Skip to content

Yubikey

Two YubiKey 5 devices for hardware 2FA — one stays at the desk, one on the keychain as backup.

YubiKey 5C NFC YubiKey 5 NFC

The two keys

Key Form factor Where it lives Primary use
Key 1 YubiKey 5C NFC (USB-C) Plugged into the PC (or nearby) Day-to-day logins — Cloudflare, Bitwarden, Windows Hello
Key 2 YubiKey 5 NFC Keychain Backup when Key 1 is unavailable; NFC tap on phone

Both keys should be registered everywhere critical so losing one key does not lock you out. PINs and recovery codes live in Vaultwarden — not in SaxDocs.

Where each key is used

Cloudflare 2FA

  • dash.cloudflare.com requires the Yubikey at login — see Cloudflare
  • Register both keys under Cloudflare account security settings
  • Backup codes: store in Vaultwarden

Bitwarden (Vaultwarden)

  • Master vault unlock and 2FA for Bitwarden can use FIDO2 / security key
  • Register both keys in Bitwarden account settings at vault.saxobroko.com
  • If the desk key is unplugged, use the keychain key + NFC on phone

Other services

Add other sites that require these keys — GitHub, Google, etc.

Backup key policy

  • Keychain key is the backup for day-to-day; keep it on you when traveling
  • Desk key is convenience — do not travel with only the desk key registered
  • If one key is lost: revoke it in Cloudflare / Bitwarden / every service immediately, then register a replacement
  • YubiKey PIN: required on each use; too many wrong PINs can block the key — recovery details in Vaultwarden

How to use when authenticating

Windows

  1. A popup asks you to insert Security Key or enter the PIN
  2. If the security key is not inserted, insert it (USB-C desk key)
  3. Enter the PIN
  4. Touch the gold circle
  5. You should be authenticated

iOS

  1. A popup asks you to hold the phone near the security key
  2. Enter the PIN
  3. Tap the keychain key (NFC) to the back of the phone
  4. You should be authenticated