Backup, restore and U2F?

Can I use the backup and restore feature so that I can keep a physical onlykey backup copy, that I can still use for MFA with U2F? I haven’t used the backup/restore features yet and would like to have a physical backup that I can continue to use for MFA/U2F setups I have with my primary key, in case it gets lost or destroyed. I’ve been using my onlykey for a few years now, and it is awesome!

I think U2F would continue to work from a backup/restore on another physical onlykey, but am curious if I should update to latest firmware or anything before backing up and testing a restore on another key? I wanted to ask first before purchasing another one and attempting

You would follow instructions here to upgrade firmware - OnlyKey User's Guide | Docs

If you have firmware v0.2-beta.6 or earlier you would have to reregister U2F after upgrading. Backup devices will work for U2F.

@t11 Sorry I’m slow doing that and am working the nerve up to actually do this now. So when you say that I’d have to re-register U2F after upgrading, are you saying that my first key, which is on OnlyKey v0.2-beta.8c currently, that if I upgrade the firmware on it, that I’d then have to re-register it with every site and application it’s tied to currently?

What I’m trying to do is to in effect clone the U2F from my first onlykey over to this backup onlykey so that they are the same and that I can stick the backup in a safe.

I think I’m OK in upgrading the firmware on my original device, since it’s on OnlyKey v0.2-beta.8c and that I would not have to re-register U2F everywhere?

So when you say that I’d have to re-register U2F after upgrading, are you saying that my first key, which is on OnlyKey v0.2-beta.8c currently, that if I upgrade the firmware on it, that I’d then have to re-register it with every site and application it’s tied to currently?

Re-registering is required if you have firmware v0.2-beta.6 or earlier. Since you have v0.2-beta.8 you would just need to follow the upgrade guide which says you will need to do a backup before upgrading, upgrade firmware, then restore your backup - Upgrade Guide | Docs

Thanks @t11 for confirmation. I appreciate the help. I’ve taken a backup of primary OnlyKey, upgraded firmware successfully to latest OnlyKey v3.0.2-prodc on both physical keys, took an additional backup of my primary after firmware upgrade and restored this backup to my secondary OnlyKey, however in testing what I think is a duplicate/cloned OnlyKey and in testing it works with sites (like AWS), it doesn’t work with the backup OnlyKey.

Is there something I should check or dig on further to get this to work? I am currently testing from Windows 10 and am getting a Windows Security prompt - This security key doesn’t look familiar. Please try a different one. I’ve tried from FF, Chrome and Edge, all are the same.

Happy to dig through cli commands or troubleshoot further, just unsure what to do or try next here. Thanks!

It’s meant to be used in a primary and backup scenario so you shouldn’t use both keys one right after the other or things could get out of sync. One key after being connected to the OnlyKey app can be used to log in and then that key is the primary.

My goal is to copy my primary onlykey I use for MFA on hundreds of things with the button tap when prompted from websites. I want to clone that functionality to the second onlykey I purchased via a backup=>restore, and be able to use the secondary onlykey for those U2F MFA prompts in case my first one is lost, stolen or destroyed. I want to clone the U2F MFA features and stick one in a physical safe in case I lose the primary one. I’d like to be able use either one for these U2F MFA prompts.

The steps I attempted were using 1 onlykey at a time. After restore to secondary key, I had it and only it connected to the onlykey app and tried to sign into an aws account, which web browser wise it didn’t recognize the secondary onlykey I had restored to during the U2F/MFA prompt and the secondary onlykey was blinking blue.

Should what I’m attempting to do be possible?

The way U2F works is there is a counter on the device that the website checks. If you switch back and forth between primary/backup the counter on one of the devices will be off so this isn’t recommended. If you want to regularly switch between your devices you just need to register both of them on your U2F/FIDO2 accounts. You would have two security keys registered to each account.
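A simplified model of the counter check described in the reply above, added here as an illustration; it is not code from the OnlyKey firmware, the OnlyKey app, or any website. The `Authenticator` and `RelyingParty` classes are hypothetical, and the model assumes that a restored clone resumes from the counter value captured in the backup and that the site rejects any counter that does not increase.

```python
import struct


class Authenticator:
    """Toy U2F token. Clones share one credential but count independently."""

    def __init__(self, counter=0):
        self.counter = counter

    def sign(self):
        # A real token also signs the challenge; only the counter matters here.
        self.counter += 1
        # U2F authentication response starts with: presence byte, 4-byte big-endian counter
        return struct.pack(">BI", 0x01, self.counter)

    def backup(self):
        # Assumption: the restored clone starts from the counter stored in the backup.
        return Authenticator(self.counter)


class RelyingParty:
    """Website side: remembers the last counter seen for the credential."""

    def __init__(self):
        self.last_counter = 0

    def verify(self, response):
        presence, counter = struct.unpack(">BI", response[:5])
        if not presence & 0x01:
            return False          # no user presence (button tap)
        if counter <= self.last_counter:
            return False          # stale counter: treated as a possible clone
        self.last_counter = counter
        return True


def simulate():
    """Constructed scenario: back up, keep using the primary, then try the spare."""
    site, primary, log = RelyingParty(), Authenticator(), []
    log.append(("primary", site.verify(primary.sign())))      # counter 1
    spare = primary.backup()                                   # clone taken at counter 1
    for _ in range(3):
        log.append(("primary", site.verify(primary.sign())))  # counters 2, 3, 4
    for _ in range(4):
        log.append(("spare", site.verify(spare.sign())))      # 2, 3, 4 stale; 5 accepted
    log.append(("primary", site.verify(primary.sign())))      # 5 again: now stale
    return log


if __name__ == "__main__":
    for device, accepted in simulate():
        print(f"{device:8s} accepted={accepted}")
```

In this model the spare is rejected until its own counter passes the last value the site recorded, and once it does, the primary becomes the stale device.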

@t11 Thanks for explaining that, I think I follow. So in the scenario a website only lets me use 1 security key per account, and say my primary onlykey is destroyed or lost. Is there any way to either sync the counter on the secondary device or somehow use it with the given website?

You’re saying to not switch between/back and forth using them, which isn’t really my plan other than testing restore worked. How exactly does that switching happen for the counters? Is it just a function of the restore process?

I’m mostly trying to cover myself with the second physical key in case the primary one I use is destroyed, so that I can continue accessing sites without having to swap/re-register the secondary key again across numerous websites. Is that possible to achieve, and if so, how?

I mainly just want a duplicate key I keep in a safe for break-glass emergency use if my primary one stops working or is destroyed, without the burden of having to re-register it across hundreds of sites and accounts. I’m not looking to regularly try to use both of these keys with 1 website.