Background

Because security is never stronger than its weakest link, we have considered the full life-cycle of two-factor authentication, from the manufacturing to working in a system. The core security components of YubiKey are summarized below.

FIPS certification

Third party validation of implemented security is very important. We are in the process of FIPS 140-2 certification, validating that the design and security functionality meets the highest security standard.

Hardware two-factor authentication

With the YubiKey, sensitive key information is moved out from the computer providing the user with strong two-factor authentication, combining something you know (a PIN or password) with a physical device generating encrypted one time passwords which cannot be hacked remotely. The concept of an external physical device offers a significantly higher level of security compared to a software authentication token, independent if the software is stored in a mobile device or a computer.

AES encryption

The YubiKey OTP utilizes 128 bit strong key and the AES state-of-the-art encryption algorithm, same algorithm as used by the U.S. military and governments around the world.

Full strength pass code

Standard LCD tokens are limited to a truncated 8 digit pass code as it is not feasible for users to re-type longer passwords read from a display. Because the YubiKey automatically enters the pass code for you, the pass code can be much longer. We have chosen the full 128 bit key strength, represented by 32 modhex characters one time pass code, offering several magnitudes higher level of security compared to 8 digits. (As a comparison in strength to resist brute force attacks, 8 digits represents 100 million combinations to brute force while 128bit offers a “whopping” 3,402,823,669,209,384,634,633,746,074,317.7 times 100 million combinations to try!)

Unique time variant code

The YubiKey has no battery but features a built in clock that uses the power from the USB-port. This clock can be used to measure the time between two OTPs, verifying user presence and that pre-recorded OTPs cannot be used.

Technical transparency

All Yubico server software components are open source, with no hidden weaknesses and available to be scrutinised by the public.

Secure manufacturing process

The YubiKey is manufactured in Sweden, in a fully access automated process, using YubiHSM technology to ensure that no staff or IT administrators can have access to encryption keys.

Easy to program own secrets

The YubiKey requires no special hardware for programming, enabling you to easily program and control your own encryption keys. If required, Yubico offer optional password write protection of the settings, but all YubiKeys sold on our web store can be re-programmed. For security reasons Yubico firmware is not upgradable, it’s a write only device and the encryption key can never be read out from the device.

Tamper proof casing

The YubiKey is based on standard components, high-pressure moulded into plastic, making it practically impossible to tamper. If tampered, it will require sophisticated equipment to read out the secrets and cannot be done without physically destroying the device. Each YubiKey is seeded individually, so any breach would be for that unique Yubikey only, there is no systemic breach. If lost or stolen, the user administrator can easily disable the YubiKey so that it no longer can be used.

For more information on Yubico security, see Yubico Documentation.