Configure HMAC-SHA1 Challenge-Response on a YubiKey’s second OTP slot.

Check slot status

Use ykman otp info to make sure your second slot isn’t already used. Slot 1 is typically reserved for Yubico OTP.

ykman otp info
# Slot 1: programmed
# Slot 2: empty

Configure OTP slot 2

Generate a shared secret and program both YubiKeys (primary and backup) with the same secret, swapping keys between the two ykman calls, so either one can open the database.

SECRET=$(openssl rand -hex 20)              # 20 random bytes: the HMAC-SHA1 key size
ykman otp chalresp --touch 2 "$SECRET"     # Key 1 inserted
ykman otp chalresp --touch 2 "$SECRET"     # Key 2 inserted
unset SECRET                                # drop the secret from the shell

The --touch flag is optional, but it is worth setting: the key then requires a physical touch before it answers a challenge, so software alone cannot pull responses out of a key that happens to be plugged in.
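Before the secret leaves the shell, it is worth confirming that both keys were programmed identically. The following check is an added example, not part of the original guide: it computes the response a correctly programmed slot must give and compares it with what each key returns. It assumes ykman's default variable-length input (a challenge shorter than 64 bytes is hashed as-is), that `ykman otp calculate` takes a hex challenge and prints a hex response, and that the secret is passed in the SECRET environment variable.

```python
import hashlib
import hmac
import os
import subprocess

HMAC_CHALLENGE_SIZE = 64  # YubiKey challenge-response input limit, in bytes


def expected_response(secret_hex: str, challenge: bytes) -> str:
    """Hex HMAC-SHA1 a correctly programmed slot returns for this challenge.

    Assumes the slot uses variable-length input (ykman's default), so a
    challenge of 1..63 bytes is hashed exactly as given.
    """
    if not challenge or len(challenge) >= HMAC_CHALLENGE_SIZE:
        raise ValueError("challenge must be 1..63 bytes")
    secret = bytes.fromhex(secret_hex)
    if len(secret) != 20:
        raise ValueError("slot secret must be 20 bytes (40 hex chars)")
    return hmac.new(secret, challenge, hashlib.sha1).hexdigest()


def ykman_response(slot: int, challenge: bytes) -> str:
    """Ask the inserted key for its response (assumed ykman CLI form)."""
    out = subprocess.run(
        ["ykman", "otp", "calculate", str(slot), challenge.hex()],
        check=True, capture_output=True, text=True,
    )
    return out.stdout.strip().lower()


def keys_agree(secret_hex: str, challenge: bytes, responses: list) -> bool:
    """True only when every observed response matches the computed one."""
    want = expected_response(secret_hex, challenge)
    return bool(responses) and all(
        hmac.compare_digest(want, r.lower()) for r in responses
    )


if __name__ == "__main__":
    secret_hex = os.environ["SECRET"]   # same value given to ykman otp chalresp
    challenge = os.urandom(32)          # one fresh challenge for both keys
    input("Insert key 1, press Enter, then touch the key when it blinks ")
    r1 = ykman_response(2, challenge)
    input("Insert key 2, press Enter, then touch the key when it blinks ")
    r2 = ykman_response(2, challenge)
    print("both keys OK" if keys_agree(secret_hex, challenge, [r1, r2]) else "MISMATCH")
```

Run it as `SECRET="$SECRET" python3 verify_chalresp.py` before the `unset SECRET` step, since the variable is not exported.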