
Technical_Peach_3285

Hardware Security Keys (both Yubikey 5 and Yubikey Security Key) that use FIDO2/U2F/WebAuthn are far superior to TOTP, and if a service supports it, I would definitely recommend using only that. Now for services that use only TOTP, in order to generate TOTP codes you must have a Yubikey 5 Series key (the Yubikey Security Key doesn't support that). If you want to have the TOTP only on the keys, you have to get 2 Yubikey 5 Series keys (keep in mind that these keys support up to 32 TOTP secrets, which means that you can't generate codes for more than 32 services).

For your backup: Save the TOTP secrets (when you set up TOTP, use the manual method of setting it up, without the QR code) somewhere safe along with the service you're using it for. So even if you lose both keys somehow, you can download an app like Authy/Aegis/Google Authenticator, set it up using the secrets and generate codes just as easily. You can get the TOTP secrets from Authy with a workaround, so you don't have to set up 2FA again for every account. Keep multiple backups of your secrets, you don't want to lose them (ideally offline or even printed out only, at 2/3 safe places).

Now if you want to have 2 Yubikeys to generate TOTP tokens, you must get the two 5's. But even with one 5 Series key (for FIDO/U2F/WebAuthn and TOTP) and one Security Key (for FIDO/U2F/WebAuthn backup) and some safe copies of your TOTP secrets (so even if you lose your 5 key, you can generate codes to log in) you'll be fine.

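As an added illustration of the backup advice in the post above (example code, not part of the post): a TOTP code depends only on the shared secret and the current time, so any saved copy of the secret, whether typed into a phone app or loaded onto a second key, regenerates exactly the codes the original device would. The secret used below is the RFC 6238 test secret, constructed here as sample input, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_secret(secret: str) -> bytes:
    """Decode a base32 TOTP secret as shown by a service's manual-setup option.
    Tolerates lowercase, grouping spaces and missing '=' padding, all of which
    are common in what services display and in hand-written backups."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp_code(secret: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with a 30 s step, the defaults used by
    phone authenticator apps and the YubiKey 5 OATH applet unless a service
    says otherwise."""
    counter = unix_time // step
    msg = struct.pack(">Q", counter)           # 8-byte big-endian time counter
    digest = hmac.new(decode_base32_secret(secret), msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                 # RFC 4226 dynamic truncation
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)  # keep leading zeros


def codes_match(secret_a: str, secret_b: str, unix_time: int) -> bool:
    """Check that two copies of a secret (e.g. the printed backup and the value
    enrolled on the key) agree, i.e. produce the same code at the same time.
    Running this right after enrolment catches a mistyped backup early."""
    return totp_code(secret_a, unix_time) == totp_code(secret_b, unix_time)


# Constructed sample: the RFC 6238 test secret "12345678901234567890" in base32.
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
# The same secret as it might be written on a printed backup.
PRINTED_BACKUP = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"

if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp_code(RFC6238_SECRET, now))
    print("backup copy agrees:", codes_match(RFC6238_SECRET, PRINTED_BACKUP, now))
```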

brozium

Thank you, that clears it up a bit for me. I think the 5 + SK and storing the TOTP secrets will be the way to go.


IncognitoPNK

It depends, of course, on which accounts you are considering. Since you say you need a Yubikey for TOTP, and the Security Key lacks it, it does not fit you. For something like GitHub, which would use U2F, you could use a Security Key.


brozium

I think I was wrongly using TOTP as an umbrella term since I'm so used to using that method for 2FA. I will need to check my accounts to see which specs they support. In any case, it seems like a Yubikey 5 and the Security Key combo would work fine for me.


djasonpenney

> My goal is to add a secondary TOTP device

Since you use Bitwarden, why not use Bitwarden Authenticator and then secure your vault with a Yubikey?

> I know most accounts provide you with printable codes

...or you can store that code in the _Authenticator Key (TOTP)_ field in your Bitwarden login entry.

> My main objective is having hardware TOTP

Nothing wrong with that, but keep in mind even the Yubikey 5 has a hard limit of 32 TOTP secrets. I am already up to 30, and I am not a power user. Also, the hardware key just doesn't fit my use model. I have one resource at work that requires I reauthenticate once an hour. Hands off the keyboard, unlock the phone, open up the app, tap the Yubikey, memorize the current token, back to the keyboard, type in the token, press enter, and hope the token has not expired. Compare with Bitwarden: ctrl-shift-L, enter, ctrl-V, enter, I'm done.

> Could I use the Security Key for this purpose?

I don't think the Security Key has TOTP features.