by zen_1 1034 days ago
At setup time, yes.

https://support.yubico.com/hc/en-us/articles/360016614880-Ca...

Look at the "few exceptions" section

1 comment

If you grab a TOTP secret at setup time, you can do whatever you please with it, but this is of course extremely perilous, because access to the secret equals full control of that factor. The YubiKey's one-way storage is trying to save you from that danger.

So one strategy for maintaining multiple authenticators or YubiKeys would be to save all the secrets away and call them up when it's time to load up the alternate factor.

What I do is register both keys at the same time, one after the other so the QR code doesn't leave my screen. Can't do it this way if the one key is in cold storage, of course.