The YubiKey

The YubiKey is in essence a second authentication method based on a unique physical token which cannot be duplicated or recorded, providing a credential based on something only an authorized user possesses. Used with a standard username and password, the YubiKey provides strong two-factor authentication to any site, service or application.

Any System, Any OS

Any computer which can use a USB keyboard can also use the YubiKey, regardless of the computer hardware, operating system or system drivers. The YubiKey AES Key information can never be extracted from a YubiKey device – only programmed to it. Further, only the YubiKey security-related codes are directly read from the YubiKey when in use. No transfer of non-security-related data means the YubiKey will never be a vector for viruses, Trojans or other malware.

Durable, Rugged, Secure

The YubiKey hardware itself consists of injection molded plastic encasing the circuitry which makes up the YubiKey, while the exposed elements consist of military grade hardened gold. The YubiKey does not contain an internal battery or any moving parts – meaning that a YubiKey will never stop functioning due to lack of power, mechanical issues or internal damage due to exposure.

Technical Description

YubiKey One Time Password

The YubiKey One Time Password (OTP) is a 44-character, single-use, secure, 128-bit encrypted Public ID and Password, near impossible to spoof. The OTP is composed of two major parts: the first 12 characters remain constant and represent the Public ID of the YubiKey token itself. The remaining 32 characters make up a unique Passcode for each OTP generated. The Passcode is generated from a multitude of random sources, including counters for both YubiKey sessions and OTPs generated. When a YubiKey is validated, the Session and OTP Counter values are compared to the last values submitted. If the counters are less than the previously used values, the OTP is rejected. Copying an OTP will not allow another user to spoof a YubiKey – the counter value will allow the validation server to know which OTPs have already been used.
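
The split and the counter comparison described above can be sketched as follows. This is an added example, not Yubico's validation code: the names split_otp and ReplayGuard are hypothetical, the modhex alphabet is not stated on this page, and the counters are assumed to have been obtained already by decrypting the Passcode.

```python
MODHEX = "cbdefghijklnrtuv"  # modhex alphabet used by YubiKey OTPs (not stated on this page)


def split_otp(otp):
    """Split a 44-character OTP into (public_id, passcode)."""
    if len(otp) != 44 or any(c not in MODHEX for c in otp):
        raise ValueError("expected 44 modhex characters")
    return otp[:12], otp[12:]  # constant 12-char Public ID, 32-char Passcode


class ReplayGuard:
    """Remembers the last accepted counters for each Public ID."""

    def __init__(self):
        self.last_seen = {}  # public_id -> (session_counter, otp_counter)

    def accept(self, otp, session_counter, otp_counter):
        # Assumption: the caller has already decrypted the Passcode with the
        # token's AES key and extracted both counters; that step is omitted.
        public_id, _passcode = split_otp(otp)
        current = (session_counter, otp_counter)
        previous = self.last_seen.get(public_id)
        # Compare session counter first, then OTP counter. Equal counters are
        # rejected too, because a copied OTP carries the same values.
        if previous is not None and current <= previous:
            return False
        self.last_seen[public_id] = current
        return True


# Constructed sample OTP: 12-character Public ID plus a 32-character Passcode.
# The same string is reused with different counters only to keep the demo short.
SAMPLE_OTP = "cccccccccccb" + "defghijklnrtuvcb" * 2

if __name__ == "__main__":
    guard = ReplayGuard()
    for counters in [(5, 0), (5, 0), (5, 1), (4, 9), (6, 0)]:
        verdict = "accepted" if guard.accept(SAMPLE_OTP, *counters) else "rejected"
        print(counters, verdict)
```
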

Legacy Authentication Methods Support

For services that don’t yet support the YubiKey OTP authentication, the YubiKey still offers a number of options to enhance security. The YubiKey may be used in conjunction with a password manager application, such as LastPass, to create long, complex, unique passwords for other services protected with the YubiKey. Alternatively, either of the two slots in the YubiKey may be configured to hold a 38-character static password, an OATH Open Authentication standard passcode or a challenge-response dialog. There are a number of applications, provided both by Yubico and by YubiKey users themselves, which take advantage of the security, usability and reliability of the YubiKey. Yubico provides all the code necessary for validating a YubiKey OTP in an open source format to encourage development and support for the YubiKey!