If you rely on a YubiKey for two-factor or passwordless sign-in, a checklist helps you configure it correctly and avoid lockouts.
This guide explains how to create a checklist with YubiKey, from enrollment and backups to recovery planning and team rollout.
Why a YubiKey checklist matters
YubiKey hardware security keys from Yubico are widely used for FIDO2, WebAuthn, U2F, and PIV-based authentication.
A checklist turns a one-time setup into a repeatable process, which is especially useful when you manage multiple accounts, devices, or users.
Without a checklist, common mistakes include registering only one key, skipping backup codes, misplacing recovery options, and forgetting which services support passwordless login.
A structured checklist reduces these errors and makes your authentication setup easier to audit.
What to include in your YubiKey checklist
Your checklist should cover hardware selection, account enrollment, backup strategy, recovery methods, and maintenance.
If you are creating one for a business, include ownership, assignment, and revocation steps as well.
Core checklist categories
- YubiKey model and compatibility
- Primary account enrollment
- Secondary key registration
- Recovery codes and alternate methods
- Device storage and labeling
- Verification after setup
- Update and replacement schedule
How to create a checklist with YubiKey step by step
1. Inventory the accounts you want to protect
Start by listing every service where you want to use your YubiKey.
Common examples include Google Workspace, Microsoft 365, GitHub, GitLab, Dropbox, 1Password, Okta, and banking portals that support security keys.
For each account, note whether it supports FIDO2/WebAuthn, security key login, or only two-factor authentication.
This helps you avoid planning for features the service does not offer.
2. Choose the right YubiKey model
Different YubiKey models support different interfaces and protocols.
YubiKey 5 Series devices typically support FIDO2, U2F, OTP, smart card, and PIV features, while security-focused workflows may only need FIDO2 and WebAuthn.
Include a checklist item for connector type, such as USB-C, USB-A, Lightning, or NFC, so the key works with your phone, laptop, and tablet.
If you use managed endpoints, verify compatibility with operating systems such as Windows, macOS, Linux, iOS, and Android.
3. Register at least two keys
One of the most important checklist items is redundancy.
Register a primary YubiKey and a backup YubiKey for every critical account that allows multiple security keys.
This reduces the risk of being locked out if the main device is lost, damaged, or left behind.
Store the backup key separately from the primary key, ideally in a secure location such as a safe or locked cabinet.
4. Add fallback recovery options
Many platforms provide backup codes, recovery emails, recovery phone numbers, or administrator-assisted recovery.
Your checklist should require you to save those options before relying on the YubiKey alone.
When possible, print or securely store recovery codes offline.
For enterprise environments, document who can approve account recovery and what identity verification steps are required.
5. Enable FIDO2 or WebAuthn where available
FIDO2 and WebAuthn are the strongest and most phishing-resistant methods commonly used with YubiKey.
Make a checklist item to enable these options first, especially on high-value accounts such as email, password managers, source control, and cloud administration portals.
If a service offers both app-based one-time passwords and security keys, prioritize the hardware key.
This lowers the chance of phishing attacks and SIM-swap-related compromises.
6. Test sign-in and recovery before you need it
Do not stop at registration.
Your checklist should include a real login test on each important account, followed by a recovery test using the backup key or recovery code path.
Testing confirms that the key is recognized correctly and that you understand the account’s fallback process.
It is much easier to fix setup issues immediately than during an emergency.
7. Label and store the keys consistently
Create a labeling system for your YubiKeys, such as Primary, Backup, or Admin.
If you manage multiple users, record the serial number, assigned person, issue date, and storage location.
Consistent labeling helps you match the right key to the right account and speeds up replacement if a key is lost or deactivated.
For privacy and security, avoid exposing labels that reveal sensitive roles publicly.
Sample checklist template for YubiKey setup
You can adapt the following template for personal use or team deployment:
- Confirm the target account supports security keys
- Select the correct YubiKey model and connector
- Update the device firmware if required by your policy
- Register the primary YubiKey
- Register a backup YubiKey
- Save backup codes securely offline
- Set up recovery email and phone as allowed
- Test login from a trusted device
- Test account recovery with a backup method
- Record the key serial number and storage location
- Review and update the checklist every 6 to 12 months
Checklist items for teams and businesses
If you are building a checklist for a company, add process controls that support security and compliance.
This is important for organizations that use single sign-on, privileged access, or shared administrative accounts.
Include role-based controls
- Define who can issue YubiKeys
- Track which employee receives which key
- Require two registered keys for administrators
- Document offboarding and key revocation steps
- Audit account recovery requests
Document policy requirements
Organizations often pair YubiKeys with identity providers such as Microsoft Entra ID, Okta, Duo, or Google Cloud Identity.
Your checklist should reference internal policies for password requirements, device trust, acceptable use, and incident response.
Also include guidance on what happens when a key is lost, an employee leaves, or a device is replaced.
Clear rules prevent shadow IT and reduce authentication gaps.
Common mistakes to avoid when building a YubiKey checklist
A checklist is only effective if it reflects real failure points.
These are the most common mistakes to watch for:
- Registering only one key for critical accounts
- Skipping recovery codes or storing them insecurely
- Not testing backup sign-in before deployment
- Assuming every website supports FIDO2 or WebAuthn
- Using the wrong connector for mobile or desktop devices
- Failing to document ownership and replacement steps
Another common issue is treating the YubiKey as a complete replacement for account hygiene.
Strong passwords, up-to-date recovery information, and endpoint security still matter.
How to keep the checklist current
Authentication needs change as services update their login methods and your devices evolve.
Review your checklist after major events such as buying a new phone, changing laptops, moving to a new identity provider, or enrolling a new critical account.
Set a recurring review interval, such as every six months, to confirm the keys still work and recovery options remain valid.
If you are managing a team, tie this review to onboarding, offboarding, and annual access audits.
Where a YubiKey checklist adds the most value
A well-built checklist is most useful for people protecting email, password managers, code repositories, finance tools, and cloud admin portals.
It is also valuable for security teams standardizing enrollment across departments.
By documenting the setup process, you make YubiKey adoption more reliable, more scalable, and less dependent on memory.
That consistency is what turns a strong security key into a dependable security workflow.