January 19, 2021

Question: when I use a YubiKey but keep an authenticator app for the same service, is it still more secure?

I am considering using a YubiKey. For example, 1Password recommends it:

https://support.1password.com/security-key/

However, when reading that, it basically says I need to have an authenticator app and can use a YubiKey “on top” of that:

> **If you lose access to your security key**
> If you lose access to your security key, you can still sign in to your 1Password account:
> When you’re asked for your security key, click Cancel. Then click “Use your authenticator app instead” and enter a six-digit authentication code from your authenticator app.

Or, similarly, for Fastmail:

https://www.fastmail.com/help/account/2fa.html

> **Why do I have to add a recovery phone number to set up two-step verification?**
> (…) Requiring a phone as a backup option balances security (no one else can read your data) and availability (you can read your data). For most users, the risk of losing their two-step verification device is far greater than the risk of someone hacking their SMS.

(To be fair, Fastmail allows you to remove your phone number and just use the YubiKey.)

So, if I use these services as recommended, basically I can authenticate to them using the YubiKey, but *also using a code from the authenticator code or SMS*.

So how does that improve my security? Any hacker who steals my credentials can just go to 1Password or Fastmail, use them, then select the authenticator app/SMS option and completely bypass the YubiKey, right?
