Stolen YubiKey: What to do in the next 10 minutes
Your YubiKey has been stolen. Or you’ve lost it. Or you simply can’t find it and don’t know if it’s in your jacket pocket or in someone else's hands.
You have a window of time. Not much. This is what you need to do.
Immediate Action Plan
The order matters. Start with what can cause the most damage if someone accesses it before you do.
Before anything else: if your phone was stolen with open sessions, revoking the YubiKey does nothing, because the sessions remain active. In Google, go to "Manage devices" and sign out of all of them. In other services, look for "Sign out of all devices." This always comes first.
Your email account is the master key: whoever controls it can reset almost any other account. Go to its security settings, remove the YubiKey as an authentication method, and temporarily activate another one, such as an authenticator app or a verification code.
Banking and payment apps (Revolut, PayPal, Wise, Monzo). Log in from another device and revoke the YubiKey in the security settings. If you cannot access the account, call the bank directly and have digital access blocked.
Crypto exchanges (Binance, Coinbase, Kraken). If you hold funds, this is a top priority. Log in, revoke the YubiKey, and activate an alternative 2FA. If you can't log in, start the exchange's account recovery process immediately.
Password managers (Bitwarden, 1Password, KeePass). If your manager uses the YubiKey as a second factor, revoke it from another device or use the emergency recovery codes you generated when setting it up.
Everything else: Google, GitHub, social media, and any other service where the YubiKey is registered. Revoke it account by account from each service's security settings.
If you don't keep a record of where the key is registered, the fastest way to find out is to search your email for the notifications sent when you set it up. Search for "security key," "2FA," or "YubiKey" in your inbox.
If you have a backup YubiKey
This is the ideal situation. You have a second key configured—you activate it and remain operational.
The process is the same for every service: log in with your alternative second factor (the backup key or emergency codes), go to the security settings, and remove the stolen key from the list of trusted devices.
Once revoked across all services, the stolen key is useless—even if someone has it, they cannot authenticate with it on any of your accounts.
Revoking the specific key removes that device from your account. Disabling 2FA removes all protection. Make sure you do the former, not the latter.
If you don't have a backup
It's more inconvenient, but there is a solution.
Most services have alternative recovery methods that you configured when you activated the YubiKey. The problem is that many people set them up and then forget about them.
Google, GitHub, and many other services generate one-time codes when activating 2FA. If you saved them—in a password manager, on paper, or in a file—use them now.
If you set up an authenticator app (Google Authenticator, Aegis, Authy) in addition to the YubiKey, use it to log in and revoke the stolen key.
If you have no alternative method, every service has an account recovery process. It usually requires identity verification and can take anywhere from a few hours to several days. It is the slowest route—another reason to have a backup configured beforehand.
The accounts actually at risk are only those where the YubiKey is the sole second factor and no alternative method is configured. If you have an authenticator app or emergency codes as a backup, the risk is minimal: the stolen key is useless without your other credentials.
Recommendation: Set your PIN before it’s too late
If your YubiKey does not have a PIN configured, anyone who finds it can use it directly as the second factor for your accounts, provided they also know your password. With a PIN activated, the key locks itself after several failed attempts and becomes useless to anyone who doesn't know the code.
Setting up a PIN takes less than 2 minutes using YubiKey Manager. If you haven't done it yet, do it now—before you actually need this post.
→ How to set up a PIN in YubiKey Manager
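The check and the setup commands, as an added example that is not part of the original post: a small POSIX shell script around the ykman CLI that ships with YubiKey Manager. It reports whether the FIDO2 application of the plugged-in key has a PIN and how many attempts remain on the FIDO2 and PIV PINs, and bundles the three commands used to set the PINs. The parsing functions assume the ykman output formats shown in the comments (constructed from ykman 5.x output); the commands themselves are real ykman subcommands. The FIDO2 PIN and the PIV PIN are separate: the PIV PIN can be unblocked with the PUK, while the FIDO2 PIN has no PUK and a locked FIDO2 application can only be reset.

```shell
#!/bin/sh
# Added example, not from the original post. Audits the PIN state of a
# YubiKey with ykman and shows the commands that set the PINs.
# Assumed output formats (constructed from ykman 5.x):
#   ykman fido info  -> "PIN is set, with 8 attempt(s) remaining."  or  "PIN is not set."
#   ykman piv info   -> "PIN tries remaining: 3/3"
# Adjust the patterns below if your ykman version prints differently.

# Read `ykman fido info` text on stdin; print "set", "not-set" or "unknown".
# Pure text parsing, so it can be exercised without a key plugged in.
pin_status_from_info() {
    info=$(cat)
    case "$info" in
        *"PIN is not set"*) echo not-set ;;   # checked first: "is not set" also contains "is set"
        *"PIN is set"*)     echo set ;;
        *)                  echo unknown ;;
    esac
}

# Read `ykman fido info` text on stdin; print the number of FIDO2 PIN attempts left.
fido_retries_from_info() {
    sed -n 's/.*PIN is set, with \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Read `ykman piv info` text on stdin; print the number of PIV PIN attempts left.
piv_retries_from_info() {
    sed -n 's/^[[:space:]]*PIN tries remaining:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Run the checks against the plugged-in key. Exit 1 if the FIDO2 PIN is missing,
# 2 if ykman is absent or its output could not be parsed.
audit_key() {
    command -v ykman >/dev/null 2>&1 || { echo "ykman not found; install YubiKey Manager" >&2; return 2; }
    fido=$(ykman fido info)
    case "$(printf '%s\n' "$fido" | pin_status_from_info)" in
        set)
            echo "FIDO2: PIN is set, $(printf '%s\n' "$fido" | fido_retries_from_info) attempt(s) remaining" ;;
        not-set)
            echo "FIDO2: NO PIN. Anyone holding the key can use it as a second factor."
            echo "       Fix: ykman fido access change-pin"
            return 1 ;;
        *)
            echo "FIDO2: could not parse 'ykman fido info' output" >&2
            return 2 ;;
    esac
    echo "PIV:   $(ykman piv info | piv_retries_from_info) PIN attempt(s) remaining"
}

# Interactive, run once when setting up a new key. Each command prompts for the
# current and new values. A fresh key has no FIDO2 PIN; the PIV application ships
# with the default PIN 123456 and PUK 12345678, which you should replace.
set_pins() {
    ykman fido access change-pin   # FIDO2 PIN: 8 attempts, then the application must be reset (no PUK)
    ykman piv access change-pin    # PIV PIN: 3 attempts by default, unblocked with the PUK
    ykman piv access change-puk    # new PUK: store it in your password manager, as the post advises
}

# Only touch the hardware when explicitly asked, so the file can be sourced or
# tested without a key present.
if [ "${YK_AUDIT:-0}" = 1 ]; then
    audit_key
fi
```

Run `YK_AUDIT=1 sh yk-pin-audit.sh` with the key plugged in to audit it, and call `set_pins` from the same shell (after sourcing the file) to walk through the three PIN prompts.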
Card Format Tray
Carry your YubiKey in your wallet: always on you, always where you can find it. Standard credit card format.
Slim Wallet with RFID Blocking
Minimalist wallet with a slot for YubiKey and integrated AirTag holder. If you lose it, you can find it.
Losing a YubiKey is solvable. Losing access to your accounts is not always.
If you have a backup configured and a PIN activated, losing the key is a minor inconvenience—you revoke it, activate the second one, and carry on. Without either, the process is arduous and could cost you access to critical accounts.
Real prevention isn't just knowing what to do when it happens—it's keeping it on you at all times and keeping it protected so you don't lose it in the first place.
Frequently Asked Questions
Can my YubiKey be used without a PIN?
Yes. If you don't have a PIN set up, anyone who has the key can use it directly—provided they also know your password. With a PIN activated, the key will lock itself after several failed attempts.
Can my YubiKey be cloned?
No. The YubiKey is designed so that its private keys never leave the physical device, which is what prevents copying it: to authenticate with it, you must have the actual object in hand.
What happens if I don't have a backup configured?
You will have to use the recovery methods for each service—emergency codes, alternative factors, or the provider's account recovery process. This can be slow. That is why setting up a second backup YubiKey is the most important recommendation of this post.
What if I forget my PIN?
If you enter the PIN incorrectly a set number of times, the YubiKey will lock. To unlock it, you need the PUK (PIN Unblocking Key) generated during the PIN setup. If you don't have the PUK either, the key becomes unusable and must be reset (which wipes all data on it). Always store your PUK in a safe place—like your password manager.