FROM AGPEDIA — AGENCY THROUGH KNOWLEDGE

YubiKey

A YubiKey is a hardware authentication device (a “security key”) made by Yubico. It is used to improve account security by enabling strong authentication methods such as FIDO2/WebAuthn and (depending on model and configuration) other modes including one-time passwords (OTP) and smart-card style authentication.^[1]

What it does

YubiKeys are typically used as an additional factor for sign-in, or as a hardware-backed authenticator for passwordless or phishing-resistant authentication flows supported by compatible services and platforms.^[1]

Protocols and modes (overview)

Specific capabilities vary by YubiKey model and by how it is configured, but commonly referenced modes include:^[1]^[2]

FIDO2 / WebAuthn: public-key based authentication used by modern browsers and services via the WebAuthn standard.^[3]^[1]
FIDO U2F: an older FIDO security key protocol still supported by some services and devices.^[1]
OTP modes: one-time-password mechanisms supported by YubiKey configurations and compatible services.^[1]^[2]
Smart card modes (PIV) and OpenPGP: some YubiKey models can present smart-card style credentials for certificate-based authentication or OpenPGP use cases.^[1]^[2]

Configuration and management

YubiKeys can be configured and inspected using Yubico’s tools, including the command-line YubiKey Manager (ykman). ^[4]

Common management tasks include viewing device information, enabling/disabling interfaces or applications (depending on device), and setting PINs or management keys for relevant modes.^[4]

Operational guidance (practical)

Have a recovery plan: Register at least one backup authentication method (e.g., a second key) where the service allows it, and store recovery codes securely. Losing your only key can result in account lockout.
Prefer phishing-resistant methods when available: When a service supports security keys (FIDO2/WebAuthn, and legacy U2F), these methods reduce exposure to credential phishing because the key’s response is cryptographically tied to the site you are signing into, rather than being a code that can be typed into (and replayed by) a fake site.^[5]^[3]
Treat the key as a critical asset: possession is a security boundary in many deployments; physical loss or theft can create operational risk even when the key is protected by a PIN (where applicable).

Analysis

YubiKeys are most valuable when used with phishing-resistant authentication flows: security-key authentication can bind login to a specific site (relying party) and require the user’s physical key, which can reduce common account-takeover paths such as credential phishing.^[5]^[3]

However, these benefits come with operational tradeoffs: users and organizations must plan for loss, replacement, enrollment, and recovery. Practical security depends on how accounts are configured (including fallback and recovery mechanisms), not only on the key itself.^[5]

^a ^b ^c ^d ^e ^f ^g YubiKey 5 Series. Yubico. Yubico. https://www.yubico.com/products/yubikey-5-overview/.
^a ^b ^c Yubico Documentation. Yubico Docs. Yubico. https://docs.yubico.com/.
^a ^b ^c Web Authentication: An API for accessing Public Key Credentials Level 2. W3C Recommendation. World Wide Web Consortium (W3C). https://www.w3.org/TR/webauthn-2/.
^a ^b YubiKey Manager (ykman). Yubico Docs. Yubico. https://docs.yubico.com/software/yubikey/tools/ykman/.
^a ^b ^c National Institute of Standards and Technology. SP 800-63B: Digital Identity Guidelines: Authentication and Lifecycle Management. NIST SP 800-63-3. National Institute of Standards and Technology. https://pages.nist.gov/800-63-3/sp800-63b.html.