Possible to use *only* U2F authentication?

If the service you are using supports multiple different U2F devices, you may add more than one to the service. In the Google case I believe they support more than one linked device. To disable the backup security codes you may simply use them all.

You cannot duplicate your U2F device, but there may be manufacturers selling pairs. By design the U2F device should be write-only, i.e. only returning replies to challenges, not the secret stored. Allowing the secret to be read (in order to create a duplicate after creation) may pose a security risk, since someone obtaining your U2F device may create a duplicate without your knowledge.


Having two distinct security keys (which is the most commonly suggested method of backup) is not convenient at all, because I have to add both of my keys every time I register on a new service, and it means that I can't keep the backup key stored very securely (as it needs to be easily accessible).

But the truth is: it is totally possible to have a pair of U2F keys which are set up in the following way:

  • When I register the primary token on some service, the backup automatically becomes valid for this service as well;
  • As soon as I use the backup token on some service for the first time, the primary one is invalidated for that service.

(Read the technical details in the article linked below)

This way, I could store my backup key somewhere really secure and hard to reach, and whenever I register my primary key on some service, I have peace of mind knowing that I'm covered by the backup automatically.

For that, manufacturers would have to sell matched pairs of tokens set up in this way. At the time of writing, the only way to do that is to use U2F-zero or its successor Solo. I have personally only used U2F-zero so far.

See all the details in the article Reliable, Secure and Universal Backup for U2F Token
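As an added illustration of the two properties listed in the answer above (this is example code written for this page, not code from the linked article, from U2F-zero or from Solo, and the mechanism is my assumption of how such a matched pair can be built, not a description of what those projects actually ship): two tokens share one seed, so the backup recomputes the same per-service private key from the key handle the primary created; and the backup's signature counter starts far above the primary's, so the first login with the backup makes the service reject the primary as a clone, but only at that service. The signature scheme is a toy Schnorr group over a tiny prime, standing in for U2F's P-256 ECDSA so the script runs with the standard library alone; the app ID, seed and counter offset are constructed values.

```python
import hashlib
import hmac
import os

# Toy Schnorr group (p = 2q + 1, g of prime order q). Far too small to be
# secure; it only stands in for U2F's real P-256 ECDSA so the script runs
# with the standard library alone.
P, Q, G = 1019, 509, 4
COUNTER_BYTES = 4  # the U2F signature counter is a 32-bit big-endian integer


def h_int(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


class Token:
    """One U2F-style token. Tokens built from the same seed form a matched pair."""

    def __init__(self, seed: bytes, counter_start: int):
        self.seed = seed
        self.counter = counter_start

    def _private_key(self, app_id: bytes, key_handle: bytes) -> int:
        # Per-service key derived from the shared seed and the key handle, so
        # both tokens of the pair recompute the same key for the same service.
        d = hmac.new(self.seed, app_id + key_handle, hashlib.sha256).digest()
        return int.from_bytes(d, "big") % (Q - 1) + 1

    def register(self, app_id: bytes):
        key_handle = os.urandom(16)  # random nonce; stored by the service, not secret
        x = self._private_key(app_id, key_handle)
        return key_handle, pow(G, x, P)  # key handle and public key go to the service

    def authenticate(self, app_id: bytes, key_handle: bytes, challenge: bytes):
        x = self._private_key(app_id, key_handle)
        self.counter += 1
        ctr = self.counter.to_bytes(COUNTER_BYTES, "big")
        # Deterministic per-signature nonce, then a Schnorr signature over
        # (app_id, key_handle, counter, challenge).
        k = h_int(self.seed, b"nonce", key_handle, challenge, ctr) % (Q - 1) + 1
        r = pow(G, k, P)
        e = h_int(r.to_bytes(2, "big"), app_id, key_handle, ctr, challenge) % Q
        s = (k - x * e) % Q
        return self.counter, (e, s)


def verify(pub: int, app_id: bytes, key_handle: bytes, counter: int,
           challenge: bytes, sig) -> bool:
    e, s = sig
    ctr = counter.to_bytes(COUNTER_BYTES, "big")
    r = pow(G, s, P) * pow(pub, e, P) % P  # g^s * y^e == g^k when valid
    return h_int(r.to_bytes(2, "big"), app_id, key_handle, ctr, challenge) % Q == e


class RelyingParty:
    """Service side: stores (public key, last seen counter) per key handle."""

    def __init__(self, app_id: bytes):
        self.app_id = app_id
        self.creds = {}

    def register(self, token: Token) -> bytes:
        key_handle, pub = token.register(self.app_id)
        self.creds[key_handle] = [pub, 0]
        return key_handle

    def login(self, token: Token, key_handle: bytes) -> str:
        pub, last_counter = self.creds[key_handle]
        challenge = os.urandom(32)
        counter, sig = token.authenticate(self.app_id, key_handle, challenge)
        if not verify(pub, self.app_id, key_handle, counter, challenge, sig):
            return "bad signature"
        if counter <= last_counter:  # the clone check U2F services are expected to do
            return "counter regression: token rejected as a possible clone"
        self.creds[key_handle][1] = counter
        return "ok"


def demo():
    seed = hashlib.sha256(b"constructed demo seed").digest()   # constructed value
    primary = Token(seed, counter_start=0)
    backup = Token(seed, counter_start=1 << 24)   # assumption: starts far above primary
    stranger = Token(os.urandom(32), counter_start=0)  # unrelated token, no shared seed
    rp = RelyingParty(b"https://example.test")      # constructed app ID
    key_handle = rp.register(primary)   # only the primary is ever enrolled
    return [
        rp.login(primary, key_handle),   # ok
        rp.login(backup, key_handle),    # ok: same seed, same derived key
        rp.login(primary, key_handle),   # rejected: counter now behind the backup's
        rp.login(stranger, key_handle),  # bad signature: cannot derive the key
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two caveats the toy skips over: a real token would authenticate the key handle (MAC it with the seed) so a service cannot feed it an arbitrary one, and a real implementation would use P-256 ECDSA with hardware-held keys rather than a 10-bit group. The counter logic is the part worth taking away: because the rejection only happens at services where the backup has actually been used, the primary keeps working everywhere else.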