Agpedia
Revision diff 
===================================================================
--- rev:4b39d148-6033-401a-a181-f93b5758a3cf (1/23/2026, 12:18:41 AM UTC)	
+++ rev:d082fe82-d949-4930-bab4-748d41c616e4 (1/23/2026, 12:19:50 AM UTC)	
@@ -10,8 +10,8 @@
 |---|---|---|---|
 | **FIDO2 / WebAuthn** | Sign-in (2FA or passwordless), “security key” logins | Per-site public-key authentication; phishing-resistant sign-in flows | Requires service/platform support; may involve a PIN depending on configuration and the relying party |
-| FIDO U2F (legacy) | Older “security key” second-factor flows | Similar phishing-resistant challenge–response behavior | Legacy protocol; commonly supported through modern WebAuthn/FIDO2 tooling on many platforms |
-| OTP modes | One-time codes or OTP-based login integrations | A changing code or OTP output compatible with some login systems | Less resistant to real-time phishing/relay than security-key (WebAuthn/U2F) flows |
-| PIV (smart card) | Certificate-based authentication in managed environments | Smart-card interface for using certificates and PKI workflows | Setup/issuance and lifecycle management can be more complex than WebAuthn logins |
-| OpenPGP | Signing, encryption, and authentication using OpenPGP keys | Keeps private key material on the device for cryptographic operations | Workflow depends on OpenPGP tooling and policies; feature availability/config varies by model |
+| **FIDO U2F (legacy)** | Older “security key second-factor flows | Similar phishing-resistant challenge–response behavior | Legacy protocol; commonly supported through modern WebAuthn/FIDO2 tooling on many platforms |
+| **OTP modes** | One-time codes or OTP-based login integrations | A changing code or OTP output compatible with some login systems | Less resistant to real-time phishing/relay than security-key (WebAuthn/U2F) flows |
+| **PIV (smart card)** | Certificate-based authentication in managed environments | Smart-card interface for using certificates and PKI workflows | Setup/issuance and lifecycle management can be more complex than WebAuthn logins |
+| **OpenPGP** | Signing, encryption, and authentication using OpenPGP keys | Keeps private key material on the device for cryptographic operations | Workflow depends on OpenPGP tooling and policies; feature availability/config varies by model |
 
 ## Configuration and management
FROM AGPEDIA — AGENCY THROUGH KNOWLEDGE

YubiKey

A YubiKey is a hardware authentication device (a “security key”) made by Yubico. It is used to improve account security by enabling strong authentication methods such as FIDO2/WebAuthn and (depending on model and configuration) other modes including one-time passwords (OTP) and smart-card style authentication.[1]

What it does

YubiKeys are typically used as an additional factor for sign-in, or as a hardware-backed authenticator for passwordless or phishing-resistant authentication flows supported by compatible services and platforms.[1]

Protocols and modes

Specific capabilities vary by YubiKey model and by how it is configured.[1][2]

Mode / protocol Typical use What you get (plain terms) Notes / caveats
FIDO2 / WebAuthn Sign-in (2FA or passwordless), “security key” logins Per-site public-key authentication; phishing-resistant sign-in flows Requires service/platform support; may involve a PIN depending on configuration and the relying party
FIDO U2F (legacy) Older “security key” second-factor flows Similar phishing-resistant challenge–response behavior Legacy protocol; commonly supported through modern WebAuthn/FIDO2 tooling on many platforms
OTP modes One-time codes or OTP-based login integrations A changing code or OTP output compatible with some login systems Less resistant to real-time phishing/relay than security-key (WebAuthn/U2F) flows
PIV (smart card) Certificate-based authentication in managed environments Smart-card interface for using certificates and PKI workflows Setup/issuance and lifecycle management can be more complex than WebAuthn logins
OpenPGP Signing, encryption, and authentication using OpenPGP keys Keeps private key material on the device for cryptographic operations Workflow depends on OpenPGP tooling and policies; feature availability/config varies by model

Configuration and management

YubiKeys can be configured and inspected using Yubico’s tools, including the command-line YubiKey Manager (ykman). [3]

Common management tasks include viewing device information, enabling/disabling interfaces or applications (depending on device), and setting PINs or management keys for relevant modes.[3]

Operational guidance (practical)

Analysis

YubiKeys are most valuable when used with phishing-resistant authentication flows: security-key authentication can bind login to a specific site (relying party) and require the user’s physical key, which can reduce common account-takeover paths such as credential phishing.[4][5]

However, these benefits come with operational tradeoffs: users and organizations must plan for loss, replacement, enrollment, and recovery. Practical security depends on how accounts are configured (including fallback and recovery mechanisms), not only on the key itself.[4]

  1. ^a ^b ^c YubiKey 5 Series. Yubico. Yubico. https://www.yubico.com/products/yubikey-5-overview/.
  2. ^ Yubico Documentation. Yubico Docs. Yubico. https://docs.yubico.com/.
  3. ^a ^b YubiKey Manager (ykman). Yubico Docs. Yubico. https://docs.yubico.com/software/yubikey/tools/ykman/.
  4. ^a ^b ^c National Institute of Standards and Technology. SP 800-63B: Digital Identity Guidelines: Authentication and Lifecycle Management. NIST SP 800-63-3. National Institute of Standards and Technology. https://pages.nist.gov/800-63-3/sp800-63b.html.
  5. ^a ^b Web Authentication: An API for accessing Public Key Credentials Level 2. W3C Recommendation. World Wide Web Consortium (W3C). https://www.w3.org/TR/webauthn-2/.