YubiKey
A YubiKey is a hardware authentication device (a “security key”) made by Yubico. It improves account security by providing strong authentication methods such as FIDO2/WebAuthn and, depending on model and configuration, other modes including one-time passwords (OTP) and smart-card-style authentication.[1]
What it does
YubiKeys are typically used as an additional factor for sign-in, or as a hardware-backed authenticator for passwordless or phishing-resistant authentication flows supported by compatible services and platforms.[1]
Protocols and modes
Specific capabilities vary by YubiKey model and by how it is configured.[1][2]
| Mode / protocol | Typical use | What you get (plain terms) | Notes / caveats |
|---|---|---|---|
| FIDO2 / WebAuthn | Sign-in (2FA or passwordless), “security key” logins | A per-site public-key credential; the signed response is bound to the relying party and to the origin the browser observed, so it cannot be replayed to another site | Requires service/platform support; a PIN (or other user verification) is required when the relying party requests user verification, as passwordless sign-in typically does |
| FIDO U2F (legacy) | Older “security key” second-factor flows | Similar phishing-resistant challenge–response behavior | Legacy protocol; commonly supported through modern WebAuthn/FIDO2 tooling on many platforms |
| OTP modes (Yubico OTP, OATH-HOTP) | One-time codes for login systems that integrate these OTP formats | The key acts as a USB keyboard and types a one-time code into the focused field | The code is ordinary text once typed, so a real-time phishing page can collect and relay it; less resistant than security-key (WebAuthn/U2F) flows |
| PIV (smart card) | Certificate-based authentication in managed environments | Smart-card interface for using certificates and PKI workflows | Setup/issuance and lifecycle management can be more complex than WebAuthn logins |
| OpenPGP | Signing, encryption, and authentication using OpenPGP keys | Keeps private key material on the device for cryptographic operations | Workflow depends on OpenPGP tooling and policies; feature availability/config varies by model |
Configuration and management
YubiKeys can be configured and inspected using Yubico’s tools, including the command-line YubiKey Manager (ykman).[3]
Common management tasks include viewing device information, enabling/disabling interfaces or applications (depending on device), and setting PINs or management keys for relevant modes.[3]
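The Go program below is an added example, not Yubico's code and not part of ykman: it parses the Applications table that `ykman info` prints, compares each application's USB state with a hypothetical fleet policy, and prints the `ykman config usb` command that would correct each deviation. The embedded `ykman info` text is a constructed sample modeled on ykman 5.x output, not captured from a device; the policy, the application-name mapping and the flag names are assumptions to confirm against your ykman version.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
	"sort"
	"strings"
)

// sampleInfo is a constructed sample laid out like ykman 5.x `ykman info`
// output; it was not captured from a device, and the exact layout varies
// with ykman version, firmware and model.
const sampleInfo = `Device type: YubiKey 5 NFC
Enabled USB interfaces: OTP, FIDO, CCID

Applications	USB          	NFC
Yubico OTP  	Enabled      	Enabled
FIDO U2F    	Enabled      	Enabled
FIDO2       	Enabled      	Enabled
OATH        	Enabled      	Enabled
PIV         	Enabled      	Disabled
OpenPGP     	Disabled     	Disabled
YubiHSM Auth	Enabled      	Enabled
`

// policy is a hypothetical baseline, not a Yubico recommendation: printed
// application name -> required USB state. Keep only what the fleet uses;
// Yubico OTP in particular types a code that can be entered into a phishing page.
var policy = map[string]string{
	"FIDO2": "Enabled", "FIDO U2F": "Enabled", "PIV": "Enabled",
	"Yubico OTP": "Disabled", "OATH": "Disabled", "OpenPGP": "Disabled", "YubiHSM Auth": "Disabled",
}

// ykmanName maps a printed name to the argument `ykman config usb
// --enable/--disable` takes (ykman 5; confirm with `ykman config usb --help`).
var ykmanName = map[string]string{
	"Yubico OTP": "OTP", "FIDO U2F": "U2F", "FIDO2": "FIDO2", "OATH": "OATH",
	"PIV": "PIV", "OpenPGP": "OPENPGP", "YubiHSM Auth": "HSMAUTH",
}

// columnSplit breaks a row on tabs or runs of two or more spaces (ykman pads
// rows with spaces and tabs; a space-aligned copy of the output also parses).
var columnSplit = regexp.MustCompile(`\t+|\s{2,}`)

// ParseApplications returns application -> USB state from `ykman info` text.
func ParseApplications(info string) map[string]string {
	apps, inTable := map[string]string{}, false
	for _, line := range strings.Split(info, "\n") {
		if strings.HasPrefix(line, "Applications") {
			inTable = true // header row: Applications / USB / NFC
			continue
		}
		cols := columnSplit.Split(strings.TrimSpace(line), -1)
		if inTable && len(cols) >= 2 {
			apps[cols[0]] = cols[1]
		}
	}
	return apps
}

// Finding is one application whose USB state differs from policy.
type Finding struct{ App, Want, Got string }

// Audit returns the deviations from policy sorted by application name; an
// application the device does not expose at all is reported as "absent".
func Audit(apps, policy map[string]string) []Finding {
	var out []Finding
	for app, want := range policy {
		got, ok := apps[app]
		if !ok {
			got = "absent"
		}
		if got != want {
			out = append(out, Finding{app, want, got})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].App < out[j].App })
	return out
}

// Remediation is the ykman command that fixes one finding, or "" when the
// application is unknown or absent. Add --force to skip the confirmation
// prompt and --lock-code <code> if the device has a configuration lock set.
func Remediation(f Finding) string {
	name, ok := ykmanName[f.App]
	if !ok || f.Got == "absent" {
		return ""
	}
	if f.Want == "Enabled" {
		return "ykman config usb --enable " + name
	}
	return "ykman config usb --disable " + name
}

func main() {
	// Audit a real key when ykman is on PATH and a key is present; otherwise
	// fall back to the constructed sample so the program still runs.
	info := sampleInfo
	if out, err := exec.Command("ykman", "info").Output(); err == nil {
		info = string(out)
	}
	for _, f := range Audit(ParseApplications(info), policy) {
		fmt.Printf("%-13s want %-8s got %-8s  %s\n", f.App, f.Want, f.Got, Remediation(f))
	}
}
```

With the sample, the audit flags OATH, YubiHSM Auth and Yubico OTP as enabled against policy. Disabling applications does not by itself protect the ones you keep: setting a FIDO2 PIN is a separate step (`ykman fido access change-pin`), and `ykman config set-lock-code` stops the enable/disable state from being changed again without the lock code.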
Operational guidance (practical)
- Have a recovery plan: Register at least one backup authentication method (e.g., a second key) where the service allows it, and store recovery codes securely. Losing your only key can result in account lockout.
- Prefer phishing-resistant methods when available: When a service supports security keys (FIDO2/WebAuthn, and legacy U2F), these methods reduce exposure to credential phishing because the key’s response is cryptographically tied to the site you are signing into, rather than being a code that can be typed into (and replayed by) a fake site.[4][5]
- Treat the key as a critical asset: possession is a security boundary in many deployments; physical loss or theft can create operational risk even when the key is protected by a PIN (where applicable).
Analysis
YubiKeys are most valuable when used with phishing-resistant authentication flows: security-key authentication can bind login to a specific site (relying party) and require the user’s physical key, which can reduce common account-takeover paths such as credential phishing.[4][5]
However, these benefits come with operational tradeoffs: users and organizations must plan for loss, replacement, enrollment, and recovery. Practical security depends on how accounts are configured (including fallback and recovery mechanisms), not only on the key itself.[4]
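The binding that the guidance above and this analysis rely on can be shown in code. The Go program below is an added example, not code from Yubico or from the WebAuthn specification: it models a security key, a minimal browser and a relying party using the WebAuthn Level 2 assertion layout (authenticator data = SHA-256(rpId) || flags || counter; signature over authenticator data || SHA-256(client data JSON)) and runs three logins against the same relying party: one from the genuine origin, one in which the victim signs on a lookalike origin (the hypothetical https://example-com.evil) and the attacker forwards the assertion unchanged, and one in which the attacker also rewrites the client data to claim the real origin. The rpId example.com and the challenge format are placeholders. Unlike a real browser, this model does not refuse an rpId that does not match the page's origin, which isolates what the signature alone guarantees.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData is the part of WebAuthn's CollectedClientData used here; the
// browser fills it in from the requesting page's actual origin, the page cannot.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what navigator.credentials.get() hands back to the relying party.
type assertion struct {
	AuthData, ClientDataJSON, Signature []byte
}

// sign follows the authenticatorGetAssertion layout: AuthData is
// rpIdHash(32) || flags(1) || signCount(4) (counter left at 0 here) and the
// signature covers AuthData || SHA-256(clientDataJSON), so the origin and
// challenge the browser recorded cannot be altered afterwards.
func sign(key *ecdsa.PrivateKey, rpId string, clientDataJSON []byte) *assertion {
	h := sha256.Sum256([]byte(rpId))
	authData := append(h[:], 0x01, 0, 0, 0, 0) // flags byte: UP (user present)
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedDigest(authData, clientDataJSON))
	if err != nil {
		panic(err) // RNG failure; acceptable for a demo
	}
	return &assertion{authData, clientDataJSON, sig}
}

func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// browserGet models a minimal user agent: it records the real origin of the
// requesting page and asks the key to sign. A real browser also refuses an rpId
// that is not the origin's domain or a parent of it; that check is left out
// here to show that the signed origin alone defeats a relay.
func browserGet(key *ecdsa.PrivateKey, origin, rpId, challenge string) *assertion {
	cd, _ := json.Marshal(clientData{"webauthn.get", challenge, origin})
	return sign(key, rpId, cd)
}

// relyingParty is the server: it issued the challenge and knows its own rpId,
// origin and the public key stored at registration.
type relyingParty struct {
	rpId, origin string
	pub          *ecdsa.PublicKey
}

func (rp relyingParty) verify(as *assertion, challenge string) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge || cd.Origin != rp.origin {
		return fmt.Errorf("client data rejected: %+v", cd)
	}
	want := sha256.Sum256([]byte(rp.rpId))
	if len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash does not match this relying party")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// Scenarios registers one credential for example.com (placeholder rpId and
// origin), issues a fresh challenge and returns the relying party's verdict on:
// genuine (login from the real origin), relayed (victim signed on a hypothetical
// lookalike origin, assertion forwarded unchanged) and forged (client data
// rewritten by the attacker to claim the real origin).
func Scenarios() (genuine, relayed, forged error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	rp := relyingParty{"example.com", "https://example.com", &key.PublicKey}
	var nonce [16]byte
	rand.Read(nonce[:])
	ch := fmt.Sprintf("%x", nonce)
	genuine = rp.verify(browserGet(key, rp.origin, rp.rpId, ch), ch)
	as := browserGet(key, "https://example-com.evil", rp.rpId, ch)
	relayed = rp.verify(as, ch)
	// The signature still covers the original client data, so the rewrite
	// only moves the failure from the origin check to the signature check.
	as.ClientDataJSON, _ = json.Marshal(clientData{"webauthn.get", ch, rp.origin})
	forged = rp.verify(as, ch)
	return genuine, relayed, forged
}

func main() {
	fmt.Println(Scenarios())
}
```

The relayed assertion fails because the browser, not the phishing page, wrote the origin into the client data; the forged one fails because that client data is covered by the signature. A one-time code typed into the lookalike page carries neither property, which is the contrast the protocol table and the guidance above draw.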
References
- ^a ^b ^c YubiKey 5 Series. Yubico. https://www.yubico.com/products/yubikey-5-overview/.
- ^ Yubico Documentation. Yubico. https://docs.yubico.com/.
- ^a ^b YubiKey Manager (ykman). Yubico Docs. https://docs.yubico.com/software/yubikey/tools/ykman/.
- ^a ^b ^c SP 800-63B: Digital Identity Guidelines: Authentication and Lifecycle Management. National Institute of Standards and Technology. https://pages.nist.gov/800-63-3/sp800-63b.html.
- ^a ^b Web Authentication: An API for accessing Public Key Credentials Level 2. W3C Recommendation. World Wide Web Consortium (W3C). https://www.w3.org/TR/webauthn-2/.