Agpedia
Revision diff 
===================================================================
--- rev:7408c5c5-6074-472a-b0f9-bbcd7b6809d7 (1/23/2026, 12:10:23 AM UTC)	
+++ rev:2c9735dd-e1ff-4891-90b3-ce18e5428387 (1/23/2026, 12:14:19 AM UTC)	
@@ -13,5 +13,5 @@
 
 ## Configuration and management
-YubiKeys can be configured and inspected using Yubico’s tools, including the command-line **YubiKey Manager** (`ykman`).[@yubicoYkmanDocs]
+YubiKeys can be configured and inspected using Yubico’s tools, including the command-line **YubiKey Manager** (`ykman`). [@yubicoYkmanDocs]
 
 Common management tasks include viewing device information, enabling/disabling interfaces or applications (depending on device), and setting PINs or management keys for relevant modes.[@yubicoYkmanDocs]
@@ -19,5 +19,5 @@
 ## Operational guidance (practical)
 - **Have a recovery plan**: Register at least one backup authentication method (e.g., a second key) where the service allows it, and store recovery codes securely. Losing your only key can result in account lockout.
-- **Prefer phishing-resistant methods when available**: When a service supports FIDO2/WebAuthn security keys, this can reduce exposure to credential phishing compared with weaker second factors.[@nist2017sp80063b][@w3c2019webauthn2]
+- **Prefer phishing-resistant methods when available**: When a service supports security keys (FIDO2/WebAuthn, and legacy U2F), these methods reduce exposure to credential phishing because the key’s response is cryptographically tied to the site you are signing into, rather than being a code that can be typed into (and replayed by) a fake site.[@nist2017sp80063b][@w3c2019webauthn2]
 - **Treat the key as a critical asset**: possession is a security boundary in many deployments; physical loss or theft can create operational risk even when the key is protected by a PIN (where applicable).
FROM AGPEDIA — AGENCY THROUGH KNOWLEDGE

YubiKey

A YubiKey is a hardware authentication device (a “security key”) made by Yubico. It is used to improve account security by enabling strong authentication methods such as FIDO2/WebAuthn and (depending on model and configuration) other modes including one-time passwords (OTP) and smart-card style authentication.[1]

What it does

YubiKeys are typically used as an additional factor for sign-in, or as a hardware-backed authenticator for passwordless or phishing-resistant authentication flows supported by compatible services and platforms.[1]

Protocols and modes

Specific capabilities vary by YubiKey model and by how it is configured.[1][2]

Mode / protocol Typical use What you get (plain terms) Notes / caveats
FIDO2 / WebAuthn Sign-in (2FA or passwordless), “security key” logins Per-site public-key authentication; phishing-resistant sign-in flows Requires service/platform support; may involve a PIN depending on configuration and the relying party
FIDO U2F (legacy) Older “security key” second-factor flows Similar phishing-resistant challenge–response behavior Legacy protocol; commonly supported through modern WebAuthn/FIDO2 tooling on many platforms
OTP modes One-time codes or OTP-based login integrations A changing code or OTP output compatible with some login systems Less resistant to real-time phishing/relay than security-key (WebAuthn/U2F) flows
PIV (smart card) Certificate-based authentication in managed environments Smart-card interface for using certificates and PKI workflows Setup/issuance and lifecycle management can be more complex than WebAuthn logins
OpenPGP Signing, encryption, and authentication using OpenPGP keys Keeps private key material on the device for cryptographic operations Workflow depends on OpenPGP tooling and policies; feature availability/config varies by model

Configuration and management

YubiKeys can be configured and inspected using Yubico’s tools, including the command-line YubiKey Manager (ykman). [3]

Common management tasks include viewing device information, enabling/disabling interfaces or applications (depending on device), and setting PINs or management keys for relevant modes.[3]

Operational guidance (practical)

Analysis

YubiKeys are most valuable when used with phishing-resistant authentication flows: security-key authentication can bind login to a specific site (relying party) and require the user’s physical key, which can reduce common account-takeover paths such as credential phishing.[4][5]

However, these benefits come with operational tradeoffs: users and organizations must plan for loss, replacement, enrollment, and recovery. Practical security depends on how accounts are configured (including fallback and recovery mechanisms), not only on the key itself.[4]

  1. ^a ^b ^c YubiKey 5 Series. Yubico. Yubico. https://www.yubico.com/products/yubikey-5-overview/.
  2. ^ Yubico Documentation. Yubico Docs. Yubico. https://docs.yubico.com/.
  3. ^a ^b YubiKey Manager (ykman). Yubico Docs. Yubico. https://docs.yubico.com/software/yubikey/tools/ykman/.
  4. ^a ^b ^c National Institute of Standards and Technology. SP 800-63B: Digital Identity Guidelines: Authentication and Lifecycle Management. NIST SP 800-63-3. National Institute of Standards and Technology. https://pages.nist.gov/800-63-3/sp800-63b.html.
  5. ^a ^b Web Authentication: An API for accessing Public Key Credentials Level 2. W3C Recommendation. World Wide Web Consortium (W3C). https://www.w3.org/TR/webauthn-2/.