Pro Tip! Use YubiStyle Covers instead of writing the userPrincipalName or Domain Name on your YubiKeys


Windows Hello for Business Security Keys is Microsoft’s name for FIDO2-based security keys when you use them with Windows Hello for Business on a Windows 10-based device.

As the FIDO Alliance strives to develop and promote authentication standards, FIDO2-based security keys work in many passwordless scenarios.

Yubico, one of the founding members of the FIDO Alliance, offers great Windows Hello for Business security keys with many options: YubiKeys. YubiKeys are designed and made to be resilient. However, sometimes, you may encounter a key from a bad batch (like with the early YubiKeys Bio) or you might just put a little too much strain on one. In that case, you might be wondering if the YubiKey is still alive.

As in the old days with smart cards, it's unwise to write any identifying information on YubiKeys, too. However, as one YubiKey can serve many accounts, the challenge is not as big as it used to be. Today, when an organization has applied the Active Directory Tiered Admin model in their production, acceptance, test and development environments, all the credentials can be stored on a single YubiKey, while smart cards were typically limited to four accounts and admins had to carry around four smart cards. Vanilla smart cards can be hard to distinguish, so typically something was written on them. It's not the brightest idea to tag a userPrincipalName or domain name on a smart card, but it happened.

As we typically distribute two YubiKeys per break-glass account to our customers, we needed a way to distinguish between those keys and the typical YubiKeys that admins at these organizations carry. In the heat of the moment, during incident response, you don't want people breathing down your neck to correctly enter a 128-character password at the first try. You don't want to fumble with YubiKeys either.


YubiStyle Covers

To make sure we can tell YubiKeys apart, we use YubiStyle Covers.

Organizations can purchase these covers at an incredible premium at Yubico resellers, but typically buying one or two makes it easy to have them duplicated at your favorite sticker partner.

The original YubiStyle covers are printed on premium 3M paper and their print doesn't tend to fade over time due to UV exposure. This is typically not something we worry about for YubiKeys that we store in vaults for the emergency access accounts.


Pro Tip! Use YubiStyle Covers

Instead of writing any information on YubiKeys, use the YubiStyle Cover stickers.

2 Responses to Pro Tip! Use YubiStyle Covers instead of writing the userPrincipalName or Domain Name on your YubiKeys

    'The Security Key NFC – Enterprise Edition includes a serial number for asset tracking, both accessible via software and laser marked on the back.'
    Guess if you order in bulk you can have them engraved with a serial/qr code. Guess out of the scope for just some breakglass sticks 😉

    • Nah. All Yubikeys (except the FIDO2-only ones) show the serial number on the outside.

