How the YubiKey works (2024)

FAQs

How does YubiKey actually work? ›

Yubikeys are a type of security key made by Yubico that makes two-factor authentication easier. Yubikeys use U2F, which is based on public-key cryptography. Using a Yubikey allows you to do a one-touch login and have as many Yubikeys as you want.

OATH (Yubico Authenticator) - the YubiKey 5's OATH application can hold up to 32 OATH-TOTP credentials (AKA authenticator app codes).

A Yubikey can be used for an unlimited number of accounts if you're using WebAuthn. You also have an unlimited number of accounts for U2F.

Do I need to keep my yubikey plugged in all the time? A. No, you only need to insert your yubikey when you are prompted to do so during login. Leaving it plugged in could result in the yubikey being lost or damaged.

Mobile-free, secure authentication

Unlike SMS codes and mobile push authentication, YubiKeys do not require a cellular connection to operate. In fact, they don't even require batteries or have any other external dependency.

The YubiKey works with Password Safe to protect your passwords using two-factor authentication (2FA). Both a master password and a YubiKey are needed to enable access to your Password Safe file, which contains the usernames, websites, passwords and other information for all of your online accounts.

Using a Microsoft account with a YubiKey gives you quick and easy access to services such as Outlook.com, Office, Skype, OneDrive, Xbox Live, Bing and more. Just tap your YubiKey and you're in. No password required.

If you lose your Yubikey, you can still use your phone authenticator app, but you cannot create a backup Yubikey. However, Yubikey also provides methods to recover your account, so you can get a replacement. An advantage to Yubikey is that it comes on a USB that cannot be identified.

Staying safe online is a habit that needs to be nurtured, and using a password manager is the simplest way to upgrade your online account security. 1Password's YubiKey integration delivers strong password management to both personal users and organizations of all sizes.

The solution: YubiKey + password manager

Using a password manager application is the best way to create and maintain unique and strong passwords for all your account logins, and protecting your password manager with a YubiKey is the most secure way to manage multiple digital credentials.

Can I use one YubiKey for multiple devices? ›

Can I use one YubiKey with multiple devices? Yes! Just plug your YubiKey into any computer and log in the way you normally would. That's really it—you'll be able to log in to all of your accounts, same as before.

Feitian security keys come with most of the same security features and protocols as the Yubico options do, and they offer a variety of connectivity choices, including USB-C and NFC and even a fingerprint option. Feitian is also the company that makes Google's keys.

Q: How many spares should I get? A: Many of our customers actually purchase several spares for maximum security and peace of mind. This is not a bad idea when guarding extremely critical accounts. Starting off, you should be fine with 1-2 spare keys.

The counter starts at zero and is incremented each time the device is plugged in. Two bytes for the session counter allows for 2(2*8) = 65,536 sessions. In other words, you can plug in the Yubikey three times a day for almost 60 years before running out of session counters.

and add compatible services. It's easy to get started with your YubiKey Bio! Yubico Authenticator for Desktop 5.1 and later enables you to enroll and manage fingerprints on all supported operating systems. Use the Yubico Authenticator for Desktop on your Windows, Mac, or Linux computers.

How can I safely remove my YubiKey? The YubiKey identifies as a USB keyboard to your PC, and does not need to be ejected when removed – you can just pull it out!

Best all-round security key

The YubiKey USB authenticator has multi-protocol support, including FIDO2, FIDO U2F, Yubico OTP, OATH-TOTP, OATH-HOTP, smart card (PIV), OpenPGP, and challenge-response capabilities, providing solid hardware-based authentication.

YubiKey for Mobile

Securing the mobile experience with strong authentication for iOS, Android, and Windows 10.

YubiKeys can be easily numbered, tracked, and managed as a state asset. If a user leaves the organization, the YubiKey can be quickly and securely reassigned to another user.

The YubiKey secures remote access by enabling phishing-resistant 2FA or MFA for leading VPN applications such as Pulse Secure and Cisco AnyConnect, as well as other remote access applications, using smartcard (PIV), one-time password (OTP), FIDO U2F, or FIDO2 capabilities.

Can you store things on a YubiKey? ›

The YubiKey is designed to be a user authentication or identification device. The applications on the YubiKey hardware are limited to contain only authentication secrets and keys either generated internally or loaded by users; none of the functions on a YubiKey are designed for mass storage of data.

Owners can secure private keys with the YubiKey by importing them or, better yet, generating the private key directly on the YubiKey. Private keys cannot be exported or extracted from the YubiKey. The YubiKey supports various methods to enable hardware-backed SSH authentication.

Authenticator apps provide a layer of security and are a convenient option for use by many, but they are still vulnerable to phishing due to the 30-second window. Security keys, like the YubiKey, are considered to be both more convenient and more secure.

YubiKeys for AWS IAM satisfies strong authentication

AWS IAM and root users can use their YubiKey as a multi-factor authentication (MFA) device to add an extra layer of protection on top of their user name and password.

Static magnetic fields from permanent magnets does not affect the Yubikey.

The YubiKey is an easy to use extra layer of security for your online accounts. A single YubiKey has multiple functions for securing your login to email, online services, apps, computers, and even physical spaces. key to trust. Login with your login credentials and the YubiKey to prevent account takeovers virtually.

Yubico's YubiKey is built on a foundation of strong authentication. This robust resistance to phishing offers malware protection because it hinges on the ability to detect these attacks before they take place.

Why they appear. FIDO2 is made up of two components - WebAuthn on the service provider end, and CTAP2 on the YubiKey end. PIN prompts are a result of a WebAuthn setting known as User Verification.

Answer: The secret key aka AES key stored in the "yubikeys" table is actually the AES Key of your YubiKey. We hope this helps!

You can add up to five YubiKeys to your account.

Which password manager works best with YubiKey? ›

Therefore you cannot duplicate or back up a YubiKey or Security Key. For this reason, we recommend having a backup device and registering both with your accounts so that if one is lost or broken you can use the other to log in.

Yubico, the inventor of the YubiKey, is a global authentication leader that makes secure logins easy and available to everyone. YubiKeys are the gold standard for phishing-resistant multi-factor authentication (MFA), enabling one single device to work across any number of services.

To view the credential, tap and hold your YubiKey on the back of your phone where the NFC antenna is located. Yubico Authenticator displays the six digit code associated with this credential. This is the code you need to enter to authenticate when using two-factor authentication.

Should YubiKeys be reused? YubiKeys could be reused. There are a number of considerations that need to be taken into account when deciding on whether or not to reuse YubiKeys. Besides removing and reissuing credentials, tracking systems may need to be updated.

It is costly to design, mould, manufacture, sell and support a hardware product, even something as small as this. Since you don't want your 2FA company to go out of business there is good value in knowing they have a stable business model that can actually support a company rather than just burning capital.

Yubico is providing Security Keys at “Good for the Internet” pricing - as low as $10 per key. Yubico will ship the keys to customers directly.

We at Yubico always recommend having more than one YubiKey. This way, one key can be used as a primary key, and the other can be used as a spare. Please note that for security reasons, the firmware of our products does not allow stored secrets to be read, meaning it is not possible to “clone” or "duplicate" a YubiKey.

Our product's quality is top of mind for us and if your YubiKey is damaged we ask that you submit a support ticket with the following information. The order number or copy of invoice from when you purchased the YubiKey. A valid shipping address in the event we send a replacement YubiKey to you.

> A Yubikey can be hacked to send arbitrary keystrokes - but that's of limited usefulness.

Is YubiKey a one time purchase? ›

Buy YubiKeys at Yubico.com | Shop hardware authentication security keys. Opt for greater flexibility with subscription, compared to a one-time purchasing model. Businesses with 500+ users qualify for YubiEnterprise Subscription. YubiKeys as a service, via subscription, delivers peace of mind in an uncertain world.

If you lose your Yubikey, you can still use your phone authenticator app, but you cannot create a backup Yubikey. However, Yubikey also provides methods to recover your account, so you can get a replacement. An advantage to Yubikey is that it comes on a USB that cannot be identified.

In short, when using the YubiKey as a Touch-Triggered OTP authenticator with a computer, the end user will always follow these steps: Plug the YubiKey directly into the computer. Place the text cursor in the field where an OTP needs to be entered. Touch the gold contact on the YubiKey.

The passcode is generated by concatenating various YubiKey fields into a 128-bit long string and encrypting the string with the YubiKey configuration's unique 128-bit AES key.

Instead of a code being texted to you, or generated by an app on your phone, you press a button on your YubiKey. That's it. Each device has a unique code built on to it, which is used to generate codes that help confirm your identity. Press the button and you can log in.

FIDO2 offers expanded authentication options including strong single factor (passwordless), two factor, and multi-factor authentication. With these new capabilities, the YubiKey enables the replacement of weak username/password credentials with strong hardware-backed cryptographic key pair credentials.

Q: How long does the YubiKey last? A: We don't artificially limit the life-span of any YubiKey. The internals of the YubiKey's security algorithms currently limits each key to 30+ years of usage. The Yubikey is powered by the USB port and therefore requires no battery and there is no display on it that can break.

For security, the firmware on the YubiKey does not allow for secrets to be read from the device after they have been written to the device. Therefore you cannot duplicate or back up a YubiKey or Security Key.