Splashtop’s two-step verification accepts any authenticator that generates Time-based One-Time Passwords. This includes YubiKey Authenticator, which stores the secret inside a YubiKey for hardware-rooted MFA without changing your sign-in flow.
Prerequisites
- A Splashtop account with email/password sign-in
- A YubiKey that supports OATH-TOTP (YubiKey 5 Series, Security Key C NFC, etc.)
- Yubico Authenticator installed on your desktop or mobile device
1. Enable two-step verification in Splashtop
- Sign in at my.splashtop.com/my.splashtop.eu
- Go to Account Info → Two-Step Verification → Change.
- Click Get Started and follow the instructions
- A QR code and a secret key appear – leave this page open for the next step.
Tip – already using another authenticator? Click Change to switch to YubiKey.
2.Register the QR code in Yubico Authenticator
-
Insert or tap your YubiKey so Yubico Authenticator detects it.
▾
- Click + Add → Scan QR code (or Enter manually).
▾
- (Optional) tick Require touch, so a code is produced only after you tap the key.
- Click Save. The Splashtop credential is now stored in the key’s secure element.
▾
3.Verify and store backup codes
- Back on the Splashtop page, Yubico Authenticator shows a 6-digit code. Touch the key if prompted, enter the 6-digit code, click Check, and Next.
- Splashtop displays 10 emergency recovery codes. Save them securely; each works once if the key is lost.
- You are all set!
- Open the Splashtop Business app (or web console) and log in with your Splashtop credentials.
- When prompted for the verification code:
- Insert/tap your YubiKey.
- Open Yubico Authenticator, select the Splashtop entry, copy the 6-digit code.
- Paste or type it into Splashtop and log in.
To approve a WebAuthn/FIDO2 prompt on the remote machine, redirect your key:
- Make sure to install the Device Redirection Service in the Splashtop Business application
- Start a remote desktop access session.
- Open the Device Redirection tool from the toolbar.
-
Select your YubiKey, then Redirect.
Note – USB Device Redirection is available on specific plans. [More info]
What happens if I lose my YubiKey?
Use one of the Splashtop emergency recovery codes to log in, then disable two-step verification to register a replacement key.
Does the Splashtop application support tap-to-sign-in (FIDO2 / passkeys)?
Not at this time. You still need to enter a password along with a TOTP code. While you can redirect your security key using USB Device Redirection for use within a remote session, FIDO2 cannot currently be used to sign in to the Splashtop Business application. Keep an eye on our release notes for future updates.
Does an older YubiKey NEO work?
Any key that supports OATH-TOTP and the Yubico Authenticator app will work.
Where is the login code stored?
Inside the secure element of the YubiKey—never on the local disk or in the Authenticator app.
- “Invalid code” – ensure your device clock is correct.
- Key not detected – update Yubico Authenticator or try another USB port.
- USB redirection unavailable – The feature is available with Splashtop Enterprise, Remote Support Premium, and Remote Access Performance.
- Enable Require Touch on every OATH credential.
- Store Splashtop emergency recovery codes safely (encrypted vault or offline).
- Register a spare key to avoid lockouts.