A worn-out USB Type-A security key (a Feitian ePass) lying next to a newer YubiKey USB Type-C model still in its packaging. 🅭

The trouble with decommissioning a used FIDO security key

Five years ago, I wrote about adopting security keys — small second-factor authentication token devices — to secure some of my most precious online accounts. In that article, I foresaw a future problem and detailed how I planned to mitigate it. The future is now, and I did not heed my own advice. 🤦‍♂️

My advice to others and myself from five years ago:

You should maintain a record of which security keys you register on which websites. If you lose or want to decommission a key, you’ll need this record to know where you need to log in and replace the key.

In the intervening years, I’ve worn out the security key I always keep with me on my key chain. Over the last five years, the gold plating on the contact pins has worn off, and the copper alloy underneath has corroded. The key is still functional, but it requires some hefty jiggling after insertion before it works. It’s time to replace it.

The failing security key was a budget ePass model from Feitian. My other Feitian security key, the MultiPass with Bluetooth, was recalled due to security problems. I bought a key from the — at the time — relatively unknown Feitian instead of the more well-known Yubico. Yubico prices their YubiKey products with a hefty market-leading premium, so they could really use some more competition.

In my experience, Yubico’s keys don’t corrode as easily, though. Therefore, I bought a YubiKey 5C NFC to replace the worn-out Feitian key. This new security key is my first USB Type-C key. All my devices have Type-C connectors now, and it’s time to say goodbye to Type-A.

The problem I have now, which I foresaw five years ago, is that I can never throw away my old key. I’ve logged in and replaced it everywhere I remember adding it, but I’m sure there are plenty more that I’ve forgotten.

Many services have neither let me add multiple keys nor allowed me to remove my key once it was added. Essentially, the hardware I now want to decommission is the only way to log in to these services.

These services haven’t done a particularly good job of implementing two-factor authentication. Nothing in the FIDO/WebAuthn specifications prevents websites from letting users register multiple security keys to their accounts, or from letting them remove a key again; each registration is just another credential tied to the account. For end users, it’s best practice to always register at least two different keys with each service. Then, you’ll have a backup if you lose your primary key, and you can retire a key without ever being locked out.

I intended this article to serve as a reminder: security keys don’t last forever! Plan for when you need to decommission them, especially when using the same key for multiple services across the web. Keep a list of where you register your keys!
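The record the two previous paragraphs ask for is more useful if it also answers two questions: which services are still tied to the key being retired, and which services have only one key registered (no backup). The following is an added example, not the author's own list or code. The service names, key labels and per-service capabilities (whether a site lets you enroll several keys or remove one) are constructed sample data; the planner just applies the rules described in the article to them.

```python
"""Inventory of which FIDO security key is registered on which service,
plus a planner for decommissioning one key. Added example; the services
and key labels are constructed, not the author's real accounts."""
from __future__ import annotations

from dataclasses import dataclass, field

# Actions the planner can recommend per service.
REMOVE_OLD = "remove old key"
ADD_NEW_THEN_REMOVE_OLD = "register new key, then remove old key"
REMOVE_OLD_THEN_ADD_NEW = ("remove old key, then register new key "
                           "(rely on another second factor in between)")
UNREVOCABLE = ("old key cannot be removed: it stays a valid login credential, "
               "so destroy it rather than discard it")
STUCK = "stuck: single key, not removable; keep old key or contact support"


@dataclass
class Registration:
    """One account on one service and the security keys enrolled on it."""
    service: str
    keys: set[str] = field(default_factory=set)
    allows_multiple_keys: bool = True   # can more than one key be enrolled?
    allows_key_removal: bool = True     # can an enrolled key be removed?


class KeyInventory:
    def __init__(self) -> None:
        self._regs: dict[str, Registration] = {}

    def add(self, service: str, key: str, *, allows_multiple_keys: bool = True,
            allows_key_removal: bool = True) -> None:
        """Record that `key` is enrolled on `service`. The capability flags
        are taken from the first call for a given service."""
        reg = self._regs.setdefault(
            service, Registration(service, set(), allows_multiple_keys,
                                  allows_key_removal))
        if reg.keys and key not in reg.keys and not reg.allows_multiple_keys:
            raise ValueError(f"{service} only accepts a single key")
        reg.keys.add(key)

    def services_using(self, key: str) -> list[str]:
        """Every service where `key` is still a valid way to log in."""
        return sorted(s for s, r in self._regs.items() if key in r.keys)

    def without_backup(self) -> list[str]:
        """Services where losing the single enrolled key means lockout."""
        return sorted(s for s, r in self._regs.items() if len(r.keys) == 1)

    def decommission_plan(self, old_key: str, new_key: str) -> dict[str, str]:
        """What to do, per service, to retire `old_key` in favour of `new_key`."""
        plan: dict[str, str] = {}
        for service in self.services_using(old_key):
            reg = self._regs[service]
            if new_key in reg.keys:
                plan[service] = REMOVE_OLD if reg.allows_key_removal else UNREVOCABLE
            elif reg.allows_multiple_keys:
                plan[service] = ADD_NEW_THEN_REMOVE_OLD
            elif reg.allows_key_removal:
                plan[service] = REMOVE_OLD_THEN_ADD_NEW
            else:
                plan[service] = STUCK
        return plan


def sample_inventory() -> KeyInventory:
    """Constructed sample data mirroring the situations in the article."""
    inv = KeyInventory()
    inv.add("mail.example", "feitian-epass")
    inv.add("mail.example", "yubikey-5c-nfc")          # new key already enrolled
    inv.add("code.example", "feitian-epass")
    inv.add("code.example", "spare-key-in-drawer")
    inv.add("forum.example", "feitian-epass", allows_multiple_keys=False)
    inv.add("bank.example", "feitian-epass",
            allows_multiple_keys=False, allows_key_removal=False)
    return inv


if __name__ == "__main__":
    inv = sample_inventory()
    print("still using the old key:", inv.services_using("feitian-epass"))
    print("no backup key:", inv.without_backup())
    for service, action in inv.decommission_plan("feitian-epass",
                                                 "yubikey-5c-nfc").items():
        print(f"{service}: {action}")
```

The `UNREVOCABLE` case is the one worth noticing: a service that lets you add a second key but never remove the first leaves the worn-out key as a live credential, so the only way to retire it is to physically destroy it. Keeping this inventory in a password manager, as the article suggests, is enough; the point is to store the per-service capabilities alongside the key label, because that is what decides whether a smooth swap is possible.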

I hope I’ve learned my lesson now; maybe you have too. I’m keeping track of where I’ve registered my new security key. At least this time I’ve created a list inside my password manager and started adding entries to it!