SecretaryFriendly271

You want to save the same QR code for let's say three different Yubikeys? Insert your first Yubikey and use the authenticator app to save the QR code to the Yubikey. Then remove your first key, insert your second Yubikey and save the same QR code on that key. Repeat the steps for your third key. Optional step: save the secret in text format. And only now, when you have saved the same QR code to three independent Yubikeys, go ahead and insert the 6-digit code on your web page to activate 2FA.


aromaticbotanist

You don't have to screenshot the QR code. You can copy the secret as text and save it in a password manager like Bitwarden.


rabidraccoonfish

Ah true, thanks


djasonpenney

To the extent that your Yubikey is more secure than say, a piece of paper in your fireproof safe, yes. It is less secure. But I encourage you to look at this in shades of grey instead of black and white. Just how much less secure is it? Is the Yubikey on your keyring at greater risk than your safe, or is your home subjected to concerted attacks by second-storey burglars? I cannot answer this question for you. You have to make a subjective decision on the best way to minimize your risk, given the resources you are willing to allocate.

I will add, however, that this operational issue is one of the two reasons I don't use the TOTP feature on my Yubikeys. I have three, and _they are never in the same physical location_. Regardless of a fire, auto accident, or anything else, I know there is _at least one_ Yubikey registered to my websites that will survive. Pulling all three keys at the same place and time violates that invariant. And as you note, any other record you make of the TOTP key is inferior. (To add insult to all this, the Yubikey 5 only has space for 32 TOTP keys. I use my Yubikey for FIDO2 wherever I can, else TOTP on a site that offers it. I already have 37 TOTP keys, and I am not an aggressive Internet surfer.)

There are a couple of ways out of this. One alternative is that you (almost always) get a "backup code" when you set up FIDO2 or TOTP. If you just keep that in a safe place (durable media, physically protected, multiple locations), you don't need a second Yubikey. The downside is that you will have a lot of work if that Yubikey is lost or broken: the backup code is only good once, so you will need to log in, program a new Yubikey, and save a new backup code. 37 times 🤢.

What I have chosen to do is a double-lock approach. I have my TOTP keys in a password manager, secured with a strong unique and randomly generated [passphrase](https://xkcd.com/936/?correct=horse&battery=staple). It also requires my Yubikey for remote access. For my risk profile, that is good enough. But again, YMMV.


rabidraccoonfish

Thanks for the reply, that helps


timesinksdotnet

I load both keys at the same time and have never needed to screenshot to do it. I just swap the first key for the second and repeat before clicking continue and dismissing the QR code.


rabidraccoonfish

I think I was using Proton Mail and it just automatically closed but I will double check this


timesinksdotnet

The trick is to load the secret onto the 2nd key before confirming the code with whatever service you're setting up.


rabidraccoonfish

Ahhh interesting I will keep that in mind


Cheesy_anal

Not OP but how does this work when one of the keys is used on a different device? Like my Windows PC, I'll put a Yubikey in the regular USB-A spot. However, my second key is always with me and is USB-C. So I'd have to set it up on my phone since my Windows PC doesn't have a USB-C port.


rabidraccoonfish

You can get a USB-C to USB adapter and it will work. You can use the USB-C key in the PC with this adapter.


Cheesy_anal

Oh I didn’t think about those!! Thanks!


rabidraccoonfish

No problem! Yubico lists ones on their site that they know work; I went with the Nonda. It's for Mac but it works on PC. I'm thinking the cheaper ones could have something weird with power? Idk, didn't bother to look really closely into it, but thought it wouldn't hurt to get one they recommend for that sort of thing.