Security Keys - which one and how to back them up?

Hello everyone, I am looking for a suitable security key with which I can additionally secure my PW Manager. My threat model doesn’t need this, but better safe than sorry.

Which key (YubiKey?) would be suitable for this? I don’t want to log in anywhere without a password; the key only comes into question for the above purpose.
In addition, there is the question of how exactly to make a backup key of it. Wouldn’t a copy of the key compromise security?

Thank you for your opinions and tips in this regard.

I often see YubiKey security keys recommended, and NitroKey as a second choice. Generally, I see that YubiKey is more commonly recommended.

The one you might choose depends on your devices. If you have a PC with a USB-C port (in addition to the charging one) and don’t have an iPad, one with USB-C and NFC is fine.

There are various scenarios where a YubiKey with USB-A or C is more suitable, but it depends on the person. I would recommend taking YubiKey’s official test, which helps determine the best option for you.

It asks questions like which devices you have, whether you’ll use it for a business, if you need one with fingerprint recognition, etc.

Regarding which one to get, if you have a normal threat model and don’t need it for work, I wouldn’t go beyond their YubiKey 5 NFC models.

They practically have everything a regular person might want compared to the basic version, such as the ability to use it with the Yubico Authenticator app and much broader support for more security protocols.

The guide from Privacy Guides says that the basic Security Key supports most password managers, but I don’t know if it specifically works with KeePassDX/XC and Proton Pass.

From Yubico’s website, there’s a table comparing the various keys, and they say Bitwarden Premium supports them (both the Security Key and YubiKey models).

If you only want to use it for password managers and not for logins, the basic Security Key should be fine, but it depends on which password manager you use.

It’s worth noting that the firmware of YubiKeys (all models) cannot be updated, so if a vulnerability is discovered, the only solution is to buy a new one.

However, for 99% of people, this isn’t a problem as they don’t have such a high threat model.

If you really want to, you can stay updated on any vulnerabilities, but YubiKeys are very strong anyway, and very few people need to worry about them being cracked.

For those with a high threat model, it would already be worth considering buying a new one. NitroKey, on the other hand, can be updated.

For a more detailed description, in addition to the Privacy Guides article, I would also recommend a video by Naomi Brockwell that specifically talks about Yubico keys, the differences, and various tips.

Regarding backing up the key, the solution is simply to get two.

Even if you’re not an international target who might want to steal your YubiKey, there’s still a risk of losing it or having it stolen if it’s, for example, in a bag.

If you lose your YubiKey, you would be locked out of many accounts, which is why it’s strongly recommended to get two and always register both.

That said, if you don’t need it and it’s just a passing whim from watching YouTubers saying you need to have it, ask yourself if you really need it and if you would actually use it.

I got two myself last year and have really never used them because passkeys and authentication apps are more convenient and still quite secure for my threat model.


It depends which password manager you’re using and how you’re securing it. I assume all recommended cloud-based password managers support FIDO2 passkeys which are the most secure form of 2FA and all recommended security keys could be used for that purpose. But if you want to use KeePassXC or TOTP, you’re stuck with YubiKey. As @Moc pointed out, which specific model you should buy depends on what devices you have and how you want to use it, take the Yubico quiz to help decide.

You cannot back up YubiKey passkeys; instead you have to create multiple forms of authentication. For convenience, it’s recommended to buy at least 2-3 security keys and add them to all your accounts, ideally storing at least one of them in an off-site location. If that’s too expensive for you, most services will allow you to use both passkeys and TOTP authentication.

You can use the passkeys as your primary 2FA method and store the TOTP seeds in a VeraCrypt vault on flash drives or SD cards, which would be cheaper than buying more keys. Some devices (I believe most modern smartphones?) should be able to store passkeys themselves, which adds more redundancy and convenience.


Which password manager? Proton Pass still requires TOTP to be enabled before you can add a security key. It doesn’t make sense, but I feel companies are internally making the decision to save them the headaches when someone loses access to their account.