FROM AGPEDIA — AGENCY THROUGH KNOWLEDGE

YubiKey

A YubiKey is a hardware authentication device (a “security key”) made by Yubico. It is used to improve account security by enabling strong authentication methods such as FIDO2/WebAuthn and (depending on model and configuration) other modes including one-time passwords (OTP) and smart-card style authentication.[1][2]

What it does

YubiKeys are typically used as an additional factor for sign-in, or as a hardware-backed credential for passwordless or phishing-resistant authentication flows supported by compatible services and platforms.[1][3]

Protocols and modes (overview)

Specific capabilities vary by YubiKey model and by how it is configured, but commonly referenced modes are FIDO2/WebAuthn (including the earlier FIDO U2F), one-time passwords (OTP), and smart-card style authentication.[1][4]

Configuration and management

YubiKeys can be configured and inspected using Yubico’s tools, including the command-line YubiKey Manager (ykman).[5]

Common management tasks include viewing device information, enabling/disabling interfaces or applications (depending on device), and setting PINs or management keys for relevant modes.[5]
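The management tasks above are usually carried out interactively, but an administrator also wants to check that a fleet of keys actually has the intended set of applications enabled. The following is an added example (not Yubico's code and not part of the original article): it parses the text printed by `ykman info` and reports applications that are enabled over USB or NFC but are not on an organisational allow-list. The sample output, the allow-list and the mapping from display names to the application names accepted by `ykman config usb`/`ykman config nfc` are assumptions modelled on ykman 5.x; check them against the ykman version in use.

```python
"""Audit a YubiKey's enabled applications against a simple policy (added example).

Parses the text `ykman info` prints and lists applications that are enabled
but not on the allow-list, with the matching `ykman config ... --disable`
command an admin could run. The sample output below is constructed.
"""
import re
import shutil
import subprocess
from dataclasses import dataclass, field

# Constructed sample resembling `ykman info` output (not from a real device).
SAMPLE_INFO = """\
Device type: YubiKey 5 NFC
Serial number: 00000000
Firmware version: 5.4.3
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled.

Applications    USB             NFC
Yubico OTP      Enabled         Enabled
FIDO U2F        Enabled         Enabled
FIDO2           Enabled         Enabled
OATH            Enabled         Enabled
PIV             Enabled         Disabled
OpenPGP         Enabled         Enabled
YubiHSM Auth    Not available   Not available
"""

# Hypothetical policy: only the applications this organisation actually uses.
ALLOWED_APPS = {"FIDO2", "FIDO U2F", "PIV"}

# Display name in `ykman info` -> name accepted by `ykman config usb|nfc --disable`
# (assumed from the ykman CLI; verify against your ykman version).
CONFIG_NAMES = {
    "Yubico OTP": "OTP", "FIDO U2F": "U2F", "FIDO2": "FIDO2", "OATH": "OATH",
    "PIV": "PIV", "OpenPGP": "OPENPGP", "YubiHSM Auth": "HSMAUTH",
}

STATE = r"(Enabled|Disabled|Not available)"
ROW_RE = re.compile(r"^(.+?)(?:\t+|\s{2,})" + STATE + r"(?:\t+|\s{2,})" + STATE + r"\s*$")


@dataclass
class DeviceInfo:
    fields: dict = field(default_factory=dict)  # e.g. "Firmware version" -> "5.4.3"
    apps: dict = field(default_factory=dict)    # e.g. "FIDO2" -> {"USB": "Enabled", "NFC": "Enabled"}


def parse_ykman_info(text: str) -> DeviceInfo:
    """Split `ykman info` output into key/value fields and the application table."""
    info = DeviceInfo()
    in_table = False
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Applications"):
            in_table = True          # header row of the per-application table
            continue
        if in_table:
            m = ROW_RE.match(line)
            if m:
                info.apps[m.group(1).strip()] = {"USB": m.group(2), "NFC": m.group(3)}
        elif ":" in line:
            key, _, value = line.partition(":")
            info.fields[key.strip()] = value.strip()
    return info


def audit(info: DeviceInfo, allowed=ALLOWED_APPS):
    """Return [(app, transport), ...] for applications enabled outside the allow-list."""
    findings = []
    for app, state in info.apps.items():
        if app in allowed:
            continue
        for transport, value in state.items():
            if value == "Enabled":
                findings.append((app, transport))
    return findings


def suggested_commands(findings):
    """One `ykman config` command per finding (assumed syntax, see CONFIG_NAMES)."""
    return [f"ykman config {t.lower()} --disable {CONFIG_NAMES[app]}" for app, t in findings]


def read_device_info() -> str:
    """Use the real `ykman info` when ykman is installed, else the constructed sample."""
    if shutil.which("ykman"):
        return subprocess.run(["ykman", "info"], capture_output=True, text=True, check=True).stdout
    return SAMPLE_INFO


if __name__ == "__main__":
    info = parse_ykman_info(read_device_info())
    print("Firmware:", info.fields.get("Firmware version"))
    for cmd in suggested_commands(audit(info)):
        print("would run:", cmd)
```

Run against the constructed sample it flags Yubico OTP, OATH and OpenPGP on both transports; with ykman installed and a key inserted it audits the real device instead. The commands are printed rather than executed so the operator reviews them first.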

Operational guidance (practical)

Analysis

YubiKeys are most valuable when they change the failure mode of authentication: instead of relying on reusable secrets (passwords) or interceptable codes (some OTP and telephony-based factors), security-key authentication can bind login to a specific site and require the user’s physical key, which can materially reduce certain common account-takeover paths such as phishing.[3][2]

However, the benefits are partly traded for operational fragility: users and organizations must plan for loss, replacement, enrollment, and recovery. In practice, the security improvement is highest when a YubiKey is used for FIDO2/WebAuthn and when account recovery is designed so that losing a key does not force users into weaker, easily abused fallback mechanisms.[3][4]
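The "binds login to a specific site" property in the analysis above is not something the key does on its own; it only holds if the relying party checks the origin and RP ID that the browser and authenticator put into the assertion. The following is an added example (not from the page, Yubico or the W3C specification text) of those relying-party checks written with the Python standard library: it validates the clientDataJSON ceremony type, challenge and origin, the rpIdHash and user-presence flag in authenticatorData, and the signature counter. Signature verification over `authenticatorData || SHA-256(clientDataJSON)` with the stored public key must follow (for example with the `cryptography` package); the example returns exactly those bytes but does not perform the ECDSA step. The origins, RP IDs and challenge values are constructed for illustration.

```python
"""Relying-party side of a WebAuthn assertion: the checks that make a
security-key login origin-bound (added example, standard library only).
"""
import base64
import hashlib
import json
import struct

FLAG_USER_PRESENT = 0x01  # WebAuthn authenticatorData flags, bit 0 (UP)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_assertion(expected_origin: str, rp_id: str, expected_challenge: bytes,
                     stored_counter: int, client_data_json: bytes,
                     authenticator_data: bytes):
    """Validate an assertion's binding fields.

    Returns (message_to_verify, new_counter); the caller must then verify the
    signature over message_to_verify with the credential's stored public key.
    Raises ValueError with the reason on any failed check.
    """
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch (replay or wrong session)")
    # The browser, not the user, fills in the origin, so a look-alike site
    # cannot claim to be the real one; this is the phishing-resistance check.
    if cd.get("origin") != expected_origin:
        raise ValueError(f"origin mismatch: {cd.get('origin')!r}")
    if len(authenticator_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = authenticator_data[:32]
    flags = authenticator_data[32]
    counter = struct.unpack(">I", authenticator_data[33:37])[0]
    # The authenticator scopes the credential to the RP ID it was created for.
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash mismatch: credential scoped to another RP ID")
    if not flags & FLAG_USER_PRESENT:
        raise ValueError("user presence (UP) flag not set")
    # Counter must strictly increase when either side supports counters.
    if (counter or stored_counter) and counter <= stored_counter:
        raise ValueError("signature counter did not increase (cloned authenticator?)")
    message = authenticator_data + hashlib.sha256(client_data_json).digest()
    return message, counter


def assertion_outcome(*args) -> str:
    """Convenience wrapper: 'ok' on success, otherwise the failure reason."""
    try:
        verify_assertion(*args)
        return "ok"
    except ValueError as e:
        return str(e)


# --- constructed test vectors (what a browser/authenticator would produce) ---

def make_client_data(origin: str, challenge: bytes) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, counter: int, flags: int = FLAG_USER_PRESENT) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


if __name__ == "__main__":
    challenge = b"\x01" * 32          # constructed; use os.urandom(32) in practice
    # Genuine login: browser at https://example.com, credential scoped to example.com.
    print(assertion_outcome("https://example.com", "example.com", challenge, 4,
                            make_client_data("https://example.com", challenge),
                            make_authenticator_data("example.com", 5)))
    # Same challenge relayed from a look-alike site: the origin the browser
    # recorded does not match, so the relying party rejects it.
    print(assertion_outcome("https://example.com", "example.com", challenge, 4,
                            make_client_data("https://examp1e.com", challenge),
                            make_authenticator_data("examp1e.com", 5)))
```

The second call shows why the relayed assertion fails even though the challenge is correct: the origin and rpIdHash are set by the browser and authenticator from the site actually visited, and the relying party compares them against its own expected values. A server that skipped either check would lose most of the phishing resistance described above.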

References

  1. YubiKey 5 Series. Yubico. https://www.yubico.com/products/yubikey-5-overview/.
  2. Web Authentication: An API for accessing Public Key Credentials Level 2. W3C Recommendation. World Wide Web Consortium (W3C). https://www.w3.org/TR/webauthn-2/.
  3. National Institute of Standards and Technology. SP 800-63B: Digital Identity Guidelines: Authentication and Lifecycle Management (NIST SP 800-63-3). https://pages.nist.gov/800-63-3/sp800-63b.html.
  4. Yubico Documentation. Yubico Docs. https://docs.yubico.com/.
  5. YubiKey Manager (ykman). Yubico Docs. https://docs.yubico.com/software/yubikey/tools/ykman/.