With the rise of 2FA (two-factor authentication), we’re seeing more and more people wanting to use physical security keys, or Yubikeys as they’re commonly called.
Since Yubikeys are so new to most people, they may wonder whether one key can be used for multiple online accounts. They may also be told that they need two Yubikeys, and that can get confusing.
In this post, we’ll go over all this and more.
What Is A Yubikey?
A Yubikey is a small physical device used to prove who you are to a website or service.
A Yubikey can be a second factor, the thing you enter after your password when logging in. Some websites do this with a text or email code, but if you have a Yubikey and the website supports it, you can use a Yubikey instead of a text message or an email.
Yubikeys can also replace passwords altogether, giving you a passwordless login through the WebAuthn standard.
Think of a Yubikey like a house key. It’s small enough to fit on your keychain and looks like a USB thumb drive.
Can You Use A Yubikey For Multiple Accounts?
A Yubikey can be used for an unlimited number of accounts if you’re using WebAuthn. The same goes for U2F: there is no account limit.
If you’re using your Yubikey for TOTP, it can only hold 32 accounts.
What Is WebAuthn?
WebAuthn (also known as FIDO Alliance) is a new standard for authentication that allows users to log in to websites and applications using a security key.
It’s designed to be more secure than traditional username and password login, and it’s already supported by major browsers like Chrome, Firefox, and Edge.
It’s basically a bunch of companies coming together to agree on a standard of logging in with physical security keys.
What Is TOTP?
TOTP, or Time-Based One-Time Passwords, is another form of 2FA.
The current universal time and a secret (basically a random password) are combined to create a 6-digit code. Since both you and the server know the secret and use the same universal time, you both arrive at the same 6 digits, which proves you’re the right person.
TOTP codes change every 30 seconds, which is good for security because a code expires almost as soon as it is used.
TOTP and WebAuthn can both be used for 2FA, but they work very differently, and WebAuthn is vastly more secure.
Why Is There No Limit On WebAuthn, Unlike TOTP?
A Yubikey, and every security key that supports TOTP, has a limit on how many accounts it can store on one key.
This limit comes from the storage capacity of the key and from how TOTP works.
When you set up TOTP 2FA, the service gives you a secret key, a randomly generated password that both you and the server know. That secret key is combined with the current universal time, and some math turns the two into the 6-digit code.
For TOTP to work, the secret key needs to be stored somewhere, and these small keys only have so much storage. So security keys are limited in how many TOTP 2FA secrets they can store.
WebAuthn is different in that it uses public and private keys. Let’s go over how WebAuthn works next.
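To make the secret-plus-time arithmetic from the TOTP sections concrete, here is an added Go example (not code from this post or from Yubico) that computes RFC 6238 codes with the defaults most sites use and shows the server-side check with a small clock-drift window. The secret is the RFC’s published test key, not a real credential.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// TOTP implements RFC 6238 with the usual defaults (HMAC-SHA1, 30-second
// window, 6 digits). The security key and the server both run exactly this
// over the same shared secret and the same clock, which is why they agree.
func TOTP(secret []byte, unixTime int64) string {
	counter := uint64(unixTime / 30) // index of the current 30-second window
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	// Dynamic truncation (RFC 4226): the low nibble of the last byte picks
	// 4 bytes out of the 20-byte HMAC; the top bit is cleared.
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// VerifyTOTP is the server-side check. It also accepts the codes for the
// previous and next window, so a few seconds of clock drift (or typing the
// code just as it rolls over) does not lock the user out. The comparison is
// constant-time so the check leaks nothing about the expected code.
func VerifyTOTP(secret []byte, candidate string, now int64) bool {
	for _, skew := range []int64{-30, 0, 30} {
		want := []byte(TOTP(secret, now+skew))
		if hmac.Equal(want, []byte(candidate)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed demo secret (the RFC 6238 test key), not a real credential.
	secret := []byte("12345678901234567890")
	fmt.Println("code for this 30-second window:", TOTP(secret, time.Now().Unix()))
}
```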
How WebAuthn Works
The reason you can have unlimited WebAuthn accounts on your Yubikey is that nothing is added to the key for each account.
Inside your Yubikey is a private key that never leaves the device; that is what makes it so secure. There is also a public key, which does leave the device and which you can freely share with anyone.
Think of the public key as an open padlock, of which you have an infinite supply, and the private key as the one key that opens all of those padlocks; that key never leaves your device.
When you register your Yubikey with a website, you only give them a public key. So the only party storing anything is the website, not you, and there is no storage concern on the user’s side.
When you try to log in, the website sends you a challenge based on your public key. To keep the explanation simple, say the challenge is a number; they take your public key, which is also a number, and multiply the two.
When you receive the challenge, the server expects the correct response, the right answer to the math problem, and you can only produce that answer if you hold the correct private key. The public key is derived from the private key, and the math lets you prove you’re the right person, because only the holder of the private key can give the correct answer.
Why Is WebAuthn More Secure Than TOTP?
WebAuthn is more secure than TOTP because the only thing you’re giving the server is a public key.
You can give the public key to anyone; it’s no worse than handing a bunch of people an unlocked padlock. They can lock a message inside a box, but they can’t unlock it. Only the person with the key (the private key) can open the boxes.
WebAuthn is even more involved than the description above. The website’s URL is also mixed into the process to better protect people from phishing attacks.
This also means every service gets a different public key, so one service getting hacked won’t link you to other services where you used that Yubikey.
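The challenge-and-response from “How WebAuthn Works” and the per-site key and URL binding just described, as an added Go example that is not code from this post or from Yubico: it uses real ECDSA P-256 signatures (WebAuthn’s ES256) instead of the multiplication simplification, and hashes the site’s domain into the signed data the way WebAuthn’s rpIdHash does. The Authenticator type, the domain names and the challenge bytes are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the security key: one private key per site, never exported.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// Register makes a fresh P-256 key pair for rpID (the site's domain) and
// hands back only the public half, so every site gets its own key.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if a.keys == nil {
		a.keys = map[string]*ecdsa.PrivateKey{}
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}
// signedData is what actually gets signed: SHA-256(rpID) followed by the
// challenge (like WebAuthn's rpIdHash), so an answer for one domain never verifies on another.
func signedData(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	digest := sha256.Sum256(append(rpHash[:], challenge...))
	return digest[:]
}
// Answer signs the server's challenge with the key held for rpID.
func (a *Authenticator) Answer(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential for %q", rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge))
}
// Verify is the server side; it needs nothing but the stored public key.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(rpID, challenge), sig)
}
func main() { // constructed walk-through: register once, then answer one login challenge
	var auth Authenticator
	pub, _ := auth.Register("example.com")
	sig, _ := auth.Answer("example.com", []byte("constructed server challenge"))
	fmt.Println("server accepts:", Verify(pub, "example.com", []byte("constructed server challenge"), sig))
}
```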
Why Do You Need Two Security Keys?
Yubikeys and WebAuthn are a huge improvement to security, but they do have drawbacks.
One drawback is that you need two keys or two devices.
Windows, Mac, Android and iOS are joining the standard, so many phones and computers can act as the main device, but you should still get a backup.
If the service you’re using doesn’t have a recovery option, and you don’t have a backup security key, you could be locked out.
Recovery brings up another problem with WebAuthn.
WebAuthn is super secure, but if the recovery process is too weak, it won’t matter how secure WebAuthn is, because an attacker can simply go around it. People goof up all the time, so services need a recovery process; it’s a balancing act.
The private key in a security key doesn’t leave the device, and the makers of security keys don’t want it to. A buried, nonrecoverable private key is a feature, but it’s a negative for backups. If you could export your private key to paper, you could get a new key, import the old key, and be back to normal. But if exporting the key were easy, it would be just as easy for thieves to do the same.
The only good solution is to have multiple security keys for backup.