We welcome any question, comment or contribution to Yubico technology on forum.yubico.com, where you will find more detailed technical discussions.
Q: I have seen USB keys based on smart card components. What is different about the YubiKey?
A: The keys you have seen require client software. Client-software installation is a well-known hassle for the end user and a nightmare to administer in a larger setting. Yubico's technology requires no client software: you can use the YubiKey wherever you can plug in a standard USB keyboard.
Q: Is the YubiKey a memory stick?
A: No. It is a read-only crypto key that generates one-time passwords; it currently holds only 4 k of memory.
Q: My machine is on the floor and I can't reach down to press the button on the YubiKey.
A: Use a USB extension cable to bring the port within reach.
Q: What about mobile phones?
A: All Windows and new Nokia phones, as well as all phones produced in China in 2008, will have a USB port.
Q: I already use a USB flash drive in another USB port. What happens if I use the YubiKey?
A: Nothing. Other USB devices, such as keyboards, mice and flash drives, don't affect the YubiKey.
Q: When I use the YubiKey on my Mac, the Keyboard Setup Assistant always pops up. How do I get rid of it?
A: You can do that with this guide.
Q: Why don't you use RFID or Bluetooth?
A: Among the available standards, USB is the only one that works on all hardware and operating systems. This may change as the other standards become more widely accepted, implemented and usable across platforms, and Yubico will update the YubiKey accordingly.
Q: Why does the YubiKey use symmetric encryption? Why not public-key cryptography, or even a PKI?
A: Simplicity. Public keys and the associated infrastructure add complexity to key lifecycle management. Also, because in most applications the service provider is a trusted partner, there is no need for third-party verification.
Q: What can I do to enable the YubiKey as an authentication mechanism?
A: There are two ways. You can use the YubiKey SDK to provision keys and verify OTPs locally, or you can use the Yubico web service API to verify OTPs over the internet.
Q: There are several types of OTP tokens out there. Which type is the YubiKey?
A: Many OTP solutions today depend on time-synchronized tokens and verification services. Since each OTP is valid only for a limited time, this gives higher protection against phishing. Unfortunately the synchronization process is difficult to administer, and out-of-sync tokens add frustration for users.
Other OTP solutions depend on an incrementing internal sequence counter as the basis for OTP generation. In this case an OTP does not expire, so the risk is higher, but the system is generally easier to administer than time-based tokens.
The YubiKey combines the best of these two approaches. There is no need for YubiKey tokens to be synchronized to a common server time. Each token has an internal sequence counter that is partly driven by its internal clock. The YubiKey's design ensures that this counter is part of the generated OTP, so in effect the system lets the service check synchronization at OTP validation time.
Q: Even client-less tokens can be a nightmare to administer! How does Yubico make it easier?
A: YubiKeys have a single verification point that can be reached through simple HTTP REST-based APIs, both for general OTP validation and for administration. For larger installations where multiple verification points exist, each verification point propagates changes to the others, which keeps administration simple.
Q: What IP rights does Yubico hold on this technology?
A: Yubico has filed several European and US patent applications, currently pending, on the underlying hardware inventions.
Q: How long does the YubiKey last?
A: We don't artificially limit the life span of any YubiKey. The internals of the YubiKey's security algorithms currently limit each key to 30+ years of use. The YubiKey is powered by the USB port, so it needs no battery, and there is no display on it that can break. The key itself will survive years of daily use.
Q: How does the YubiKey button work?
A: Touch it gently, covering the light ring, for about one second. When the light ring goes off, release your finger; the generated one-time password appears on your PC screen. Do not press hard on the YubiKey button.
Q: Does the YubiKey work with an old OS?
A: If you have an older OS that does not support Plug and Play, the first time you plug in a YubiKey you may be taken through the driver installation process. In that case, follow the steps recommended in the pop-up box to install the HID (Human Interface Device) driver, which is already included in Windows (or the other OS) and its updates. If you use a virtual machine such as VMware, or a remote desktop, make sure the virtual machine has access to the USB port.
Q: Can the YubiKey be used with my own servers?
A: You can build your own in-house server using our basic SDK; click here for more info. We don't have an open-source server ready for customer installation right now.
Q: Does the YubiKey work with RADIUS?
A: We already support RADIUS through our PAM module together with FreeRADIUS; see the installation instructions here.
Q: Does auto-navigation work on all platforms?
A: Auto-navigation currently only works on Windows.
Q: Is the YubiKey OATH-compliant?
A: Not yet, but it could be, though that would require some development work. Alternatively, a proxy solution could be used.
Q: How does the YubiKey compare to software tokens?
A: The YubiKey, as a read-only crypto key, is tamper-proof. Software and passive data stored on a PC are always vulnerable to tampering and viruses. And the idea that software is free is a myth: patching and release management, platform dependency and problem diagnosis all carry heavy technical-support costs. By comparison, the YubiKey is worry-free: no matter how OS or browser vendors upgrade or patch their software, or how customers change their PCs, the YubiKey keeps working with them securely and reliably.
Q: How physically robust is the YubiKey?
A: The YubiKey's gold-plated USB contact surface and connector are ten times more robust than a smart card's metal contacts, allowing the YubiKey to be used for a practically unlimited time. It is water-proof and won't break even when run over by a truck.
Q: Do you have any documentation on using the YubiKey to authenticate Windows logins?
A: We are currently exploring different ways to make this work, but we don't have any support for Windows login right now.
Q: What happens if a user randomly presses the YubiKey button when the cursor is not in the password field? How can you keep the client and the authentication service in sync without an accurate time stamp?
A: If a user presses the YubiKey button, an OTP is always generated. The YubiKey has a counter that is incremented monotonically on every power-up, so the server can notice that an OTP was skipped. However, since our algorithm is not time-based, there is no need for any expensive server-side synchronization process when this happens.
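The counter check described in this answer, together with the local OTP verification that the SDK answer above refers to, as an added example in Go. This is not Yubico's SDK or server code. It follows the publicly documented Yubico OTP layout, which this page does not spell out: a 16-byte block (6-byte private ID, 16-bit power-up counter, 24-bit timestamp, 8-bit session press counter, 16 random bits, 16-bit CRC) encrypted with the key's AES-128 secret and modhex-encoded after a 12-character public ID. The key, IDs and counter values are constructed test data; masking bit 15 of the power-up counter off as a flag is an assumption about the format rather than something this page states.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"strings"
)

// Modhex is hex with a substituted alphabet: these 16 characters sit on the same
// physical keys in common keyboard layouts, so the key can "type" an OTP anywhere.
const hexDigits, modhexDigits = "0123456789abcdef", "cbdefghijklnrtuv"

func modhexEncode(b []byte) string {
	return strings.Map(func(r rune) rune {
		return rune(modhexDigits[strings.IndexRune(hexDigits, r)])
	}, hex.EncodeToString(b))
}

func modhexDecode(s string) ([]byte, error) {
	return hex.DecodeString(strings.Map(func(r rune) rune {
		if i := strings.IndexRune(modhexDigits, r); i >= 0 {
			return rune(hexDigits[i])
		}
		return 'z' // not a hex digit, so DecodeString rejects the input
	}, s))
}

// crc16 is the reflected ISO 13239 CRC (init 0xffff, poly 0x8408), the PPP FCS-16.
// Over a block whose trailing complemented CRC is intact it yields crcResidue.
const crcResidue = 0xf0b8

func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, c := range b {
		crc ^= uint16(c)
		for i := 0; i < 8; i++ {
			if crc&1 != 0 {
				crc = (crc >> 1) ^ 0x8408
			} else {
				crc >>= 1
			}
		}
	}
	return crc
}

// Token is what key and verifier share (only PublicID travels in the clear) plus server-side counter state.
type Token struct {
	PublicID          string   // 12 modhex characters, the start of every OTP (constructed test value)
	PrivateID         [6]byte  // secret identity, checked after decryption
	AESKey            [16]byte // AES-128 key; fixed length, so aes.NewCipher cannot fail
	lastUse, lastSess uint16   // highest accepted (power-up, session) counter pair
	seen              bool
}

// Generate builds one OTP as the key does: private ID, power-up counter, 24-bit
// timestamp, session press counter, random bytes and CRC fill one 16-byte block,
// AES-128 encrypted (a single block, so no mode or IV) and modhex-encoded.
func (t *Token) Generate(useCtr uint16, ts uint32, sessionCtr byte, rnd uint16) string {
	var blk, enc [16]byte
	copy(blk[0:6], t.PrivateID[:])
	binary.LittleEndian.PutUint16(blk[6:8], useCtr)
	blk[8], blk[9], blk[10] = byte(ts), byte(ts>>8), byte(ts>>16)
	blk[11] = sessionCtr
	binary.LittleEndian.PutUint16(blk[12:14], rnd)
	binary.LittleEndian.PutUint16(blk[14:16], ^crc16(blk[:14])) // complemented, as in PPP
	c, _ := aes.NewCipher(t.AESKey[:])
	c.Encrypt(enc[:], blk[:])
	return t.PublicID + modhexEncode(enc[:])
}

type Verifier map[string]*Token // server side: provisioned tokens by public ID

// Verify decrypts, checks integrity and identity, then requires the counters to move forward:
// a gap (a press that never reached the server) is accepted with no resync; at or behind the last accepted pair is a replay.
func (v Verifier) Verify(otp string) error {
	n := len(otp) - 32
	if n < 0 || v[otp[:n]] == nil {
		return errors.New("malformed otp or unknown public id")
	}
	tok := v[otp[:n]]
	blk, err := modhexDecode(otp[n:])
	if err != nil {
		return err
	}
	c, _ := aes.NewCipher(tok.AESKey[:])
	c.Decrypt(blk, blk) // in place; exactly one block
	if crc16(blk) != crcResidue || !bytes.Equal(blk[0:6], tok.PrivateID[:]) {
		return errors.New("integrity check failed: wrong key, corrupted or forged otp")
	}
	use, sess := binary.LittleEndian.Uint16(blk[6:8])&0x7fff, uint16(blk[11]) // bit 15 assumed to be a flag
	if tok.seen && (use < tok.lastUse || use == tok.lastUse && sess <= tok.lastSess) {
		return errors.New("replay: counters not beyond the last accepted otp")
	}
	tok.lastUse, tok.lastSess, tok.seen = use, sess, true
	return nil
}
```

Verify accepts a forward jump in the counters (a press that landed in the wrong window) without any resynchronisation step, rejects anything at or behind the last accepted pair as a replay, and rejects an OTP decrypted under the wrong key because the CRC residue and private ID then fail. A real verifier must persist the last-accepted counters and serialise access per key; one that forgets them is open to replay of every OTP it has ever accepted.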
Q: What's the cost of the YubiKeys?
A: Please find our price list here.
Q: Does Yubico provide utilities and/or documentation that allow an administrative end user to exercise the full range of YubiKey configuration and programming?
A: To allow people to program YubiKeys themselves, we need to ensure that identities do not clash. We are working on an interoperability document that will sort this out. In the short run, Yubico will supply YubiKeys pre-programmed. In the longer run, anyone could request a unique key/name space from Yubico to ensure that IDs never clash.
Q: For more questions and up-to-date discussions...
A: Please use the Yubico forum.