely locked out of an essential account if you were to lose or damage your YubiKey and it becomes unusable.
There are a couple of ways around this, but the fundamental best practice is to register more than one YubiKey with each of your services. You should have at least one backup key that stays at home while you are traveling, ideally in a lockbox or safe of some kind. Also consider leaving a third key in an office or with a trusted family member. You may also want to include hard copies of recovery codes as part of this backup plan.
Backup your TOTP seeds
While having a backup of your YubiKey is important for FIDO2, it is equally important to back up your TOTP seeds, especially if they're only stored on your YubiKey. There are several ways to do this. For example:
- You could store your TOTP codes and seeds in your password manager, and secure that with your YubiKey.
- You could store your TOTP seeds on your YubiKey, and back them up elsewhere (e.g. on a USB drive kept securely at home).
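A backup of a TOTP seed is only useful if it actually reproduces the codes your key generates, so it is worth checking before you leave. The example below is added here and is not code from the original post or from Yubico: it is a plain RFC 6238 implementation that takes a seed from your backup (in the base32 form authenticator apps and ykman accept), computes the current code, and compares it with the code the live token shows, allowing one time step of clock skew. The seed used in the test is the RFC 6238 test-vector secret, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def totp(secret: bytes, for_time: Optional[int] = None, step: int = 30,
         digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 6238 TOTP computed from a raw seed.

    Used to confirm that a backed-up seed yields the same code the YubiKey
    (or an authenticator app) currently displays.
    """
    if for_time is None:
        for_time = int(time.time())
    counter = for_time // step                      # time-step counter T
    msg = struct.pack(">Q", counter)                # 8-byte big-endian counter
    mac = hmac.new(secret, msg, digest).digest()
    offset = mac[-1] & 0x0F                         # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def seed_to_base32(secret: bytes) -> str:
    """Encode a raw seed as unpadded base32, the form most tools import."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def seed_from_base32(text: str) -> bytes:
    """Decode a base32 seed copied from a backup; tolerates spaces, case, no padding."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_backup(backup_b32: str, observed_code: str, now: Optional[int] = None,
                  step: int = 30, window: int = 1) -> bool:
    """Return True if the code shown by the live token matches the backup seed
    at `now`, tolerating +/- `window` time steps of clock skew between devices."""
    if now is None:
        now = int(time.time())
    secret = seed_from_base32(backup_b32)
    return any(totp(secret, now + k * step, step) == observed_code
               for k in range(-window, window + 1))


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 test secret; at T=59 it yields 287082.
    demo_seed = seed_to_base32(b"12345678901234567890")
    print(demo_seed, totp(b"12345678901234567890", 59))
    print("backup matches:", verify_backup(demo_seed, "287082", 59))
```

To use it on a real backup, run `verify_backup("<base32 seed from backup>", "<code currently shown>")`; a False result means the stored seed (or its base32 transcription) is wrong and the backup would not have saved you.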
Ensure your backups aren't self-reliant
One classic mistake to make when backing up your tokens, seeds, backup codes, or passwords is to store them somewhere that relies on your YubiKey to access it. For example, don't store your backup codes in Google Drive, the password for which is kept in a password manager secured by your YubiKey.
It can be a good exercise to periodically open a private window (so you're not logged into any accounts) and then test access to your backups and services without using your YubiKey (or your phone authenticator). This is a disaster-recovery drill, and a great way to make sure you haven't unintentionally created self-referencing loops in your backups.
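The drill above can be reasoned about on paper before you try it for real. The following is an added example, not code from the original post: it models your recovery chain as a map from each credential or location to the alternative ways of reaching it, then computes what is still reachable once a given item is lost and which items are single points of failure. The two maps are constructed to mirror the Google Drive anti-pattern described above and one way of breaking the loop (a second unlock path for the password manager and a copy of the codes that does not sit behind the YubiKey).

```python
from typing import Dict, List, Set

# For each item, a list of alternative "ways" to reach it; each way is the set of
# items you must already hold. Items not listed are roots you either hold or not.
RecoveryMap = Dict[str, List[Set[str]]]

# Constructed example of the anti-pattern: backup codes in Google Drive, whose
# password lives in a password manager that is itself unlocked with the YubiKey.
LOOPED: RecoveryMap = {
    "backup_codes": [{"google_drive"}],
    "google_drive": [{"google_password", "yubikey"}],
    "google_password": [{"password_manager"}],
    "password_manager": [{"master_password", "yubikey"}],
}

# Constructed hardened variant: the vault can also be opened with a phone
# authenticator, and the codes are kept in the vault rather than only in Drive.
HARDENED: RecoveryMap = {
    "backup_codes": [{"google_drive"}, {"password_manager"}],
    "google_drive": [{"google_password", "yubikey"}],
    "google_password": [{"password_manager"}],
    "password_manager": [{"master_password", "yubikey"},
                         {"master_password", "phone_authenticator"}],
}


def reachable(recovery: RecoveryMap, possessed: Set[str], lost: Set[str]) -> Set[str]:
    """Fixed-point closure: an item becomes reachable once every requirement of
    at least one of its ways is reachable. Anything in `lost` never is."""
    have = set(possessed) - lost
    changed = True
    while changed:
        changed = False
        for item, ways in recovery.items():
            if item in have or item in lost:
                continue
            if any(req <= have for req in ways):
                have.add(item)
                changed = True
    return have


def unrecoverable(recovery: RecoveryMap, possessed: Set[str],
                  lost: Set[str], targets: Set[str]) -> Set[str]:
    """Targets you can no longer reach after losing `lost`."""
    have = reachable(recovery, possessed, lost)
    return {t for t in targets if t not in have}


def single_points_of_failure(recovery: RecoveryMap, possessed: Set[str],
                             targets: Set[str]) -> Set[str]:
    """Held items whose loss alone makes some target unrecoverable."""
    return {item for item in possessed
            if unrecoverable(recovery, possessed, {item}, targets)}


if __name__ == "__main__":
    held = {"master_password", "yubikey", "phone_authenticator"}
    print("looped, lost yubikey:", unrecoverable(LOOPED, held, {"yubikey"}, {"backup_codes"}))
    print("looped SPOFs:", single_points_of_failure(LOOPED, held, {"backup_codes"}))
    print("hardened SPOFs:", single_points_of_failure(HARDENED, held, {"backup_codes"}))
```

Note what the hardened map still reports: the memorised master password remains a single point of failure, which is exactly the kind of dependency the drill is meant to surface before you rely on it abroad.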
Set a PIN on your YubiKey
Add an extra layer of security to FIDO2/U2F on your key
One essential step you should take on all your YubiKeys, especially on keys that you'll be taking on the road, is to set a FIDO2/U2F PIN. This PIN will be required to register with or authenticate to any FIDO2/U2F service using your key.
You can set a separate PIN for each authentication method in the YubiKey Manager app. Be sure the PIN is a number you will remember, as you'll need to completely reset your key to clear it.
We'd recommend setting a PIN separately for both the FIDO2 and OTP authentication methods.
How to carry your YubiKey
Traveling presents a unique problem for carrying your YubiKey
I have several YubiKeys, and they tend to live in one of a few places, depending on their use. They are typically either in a machine permanently (whether laptop or desktop) or on my key ring. The first method works fine for traveling with a laptop. I keep my nano key on my laptop while traveling and it works great. However, the second method isn't ideal because you might not be carrying your keys while traveling, so alternative options might be needed.
YubiKeys are extremely durable, so don't be afraid to wear one as a dog-tag or keep it in your clothing. Ideally, you want to keep your key somewhere out of sight and on your person, where it will be secure. You shouldn't need to worry about x-rays or security checks for your YubiKey either, and there is no concern about getting it wet (YubiKeys have no battery). If it does get wet, just allow the key to dry properly before inserting it into a machine.
Consider removing your keys from devices while traveling
I'll now proceed to immediately contradict myself. You might want to consider removing your key from devices while actively traveling, and storing it away from your main laptop/device. This makes it far less likely that security personnel can force you to unlock your YubiKey, and, in the more likely scenario of loss or theft, storing the two separately means you won't lose both at once. Your laptop, tablet, or phone are easy, high-value targets for thieves; if your hardware key disappears at the same time, an unfortunate incident becomes far more difficult to navigate. For this reason, we'd suggest storing your key elsewhere in your bag (or on your person) while actively traveling.
Don't lock your devices with a YubiKey
This one is a personal preference, but I would steer away from locking devices with a YubiKey while traveling. If you do decide to lock down access to your devices to require a second (or even single factor) authentication, ensure that you also have your backup codes or recovery data available and secured.
Understand and follow best practices to keep yourself safe while traveling
Traveling with your YubiKey can be intimidating, and can quickly devolve into a nightmare if the worst were to happen. But by following some basic best practices, and ensuring you've adequately secured copies of your important data, you can protect yourself and have some peace of mind.
All of this can sound a bit extreme, but it really comes down to having effective strategies for backing up and accessing your data. Depending on your threat profile, this can mean different things (e.g. a secure password manager, secured TOTP on your key, etc.), but what's truly important is being able to recover access to your accounts from abroad in case of an emergency. The last thing you want is to lose access to tickets, money, or communications while in an unfamiliar country!
