Frequently Asked Questions
Find answers to the most common questions about our products and services.
1. The Basics
Two-factor authentication is a strong authentication method in which the user presents two different kinds of identification: something you know (a PIN or a password) combined with something you have (a physical device such as a YubiKey). The physical device must be able to interact with a computer and transmit an identifier that is unique to it. The YubiKey works with any computer that supports a USB keyboard, and it identifies itself uniquely through the one-time passwords it generates, which makes it well suited to two-factor authentication.
A One-Time Password (OTP) is a password that is valid for a single use only; once used, it cannot be used again for authentication. A Yubico OTP is a unique sequence of characters generated every time the YubiKey button is touched. It consists of 32 Modhex characters that encode a 16-byte block encrypted with the YubiKey's AES-128 key; in the usual configuration this block is preceded by a 12-character Modhex public identity, sent in the clear, which tells the validation server which AES key to decrypt with.
The information that makes up a Yubico OTP consists of:
- The private identity of the YubiKey
- Counter fields tracking how often the YubiKey has been used
- A Timer field tracking the time between generating each OTP
- A Random number to add additional security to the encryption
- A closing CRC16 checksum of all the fields
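The structure described above, as an added example in Go that is not Yubico's own code: it builds the 16-byte token, appends the complemented CRC-16 the key uses, AES-128-encrypts the block and encodes it as Modhex, then parses it back the way a validation server does, requiring a good CRC and the expected private identity before trusting the counters. The AES key, public identity and field values are constructed for illustration; the `cipher.Block` comes from `aes.NewCipher` over the slot's 16-byte key (see `newBlock`).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"strings"
)

// Modhex: hex digits 0..f on keys that sit in the same place on every layout.
const modhex = "cbdefghijklnrtuv"

func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, (len(s)+1)/2)
	for i := 0; i < len(s); i++ {
		v := strings.IndexByte(modhex, s[i])
		if v < 0 {
			return nil, errors.New("invalid modhex character")
		}
		out[i/2] = out[i/2]<<4 | byte(v)
	}
	return out, nil
}

func modhexEncode(b []byte) string {
	var out []byte
	for _, x := range b {
		out = append(out, modhex[x>>4], modhex[x&0x0f])
	}
	return string(out)
}

// crc16: reflected polynomial 0x8408, init 0xffff, no final XOR. A 16-byte
// token with a correct trailing CRC always hashes to the residue 0xf0b8.
func crc16(data []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ (0x8408 & -(crc & 1)) // branchless shift-and-xor
		}
	}
	return crc
}

// Token is the 16-byte plaintext behind the 32 modhex characters.
type Token struct {
	PrivateID      [6]byte
	SessionCounter uint16 // non-volatile, incremented at each power-up
	Timestamp      uint32 // 24 bits, roughly 8 Hz ticks since power-up
	SessionUse     uint8  // incremented for each OTP in the session
	Random         uint16
}

// Counter is what a validation server stores per key to reject replays.
func (t Token) Counter() uint32 { return uint32(t.SessionCounter)<<8 | uint32(t.SessionUse) }

// newBlock sets up the slot's 16-byte AES-128 key once for both directions.
func newBlock(key []byte) (cipher.Block, error) { return aes.NewCipher(key) }

// generateOTP mirrors what the key does on a touch: serialise the fields, append
// the complemented CRC of the first 14 bytes, encrypt, type public ID + 32 modhex.
func generateOTP(c cipher.Block, publicID []byte, t Token) string {
	var pt, ct [16]byte
	copy(pt[0:6], t.PrivateID[:])
	binary.LittleEndian.PutUint16(pt[6:8], t.SessionCounter)
	binary.LittleEndian.PutUint16(pt[8:10], uint16(t.Timestamp))
	pt[10] = byte(t.Timestamp >> 16)
	pt[11] = t.SessionUse
	binary.LittleEndian.PutUint16(pt[12:14], t.Random)
	binary.LittleEndian.PutUint16(pt[14:16], ^crc16(pt[:14]))
	c.Encrypt(ct[:], pt[:])
	return modhexEncode(publicID) + modhexEncode(ct[:])
}

// parseOTP is the validation-server side: split off the public ID, decrypt the
// last 32 characters, check CRC and private ID. A wrong AES key fails the CRC.
func parseOTP(c cipher.Block, otp string, wantPrivateID [6]byte) (publicID string, t Token, err error) {
	if len(otp) < 32 || len(otp) > 48 {
		return "", t, errors.New("OTP length out of range")
	}
	ct, err := modhexDecode(otp[len(otp)-32:])
	if err != nil {
		return "", t, err
	}
	var pt [16]byte
	c.Decrypt(pt[:], ct)
	if crc16(pt[:]) != 0xf0b8 {
		return "", t, errors.New("CRC check failed: wrong AES key or corrupted OTP")
	}
	copy(t.PrivateID[:], pt[0:6])
	if t.PrivateID != wantPrivateID {
		return "", t, errors.New("private ID mismatch")
	}
	t.SessionCounter = binary.LittleEndian.Uint16(pt[6:8])
	t.Timestamp = uint32(binary.LittleEndian.Uint16(pt[8:10])) | uint32(pt[10])<<16
	t.SessionUse = pt[11]
	t.Random = binary.LittleEndian.Uint16(pt[12:14])
	return otp[:len(otp)-32], t, nil
}
```

A validation server stores the last accepted `Counter()` for each public identity and rejects any OTP whose value is not strictly greater; that check, not the encryption alone, is what makes the password one-time.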
2. The YubiKey
It is not possible to make an exact copy of a YubiKey, but in some cases it is possible to copy a credential stored in it.
YubiKeys are write-only by design: a credential's secrets can be written into the device but never read back out of it. A credential can therefore only be copied if its secret is already known, either noted down while the YubiKey was programmed or taken from the configuration log the personalization tool writes during programming (treat that log as a secret and delete it once you no longer need it). Furthermore, only some credentials can be copied. Static Password and Challenge-Response credentials can; Yubico OTP and OATH-HOTP credentials cannot, because the validation server keeps a counter for each credential and two keys sharing one credential would generate OTPs that invalidate each other.
To store a Static Password credential for later use, simply store the string entered if you intend to program it in scan code mode and the values in the “Password Parameters” window if you intend to program it in advanced mode. To store a Challenge-Response credential, store the values entered in their respective “Parameters” windows.
To use another YubiKey for a backup in a system that implements either Yubico OTP or OATH-HOTP credentials, you may be given the option to associate multiple YubiKeys with your account. If you do not find those options, please contact the administrator for that service directly.
Conductive lanyards should not be used with the YubiKey Nano as they might interfere with the touch sensor. Other than that, there are no restrictions.
Before using a lanyard with the YubiKey Nano, please note that YubiKey Nanos are not designed for frequent insertion and removal. Use of a lanyard is thus up to each user’s individual discretion.
Select organizations are internally using U2F compliant versions of the YubiKey NEO. However, U2F compliant YubiKey NEOs will not be publicly available until later this year.
Current YubiKey NEOs sold do not support U2F and are not upgradable.
1. Turn off FastTrigger (Settings -> Extended Settings) – you will then need to touch the YubiKey Nano for at least half a second to emit an OTP.
2. For an even longer wait time, consider moving the configuration to the second slot.
3. For OS X users, the taskbar application YubiSwitch will turn off your YubiKey Nano automatically after a period of inactivity.
Please follow these steps to troubleshoot your device.
1. Make sure that your device’s NFC is toggled on.
2. Position your YubiKey NEO as close to your device's NFC antenna as you can and hold it there for two to three seconds. Because the YubiKey NEO and its antenna are small, it needs to be much closer to the device's NFC antenna than a typical NFC card.
3. If the YubiKey NEO is detected but does not work, please download the Android app TagInfo by NXP, scan your YubiKey NEO and attach the exported data (you can export it via email or other means) when you raise a ticket with email@example.com.
4. If this does not help, please test your YubiKey NEO with another NFC-capable device and/or test your NFC-capable device with an NFC tag before raising a ticket with firstname.lastname@example.org.
This depends on how you are planning to use the YubiKey.
For standard YubiKey functionality (Yubico OTP, OATH-HOTP, Challenge-Response, Static Password) over USB, YubiKeys use the same drivers as USB keyboards. If your device supports USB keyboards, it will work with the YubiKey. If your device does not load the driver, please try plugging in a USB keyboard first.
For standard YubiKey functionality over NFC, the YubiKey NEO uses the NDEF4 standard. If your device supports this standard, it will work with the YubiKey.
For SmartCard functions, the YubiKey NEO uses the ISO 7816-4 standard over USB and the ISO 14443-4 standard over NFC. If your device supports these standards, it will work with the YubiKey.
The YubiKey NEO is shipped with its NDEF4 tag programmed to emit a URI of the form https://my.yubico.com/neo/[OTP].
The following features are available over the YubiKey NEO’s NDEF interface.
- Yubico OTP
- Static Password (Advanced Mode)
A YubiKey is a One-Time Password (OTP) generator device. It generates a unique sequence of characters as an OTP every time its button is pressed. As the term suggests, a One-Time Password is valid only for a single use and cannot be used again for authentication. YubiKeys are typically used in implementing strong two-factor authentication solutions which provide much stronger security when compared to using only a username and password. The YubiKey supports multiple types of configurations and may be used to generate One-Time Passwords as well as static passwords.
The YubiKey acts as a simple one-button generic USB keyboard which may be used from any computer platform or browser without needing to install any client software or special drivers.
The YubiKey has two configuration slots. When a YubiKey is configured to use both slots the user may select between each configured output by pressing the button on the YubiKey for different lengths of time:
- Short press (0.3 – 1.5 seconds) and release – OTP from configuration slot #1 is yielded
- Long press (2.5 – 5 seconds) and release – OTP from configuration slot #2 is yielded
More information can be found in Section 4 of the YubiKey Manual.
No, it is currently not possible to upgrade YubiKey firmware. To prevent attacks on the YubiKey that might compromise its security, the YubiKey does not permit its firmware to be read or altered.
Yubico is dedicated to providing a long-term two-factor authentication solution, and we want your YubiKey to remain useful for its full lifetime. When we release new firmware, we ensure that new YubiKeys behave the same as older versions, so there is no need to purchase new YubiKeys to keep compatibility.
To allow the YubiKey to be compatible across multiple hardware platforms and Operating Systems, the YubiKey acts as a USB keyboard to the OS. This design provides several advantages including:
- Virtually all mainstream Operating Systems have built-in USB keyboard support.
- Since the YubiKey uses generic keyboard drivers, there are no special drivers that need to be installed to use the YubiKey.
- In organizations where USB storage devices are blocked for security reasons, USB keyboards, and therefore the YubiKey, are usually still permitted (if the endpoint policy allow-lists devices by vendor and product ID, the YubiKey must be added to that list).
- The user does not have to type the OTP generated by the authentication device into the application's login screen. The user simply clicks in the OTP input field and touches the YubiKey button briefly. Besides reducing the time spent on authentication, this avoids typing errors.
The Cross Platform Personalization tool will list the firmware version of a YubiKey plugged into the computer it is running on. The Firmware Version is displayed on the right side of the Personalization tool screen, above the serial number of the YubiKey.
The YubiKey can be used in a large variety of ways. A non exhaustive list summary can be found on the Applications page.
Yes, the YubiKey can be used with any computer (including a Mac) that has a standard USB 2.0 port and supports USB keyboards. The YubiKey identifies itself to the computer as a USB keyboard and is therefore OS independent. It works with Windows, Linux, OS X, iOS (iPad/iPad 2/iPad 3 only), PS3, Xbox 360, Wii etc. without requiring the installation of any device drivers.
Yes, the YubiKey can be used with any computer (including PCs) that has a standard USB 2.0 port and supports USB keyboards. The YubiKey identifies itself to the computer as a USB keyboard and is therefore OS independent. It works with Windows, Linux, OS X, iOS (iPad/iPad 2/iPad 3 only), PS3, Xbox 360, Wii etc. without requiring the installation of any device drivers.
Please attempt the following steps to troubleshoot your device.
For each of these steps, insert the YubiKey into the USB port, open a text editor (such as Notepad) and press the button on the YubiKey.
1. Use the YubiKey in a different USB Port on the same computer.
2. Use the YubiKey in a different computer.
Please then write to us with the following.
1. The output you see on the text editor.
2. The behaviour of the green LED both when you insert the YubiKey and when you touch the button.
3. The operating systems that were running on your computers.
The answer depends on what options each application vendor or service provider offers for this situation. It is common for an application or service to offer a way to temporarily disable YubiKey authentication and fall back to one-factor authentication for a limited period (such as a day). Other applications provide temporary OTPs over another channel, like SMS or email. Some even support backup mobile tokens. All of these options must be implemented by the vendor or provider in a way that suits their security requirements, so please check with each application or service to see how it handles situations where a user's YubiKey is unavailable.
3. Password Managers
Please follow the instructions linked below to associate your YubiKey to your LastPass account.
Any YubiKey can work with LastPass, including the standard YubiKey, YubiKey Nano and YubiKey NEO, as long as the YubiKey is configured with a Yubico OTP. Yubico and LastPass also offer a discounted bundle of a YubiKey with LastPass Premium.
4. Get a YubiKey
You can order YubiKeys online on our web store. Options include purchasing single YubiKeys or trays of 10 or 50 YubiKeys. Single standard YubiKeys cost $25 each; YubiKeys in trays of 50 are $15 each.
The shipping costs depend on where you want your YubiKeys shipped and how many YubiKeys are in your order. For most countries, there is a US$5 postage option for up to 3 YubiKeys.
US & Canada:
1-5 YubiKeys: US$5
> 5 YubiKeys: USPS tracked from US$15, FedEx, from US$40
Europe, Asia, Africa and Australia*:
1 – 3 YubiKeys: US$5
> 3 YubiKeys: DHL Express shipment, from US$20
Americas (except US & Canada):
1 YubiKey: US$5
2-10 YubiKeys: US$10
> 10 YubiKeys: USPS tracked from US$40, FedEx shipment, from US$85
1-100 Keys: US$54 via our delivery partner Mega Engineering
Please contact email@example.com before ordering. We may only ship to companies and they must supply a C/R code. DHL Express is the only service we offer.
Please note that VAT is charged on shipping and handling in European Union countries.
* We have disabled the $5-option without tracking for a few countries where we experienced a high rate of non-delivery. This is to ensure that you will receive your YubiKeys when you order them.
We use the VIES service (linked below) to validate VAT numbers. If your number does not validate, we cannot accept it. Please check if your number validates on the service and check with your local VAT authority if it does not.
You can disable your YubiKey if it is lost or stolen. For security reasons, no two YubiKeys are manufactured with identical configurations.
Yubico recommends customers create a personal YubiRevoke account and enroll their YubiKeys in the service as soon as the keys are received. The YubiRevoke service prevents potential misuse of your YubiKey(s) in case they are lost. The service provides users with the option to disable registered YubiKey(s) in the event they are lost or stolen, as well as re-enable YubiKeys if they are found later.
If you are using your YubiKey with a service or application, the policy for lost or stolen YubiKeys depends on how that service or application handles the situation. For instance, a LastPass Premium subscription allows users to register up to 5 YubiKeys with a LastPass account, so they can continue to log in with another key if one is lost. See LastPass's own page on what happens if you lose your YubiKey.
Applications and services may also provide other mechanisms for users or administrators to assign a new YubiKey when a user has lost the original key. Please ask each application or service that supports the YubiKey about its policy.
No. The computer sees the YubiKey only as a keyboard that types a One-Time Password (OTP) when the button is pressed. The AES key that produces those OTPs never leaves the device, and a validation server rejects an OTP once it has been used, so capturing what the key types yields nothing that can be used a second time. See the technical description of the YubiKey for details.
The Yubico Validation Server supports HTTPS for the connection between validation clients and the server. In addition, the validation protocol can (optionally) sign both request and response with an HMAC-SHA1 over the parameters, keyed with the client's API key, so that the client can check that a response, and in particular its status, genuinely came from the server and was not altered in transit.
To get your API key, use the API key signup page and enter a valid email address together with a Yubico OTP from any of your YubiKeys. The resulting page shows the generated Client ID (also called AuthID or API ID) and the generated API key (secret key). Record both and configure them in your client; the API key is a secret and should be stored like one. Allow 5 to 10 minutes after generating the key before testing so that it has propagated to all YubiCloud servers. YubiKeys come with a lifetime subscription to the YubiCloud validation service; there are no additional fees for using it.
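The request signing and response checking the two answers above describe, as an added example in Go that is not Yubico's own client code. It follows the Validation Protocol 2.0 rules (parameters other than h sorted by name, joined as key=value with '&', HMAC-SHA1 under the base64-decoded API key, signature base64-encoded and sent as h); the API key, OTP and nonce it is exercised with are constructed, and the endpoint path is named only in a comment.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// sign computes the Validation Protocol 2.0 signature: every parameter except
// h, sorted by name, joined as key=value with '&', HMAC-SHA1 under the API key
// (the base64-decoded secret from the signup page), base64-encoded.
func sign(apiKey []byte, params map[string]string) string {
	keys := make([]string, 0, len(params))
	for k := range params {
		if k != "h" {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	parts := make([]string, len(keys))
	for i, k := range keys {
		parts[i] = k + "=" + params[k]
	}
	mac := hmac.New(sha1.New, apiKey)
	mac.Write([]byte(strings.Join(parts, "&")))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// buildQuery is the client side: the query string for GET /wsapi/2.0/verify.
// The nonce (16 to 40 alphanumeric characters) is echoed by the server and
// ties a response to exactly this request.
func buildQuery(apiKey []byte, clientID, otp, nonce string) string {
	p := map[string]string{"id": clientID, "otp": otp, "nonce": nonce}
	p["h"] = sign(apiKey, p)
	q := url.Values{}
	for k, v := range p {
		q.Set(k, v)
	}
	return q.Encode() // url.Values sorts by key and percent-encodes h
}

// parseResponse reads the server's "key=value" lines (CRLF separated).
func parseResponse(body string) map[string]string {
	fields := map[string]string{}
	for _, line := range strings.Split(body, "\n") {
		if kv := strings.SplitN(strings.TrimRight(line, "\r"), "=", 2); len(kv) == 2 {
			fields[kv[0]] = kv[1]
		}
	}
	return fields
}

// verifyResponse checks, in this order: the server's signature (so nobody in
// the path can turn status=REPLAYED_OTP into OK), that the echoed otp and
// nonce belong to this request (so an old OK cannot be replayed), and only
// then the status itself.
func verifyResponse(apiKey []byte, body, wantOTP, wantNonce string) error {
	f := parseResponse(body)
	h, ok := f["h"]
	if !ok {
		return errors.New("response carries no signature")
	}
	if subtle.ConstantTimeCompare([]byte(h), []byte(sign(apiKey, f))) != 1 {
		return errors.New("response signature does not verify")
	}
	if f["otp"] != wantOTP || f["nonce"] != wantNonce {
		return errors.New("response does not match the request's otp and nonce")
	}
	if f["status"] != "OK" {
		return fmt.Errorf("validation failed: %s", f["status"])
	}
	return nil
}
```

Checking the signature before the status is the point: over HTTPS the signature is a second line of defence, but a client that reads status=OK without verifying h trusts whatever answered the request.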
YubiRADIUS is a free offering with optional paid Support offered by Yubico.
YubiRADIUS has been tested with Microsoft Active Directory and OpenLDAP as these are the standard directories officially supported by Yubico. We expect it to be able to work with other popular directory services and products with little to no changes.
Yes, if you install VMWare Server or VMWare Player on your Windows computer, you can use the YubiRADIUS image in VMWare format. If you install Oracle VirtualBox you can use the OVF image.
Yubico customers have reported that various VPN – Firewall devices from the following vendors are successfully integrated with YubiRADIUS:
- Defender 5
YubiRADIUS 3.5.1 (and later) supports the Yubico software token, the YubiApp for Android platform with future support planned for the iPhone (iOS). The YubiApp acts like a backup to a physical YubiKey which is required to register the YubiApp for use.
These are the two image formats supported by different virtualization platforms. If you are using VMWare Server or Player you will need image in VMWare format and if you use VMWare ESXi or Oracle VirtualBox you need to use the OVF format.
Currently, Yubico releases YubiRADIUS Virtual Appliance images in VMware and OVF formats. We have heard reports of people who have used publicly available tools to convert these images to Hyper-V format.
How much time does it take to complete the installation of the YubiRADIUS Validation server on a server for authentication?
This virtual appliance comes with a pre-loaded instance of Validation Server and can be up and running in less than a couple of hours.
There is no hard limit enforced on the number of users in YubiRADIUS software components. In practice, the limit of the total number of users supported would depend on your internal resources available for the YubiRADIUS Virtual Appliance.
The YubiRADIUS Virtual Appliance is not explicitly hardened, because security requirements and policies differ from customer to customer. Further details can be found under the section “Appendix: Security Considerations” of the YubiRADIUS Configuration Guide, which is available from the YubiRADIUS Download Page. We strongly recommend that you harden your YubiRADIUS instance according to your own security requirements and company policy before exposing it to the network.
Yes, multiple YubiRADIUS Virtual Appliances (YRVA) can be set up in a redundancy configuration to help avoid a single point of failure when the local on-board validation server is used. Please note, only information about the OTP validation states and Username to YubiKey ID mappings are synchronized between the instances of YubiRADIUS configured for synchronization. The import of YubiKeys and the configuration of services on each image need to be performed separately on each YubiRADIUS instance. Further details can be found under section “‘Setting up the Global configuration parameters” (subsection-synchronization) of the YubiRADIUS Configuration Guide, which is available from the YubiRADIUS Download Page.
Our VPN client limits the number of characters that can be entered in the password field so it is not possible to append the OTP to normal password. Is there any solution?
YubiRADIUS 3.5.1 (and later versions) support the option to allow users to append the OTP to the username instead of their password. Further details can be found under section “Setting up the Global configuration parameters” of the YubiRADIUS Configuration Guide, which is available from the YubiRADIUS Download Page.
When choosing to use “Local Validation Server” with YubiRADIUS, what is the use of YubiKey records like the AES Key and Private ID?
A short description is found in the YubiRADIUS Manual under section 5.2.4. To validate OTPs, the selected validation server must hold the AES key, private ID and other relevant parameters (such as the counter values from the last successfully validated OTP) for each of your YubiKeys. The AES keys are stored securely by a Key Storage Module, which may be either the software solution YK-KSM or the hardware YubiHSM device.
If you select the “Local Validation Server” you will need to:
- Reprogram your YubiKeys using the cross-platform personalization tool
- The tool will generate a log file from your programming activity that has the details of the AES key, Public and Private IDs for each YubiKey programmed
- Import the .csv log file generated by the tool so that the AES keys and related information are loaded into the internal database of the Key Storage Module. This allows the local Validation Server to validate OTPs from your YubiKeys. The log file contains the AES keys in clear text, so restrict access to it and delete it once the import has succeeded.
YubiRADIUS 3.5 and later has the ability to return user’s group membership information in RADIUS response. Further details can be found under section “Return user’s Group Membership information in RADIUS response” of the YubiRADIUS Configuration Guide, which is available from the YubiRADIUS Download Page.
A static IP address is recommended for any server/service. However, YubiRADIUS comes preconfigured for DHCP to allow users to get it up and running quickly and easily. Once YubiRADIUS is up and running we recommend that you change the address from the Debian OS menu.
Support for YubiRADIUS has been discontinued as of 27th December 2013. However, there are a number of 3rd party providers who provide a YubiKey-compatible RADIUS offering, including the following.
For more options, please check out our wiki page here.
The YubiHSM is Yubico's take on a practical HSM with strong security, good quality and a low cost of ownership. It does not provide all the physical security of other HSMs, but it protects your secrets from remote intrusion, such as an attacker gaining root access to the server.
YES – the YubiHSM at the current level does not support asymmetric cryptography. We may introduce support for asymmetric operations in a later version.
NO – we may consider this in the future for a premium version (due to cost). We will decide later on when the final functionality is fully defined and has been tested out thoroughly.
We don’t make any guarantees, but there is no easy way to read out the contents of the YubiHSM even with physical access. On top of that, the key store can be stored encrypted with AES-256 (passphrase needed on startup).
The YubiHSM does not currently have any means of detecting intrusion events, but it may be configured to protect stored keys by encrypting them with an AES-256 encryption.
It is currently an ordinary COTS CPU, selected for cost reasons.
The main design objective of the YubiHSM is to protect keys from remote attacks. That said, it is still non-trivial to retrieve keys from a YubiHSM even if it is stolen or physically compromised.
This is because the Windows, Linux and Mac platforms all support USB CDC. USB CDC communication is very simple and straight-forward using normal file I/O functions.
With the current design, the communication speed is not a practical performance limiting factor.
We needed to set the limit somewhere and onboard storage represents a cost driver. We may introduce a version with more internal storage later on.
No, we explicitly decided to not include an upgrade feature due to security concerns. The only interface and protocol available is USB CDC under firmware control.
There is no simulator/USB kit offered by Yubico.
Having problems finding the answer to your question? Please contact us at firstname.lastname@example.org.
The Yubico Forum is a technical discussion forum for developers and YubiKey users who want to learn, ask questions, comment on or contribute to Yubico's technology.