Yubico

Frequently Asked Questions

We have collected the most frequently asked questions from our customers. Click on the questions below to find the answer.
 

The Basics

What is a YubiKey?
What is two-factor authentication (2FA)?
What is a One-Time Password (OTP)?
 

The YubiKey

Why does the YubiKey act as a keyboard?
What can I do with my YubiKey?
Can I use my YubiKey to log in to Windows?
Can I use the YubiKey with my Mac?
Can I use my YubiKey with my PC?
My YubiKey is not working. What should I do?
What happens if I don’t have my YubiKey with me?


Password Managers

How do I get a YubiKey to work with LastPass?
How can I add a YubiKey to my LastPass account?


Get a YubiKey

How can I buy a YubiKey?
How much is the shipping cost when ordering YubiKeys online?
 

Security

What happens if I lose my YubiKey?
Can a YubiKey be copied?
What kind of encryption is used for your server security?
Where are Yubico’s servers located?


Development

How do I get an API-Key for YubiKey development?

YubiRADIUS

Is YubiRADIUS free?
What is the difference between the two YubiRADIUS Virtual Appliance image formats, OVF and VMware?
Can we install the YubiRADIUS Validation Server on the Windows platform?
How much time does it take to complete the installation of the YubiRADIUS Validation server on a server for authentication?
When choosing to use “Local Validation Server” with YubiRADIUS, what is the use of YubiKey records like AES Key and Private ID?
 

YubiHSM

What is YubiHSM?
Is the YubiHSM for symmetric encryption only?
Is the YubiHSM security certified (FIPS 140 or similar)?
Is the YubiHSM protected against physical intrusion?
Are keys deleted on intrusion events?
Is the internal CPU a designated security CPU or just an ordinary COTS one?
Isn't the above required to really protect the keys?
Why is USB CDC used rather than a custom driver?
The USB interface is only full-speed. Why not high-speed?
The internal YubiKey key storage is just 1024 entries. I want more!
Can the device firmware be upgraded via USB, a.k.a. DFU?
 

Others

How can I become a partner and/or reseller of YubiKeys?
Is there any kind of simulator or software available for the hardware/USB kit?

Still got questions? Please contact us.
 



The Basics

What is a YubiKey?

A YubiKey is a One-Time Password (OTP) generator device. It generates a unique sequence of characters as an OTP every time the button is touched. As the term suggests, a one-time password is valid for a single use only and cannot be used again for authentication. The YubiKey is typically used to implement strong two-factor authentication solutions that provide much stronger security than a username and password alone. The YubiKey has multiple configurations and can be used to generate one-time passwords as well as static passwords. Read more about the YubiKey here.

The YubiKey acts as a simple one-button USB keyboard which can be used from any computer platform or browser, without the need of installing any client software or special drivers.

The YubiKey has two configuration slots. When a YubiKey is configured to use both slots, the user selects which OTP configuration emits the one-time password (OTP) by the length of the button press:

  1. Short press (0.3 – 1.5 seconds) and release – OTP from configuration slot #1 is yielded
  2. Long press (2.5 – 5 seconds) and release – OTP from configuration slot #2 is yielded


Please read more under section 4 in the YubiKey manual.
 



What is two-factor authentication (2FA)?

Two-factor authentication is a strong authentication method in which the user provides two types of identification. It combines something you know (a PIN or a password) with something you have: a physical device such as the YubiKey USB key, which generates encrypted One-Time Passwords.
 



What is a One-Time Password (OTP)?

A One-Time Password (OTP) is a password that is valid for a single use only and cannot be used again for authentication. An OTP is a unique sequence of characters generated every time the YubiKey button is touched. The Yubico OTP part comprises 128 bits of AES-128 encrypted information encoded into 32 Modhex characters.

It consists of:

  1. Private identity
  2. Counter fields
  3. Timer field
  4. Random number
  5. A closing CRC16 checksum of all fields
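
The fields listed above, handled in code. This is an added example, not Yubico's own code: it decodes Modhex, checks the closing CRC16 of a decrypted 16-byte block, splits out the fields, and uses the counter fields to refuse a replayed OTP. It assumes the AES-128 decryption has already been done by whatever holds the key; the function names and the sample values are constructed for illustration.

```python
import struct

MODHEX = "cbdefghijklnrtuv"   # position i in this alphabet stands for hex digit i
CRC_OK_RESIDUE = 0xF0B8       # CRC over all 16 bytes of an undamaged block

def modhex_decode(text: str) -> bytes:
    """Decode Modhex (two characters per byte) into raw bytes."""
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError("not a valid Modhex string")
    nibbles = [MODHEX.index(ch) for ch in text]
    return bytes(hi << 4 | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))

def crc16(data: bytes) -> int:
    """CRC-16 with reflected polynomial 0x8408 and initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def parse_block(plain: bytes) -> dict:
    """Split a decrypted 16-byte OTP block into its fields; reject a bad CRC."""
    if len(plain) != 16:
        raise ValueError("decrypted OTP block must be 16 bytes")
    if crc16(plain) != CRC_OK_RESIDUE:
        raise ValueError("CRC mismatch: wrong AES key or corrupted OTP")
    # Layout after the 6-byte private identity, all little-endian:
    # counter(2) timer-low(2) timer-high(1) session-use(1) random(2) crc(2)
    counter, t_low, t_high, use, rnd, _crc = struct.unpack("<HHBBHH", plain[6:])
    return {"private_id": plain[:6].hex(), "counter": counter, "session_use": use,
            "timer": t_high << 16 | t_low, "random": rnd}

def is_replay(last_ok: dict, new: dict) -> bool:
    """An OTP is fresh only if (counter, session_use) moved strictly forward."""
    return ((new["counter"], new["session_use"])
            <= (last_ok["counter"], last_ok["session_use"]))

def build_block(private_id: bytes, counter: int, timer: int, use: int, rnd: int) -> bytes:
    """Constructed test data: pack the fields and append the inverted CRC."""
    body = private_id + struct.pack("<HHBBH", counter, timer & 0xFFFF, timer >> 16, use, rnd)
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)

if __name__ == "__main__":
    cipher = modhex_decode("cbdefghijklnrtuv" * 2)   # constructed 32 characters
    print(len(cipher), "ciphertext bytes, to be AES-128 decrypted before parsing")
    first = parse_block(build_block(bytes.fromhex("010203040506"), 19, 49712, 17, 40904))
    print(first, "| same OTP again is a replay:", is_replay(first, first))
```

A block decrypted with the wrong AES key fails the CRC check, which is how a validation server tells a foreign or corrupted OTP from one of its own keys.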


The YubiKey

Why does the YubiKey act as a keyboard?

To make it easy for users, the YubiKey acts as a USB keyboard to the OS. This design has several advantages including:

  1. Virtually all mainstream operating systems these days have built-in USB keyboard support
  2. As a result there is no special driver that needs to be installed to use the YubiKey
  3. In most organizations where USB ports are blocked for security reasons they still allow use of USB keyboards
  4. The user does not have to read the OTP generated by the device and re-enter it on the application's authentication screen. The YubiKey user simply needs to place the cursor in the input field that accepts the OTP and touch the YubiKey button briefly. Besides reducing the authentication time, this also helps avoid human errors in typing the OTP.


What can I do with my YubiKey?

The YubiKey can be used in a large variety of ways. The most common YubiKey corporate use cases and applications are listed here. If you intend to have it for personal use, please read more here.

For even more information, please read more about the YubiKey or view the YubiKey Manual.
 



Can I use my YubiKey to log in to Windows?

Yes, you can use your YubiKey to log in to Windows with our partners Authlite, Rohos and Authanvil. Read more here.
 



Can I use the YubiKey with my Mac?

Yes, the YubiKey can be used with any computer (including Mac) that has a standard USB 2.0 port and supports USB keyboards. The YubiKey presents itself to the computer as a keyboard, and is therefore OS independent. It works with Windows, Linux, OS X, iOS (iPad/iPad 2 only), PS3, Xbox360, Wii etc., and no device drivers need to be installed.
 



Can I use my YubiKey with my PC?

Yes, the YubiKey can be used with any computer (including PC) that has a standard USB 2.0 port and supports USB keyboards. The YubiKey presents itself to the computer as a keyboard, and is therefore OS independent. It works with Windows, Linux, OS X, iOS (iPad/iPad 2 only), PS3, Xbox360, Wii etc., and no device drivers need to be installed.
 



My YubiKey is not working. What should I do?

Please try the following to identify the problem:

1. To make sure the problem is not related to the USB port on the computer, please check the YubiKey on another computer (if possible) or another USB port on the same computer. Please note the behaviour of the green LED both when you insert the YubiKey and when you touch the button.

2. If the problem still persists on another USB port/computer, please send the following details to support@yubico.com about your original order on Yubico Webstore and we will arrange a replacement YubiKey for you:

a. Name:
b. Shipping Address:
c. YubiKey Serial Number (YubiKey 2.2 and later versions have the serial number laser imprinted at the back of the key near the 2D barcode):
d. Yubico Order Number:
OR
e. Order Date and PayPal receipt number:
 



What happens if I don’t have my YubiKey with me?

It depends on what options each application vendor and service provider offers users to address such a situation. It is common that the application/service may offer options to temporarily fall back to one-factor authentication for a certain duration (e.g. a day), send temporary OTPs over other communication channels like SMS or email, or even support backup mobile tokens. But again, all these options need to be implemented by the application vendor/service provider in a way that suits their security requirements.
 



Password Managers

How do I get a YubiKey to work with LastPass?

To enable the use of a YubiKey with LastPass you need to have a YubiKey and a LastPass premium account. Read more about how to order a discounted bundle at our web store and how to add and enable a YubiKey to your LastPass account.
 



How can I add a YubiKey to my LastPass account?

You can order YubiKey + LastPass bundles at our web store. Click here to view the different bundles including LastPass Premium Subscription. The most popular offer is two YubiKeys, one black and one white for $45 including LastPass Premium Subscription.
 



Get a YubiKey

How can I buy a YubiKey?

You can order YubiKeys online on our web store, store.yubico.com. You can order single YubiKeys or trays with 10 or 50 YubiKeys. A single standard YubiKey costs $25; YubiKeys in trays of 50 are $15 each.
 



How much is the shipping cost when ordering YubiKeys online?

The shipping costs depend on where you want your YubiKeys shipped and how many YubiKeys you order. For most countries, there is a US$5 postage option for up to 3 YubiKeys.

US & Canada:
1-5 YubiKeys: US$5
More than 5 YubiKeys: USPS tracked, from US$15; FedEx, from US$40

Europe, Asia, Africa and Australia*:
1-3 YubiKeys: US$5
More than 3 YubiKeys: DHL Express shipment, from US$20

Americas (except US & Canada):
1 YubiKey: US$5
2-10 YubiKeys: US$10
More than 10 YubiKeys: USPS tracked, from US$40; FedEx shipment, from US$85

Russian Federation:
1-100 Keys: US$54 via our delivery partner Mega Engineering

China:
Please contact sales@yubico.com before ordering. We can only ship to companies and they have to supply a C/R code. DHL Express is the only service we offer.

Please note that VAT is charged on shipping and handling in European Union countries.

* We have disabled the $5-option without tracking for a few countries where we experienced a high rate of non-delivery. This is to make sure that you will receive your YubiKeys when you order them.
 



Security

What happens if I lose my YubiKey?

You can disable your YubiKey if you lose it or if it is stolen. For security reasons, no two YubiKeys are manufactured with identical configurations.

Yubico recommends that customers create a YubiRevoke account and enroll their YubiKeys as soon as they are received. The YubiRevoke service prevents potential misuse of your YubiKey(s) in case they are lost. The service provides the functionality to disable registered YubiKey(s) in case they are lost or stolen (or re-enable them if later found).

If you are using your YubiKey with a service and/or application, how a lost YubiKey is handled depends on that service/application. For example, a LastPass Premium subscription allows users to configure up to 5 YubiKeys with a LastPass account so they can continue to log in using the other keys if one is lost. Read more on LastPass about what happens if you lose your YubiKey.

Applications/services can also provide other mechanisms for users/administrators to assign a new YubiKey in case the user has lost his/her original key.
 



Can a YubiKey be copied?

No, a YubiKey cannot be copied, as the computer recognizes the YubiKey as a keyboard. The YubiKey types a One-Time Password (OTP) when the button is pressed. Click here for a technical description of the YubiKey.
 



What kind of encryption is used for your server security?

Yubico Validation Server supports HTTPS for secure communication with validation clients. Additionally, the validation protocol also (optionally) uses HMAC-SHA1 signatures on request and response to verify message integrity. You can find more details about the Validation Protocol here.
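
How a validation client can check the HMAC-SHA1 signature on a response, as an added example that is not Yubico's client code. It follows the signing rule of the validation protocol (key=value pairs sorted by key, joined with '&', HMAC-SHA1 with the base64-decoded API key, result base64-encoded, carried in the `h` parameter); the function names, API key, OTP, nonce and timestamp are constructed sample values.

```python
import base64, hashlib, hmac

def sign(params: dict, api_key_b64: str) -> str:
    """Sort key=value pairs by key, join with '&', HMAC-SHA1, base64-encode."""
    line = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    key = base64.b64decode(api_key_b64)          # the API key is issued base64-encoded
    return base64.b64encode(hmac.new(key, line.encode(), hashlib.sha1).digest()).decode()

def parse_response(body: str) -> dict:
    """Parse 'key=value' lines; split once because base64 values end in '='."""
    return dict(line.split("=", 1) for line in body.splitlines() if "=" in line)

def check_response(body: str, api_key_b64: str, sent_otp: str, sent_nonce: str) -> str:
    """Return the server status only for an authentic reply to our own request."""
    resp = parse_response(body)
    expected = sign(resp, api_key_b64)
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(resp.get("h", "").encode(), expected.encode()):
        return "rejected: signature mismatch"
    # A validly signed reply to some other request must not be accepted for this one.
    if resp.get("otp") != sent_otp or resp.get("nonce") != sent_nonce:
        return "rejected: reply is for a different request"
    return resp.get("status", "rejected: no status")

# Constructed sample values (not real credentials and not a real OTP).
API_KEY = base64.b64encode(b"constructed-demo-key").decode()
OTP = "cccccccccccc" + "cbdefghijklnrtuv" * 2
NONCE = "a1b2c3d4e5f6a7b8c9d0"

def make_response(status: str, otp: str = OTP, nonce: str = NONCE) -> str:
    """Test data: a reply signed with API_KEY, standing in for the server."""
    fields = {"otp": otp, "nonce": nonce, "status": status, "t": "2012-01-01T00:00:00Z0000"}
    fields["h"] = sign(fields, API_KEY)
    return "\r\n".join(f"{k}={v}" for k, v in fields.items())

if __name__ == "__main__":
    print(check_response(make_response("OK"), API_KEY, OTP, NONCE))
    forged = make_response("REPLAYED_OTP").replace("status=REPLAYED_OTP", "status=OK")
    print(check_response(forged, API_KEY, OTP, NONCE))
```

A client that skips the signature check and trusts `status=OK` alone depends entirely on the HTTPS channel for integrity.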
 



Where are Yubico’s servers located?

Yubico currently has five YubiCloud OTP validation servers. They are located around the world, distributed and synchronized to ensure that there is no single point of failure. Read more about the YubiCloud service and servers.
 



Development

How do I get an API-Key for YubiKey development?

To get your API key, please click here and enter a valid email address and an OTP from any of your YubiKeys. The result page will show the generated Client ID (aka AuthID or API ID) and the generated API key (Secret Key). Make a note of both and use these two values in your client. Please wait 5 to 10 minutes after generating the key before testing so that the API key will be updated on all the YubiCloud servers. YubiKeys come with a lifetime subscription to our YubiCloud validation service, i.e. there are no other fees for using the YubiCloud validation service. Read more here about Web API & Clients.
 



YubiRADIUS

Is YubiRADIUS free?

Yes it is! Read more about YubiRADIUS here.
 



What is the difference between the two YubiRADIUS Virtual Appliance image formats, OVF and VMware?

These are the two image formats supported by different virtualization platforms. For example, if you are using VMware Server or Player you will need the image in VMware format, and if you use VMware ESXi or Oracle VirtualBox you need to use the OVF format.
 



Can we install the YubiRADIUS Validation Server on the Windows platform?

Yes, if you install VMware Server or VMware Player on your Windows computer, you can use the YubiRADIUS image in VMware format. If you install Oracle VirtualBox you can use the OVF image.
 



How much time does it take to complete the installation of the YubiRADIUS Validation server on a server for authentication?

This virtual appliance comes with a pre-loaded instance of Validation Server and can be up and running in less than a couple of hours. Read more about YubiRADIUS.
 



When choosing to use “Local Validation Server” with YubiRADIUS, what is the use of YubiKey records like AES Key and Private ID?

A short description is found under section 5.2.4 here. In order to perform the task of OTP validation, the selected validation server needs to maintain the AES Key, Private ID and other relevant parameters (like the counter values from the last successfully validated OTP etc.) for your YubiKeys. FYI, the AES keys are stored securely by a Key Storage Module (YK-KSM or YubiHSM).

If you select the "Local Validation Server" you will need to:

  • Reprogram your YubiKeys using the cross-platform personalization tool
  • The tool will generate a log file from your programming activity that has the details of the AES key, Public and Private IDs for the YubiKeys you programmed
  • Import the .csv log file generated by the tool so that the AES keys and other related information are imported into the internal database of the Key Storage Module and the OTPs from your YubiKeys can be validated by the Validation Server.


YubiHSM

What is YubiHSM?

The YubiHSM is Yubico's take on a practical HSM with great security, great quality, and a low cost of ownership. It does not provide all the physical security of other HSMs - but protects your secrets from internet intrusion, such as someone gaining root access to the server.
 



Is the YubiHSM for symmetric encryption only?

YES - the YubiHSM at the current level does not support asymmetric cryptography. We may introduce support for asymmetric operations in a later version.
 



Is the YubiHSM security certified (FIPS 140 or similar)?

NO - we may consider this in the future for a premium version (due to cost). We will decide later on when the final functionality is fully defined and has been tested out thoroughly.
 



Is the YubiHSM protected against physical intrusion?

We don't make any guarantees, but there is no easy way to read out the contents of the YubiHSM even with physical access. On top of that, the key store can be stored encrypted with AES-256 (passphrase needed on startup).
 



Are keys deleted on intrusion events?

The YubiHSM does not currently have any means of detecting intrusion events, but see the response above.
 



Is the internal CPU a designated security CPU or just an ordinary COTS one?

It is currently an ordinary COTS CPU, obviously selected for cost reasons.
 



Isn't the above required to really protect the keys?

The main design objective with the YubiHSM is to protect keys from remote attacks. With that said, it is still non-trivial to retrieve keys from a YubiHSM even if it is stolen.
 



Why is USB CDC used rather than a custom driver?

Windows, Linux and Mac platforms all support USB CDC, and communication is very simple and straightforward using normal file I/O functions.
 



The USB interface is only full-speed. Why not high-speed?

With the current design, the communication speed is not a practical performance limiting factor.
 



The internal YubiKey key storage is just 1024 entries. I want more!

We needed to set the limit somewhere and this is of course a cost driver. We may introduce a version with more internal storage later on.
 



Can the device firmware be upgraded via USB, a.k.a. DFU?

No, we explicitly decided to not have such a feature due to security concerns. The only interface and protocol available is USB CDC under firmware control.
 



Others

How can I become a partner and/or reseller of YubiKeys?

Read more on how to become a Yubico Authorized Partner and/or a Yubico Online Affiliate here.
 



Is there any kind of simulator or software available for the hardware/USB kit?

There is no simulator/USB kit offered by Yubico.