There is no recovery if you have a single hardware token in use only. But that’s a structional issue with your concept.
Instead, it is recommended to have two (or more) identical Hardware Tokens to replace one that dies.
It is also smart to keep the seeds for things like 2fa in some secure backup with schizophrenic paranoia proof Security measures.
Rootiest@lemm.ee 1 year ago
Having a recovery process for the YubiKey world really just be a potential security hole.
Ideally you have a backup clone of the key in case yours is lost/broken.
Keeping a recovery seed or backup password instead would be inherently less secure as the YubiKey uses an HMAC challenge-response key for KeePass rather than a static password/key file.
A static password or key would be a better target for hackers as it would be easier to crack so having that option would lower your overall security.
Professor_Piddles@sh.itjust.works 1 year ago
Thank you for your detailed responses - I’m going to look into KeePass and maybe a Yubikey after reading your description of how it works. I hadn’t considered a Yubikey before mostly because I’m prone to lose things, but also because my encrypted file password is >12 characters and a fairly random mix of lower and uppercase letters, numbers and special characters.