Frequently Asked Questions
Find answers to the most common questions about our products and services.
1. The Basics
Two-factor authentication is a strong authentication method where the user provides two types of identification. Two-factor authentication combines something you know (a PIN or a password) with something you have (a physical device like a YubiKey). The physical device must be capable of interacting with a computer and transmitting a unique ID. The YubiKey works with any computer that supports a USB keyboard, and it uniquely identifies itself with the one-time password it generates, making it an excellent device for two-factor authentication.
A One-Time Password (OTP) is a password valid only for a single use; once used, it cannot be used again for authentication. A Yubico OTP is a unique sequence of characters generated every time the YubiKey button is touched. The Yubico OTP consists of a sequence of 32 Modhex characters representing information encrypted with a 128-bit AES key.
The information that makes up a Yubico OTP consists of:
- The private identity of the YubiKey
- Counter fields tracking how often the YubiKey has been used
- A timer field tracking the time between generating each OTP
- A random number to add additional security to the encryption
- A closing CRC16 checksum of all the fields
2. The YubiKey
A YubiKey is a One-Time Password (OTP) generator device. It generates a unique sequence of characters as an OTP every time its button is pressed. As the term suggests, a One-Time Password is valid only for a single use and cannot be used again for authentication. YubiKeys are typically used in implementing strong two-factor authentication solutions which provide much stronger security when compared to using only a username and password. The YubiKey supports multiple types of configurations and may be used to generate One-Time Passwords as well as static passwords.
The YubiKey acts as a simple one-button generic USB keyboard which may be used from any computer platform or browser without needing to install any client software or special drivers.
The YubiKey has two configuration slots. When a YubiKey is configured to use both slots the user may select between each configured output by pressing the button on the YubiKey for different lengths of time:
- Short press (0.3 – 1.5 seconds) and release – OTP from configuration slot #1 is yielded
- Long press (2.5 – 5 seconds) and release – OTP from configuration slot #2 is yielded
More information can be found in Section 4 of the YubiKey Manual.
To allow the YubiKey to be compatible across multiple hardware platforms and Operating Systems, the YubiKey acts as a USB keyboard to the OS. This design provides several advantages including:
- Virtually all mainstream Operating Systems have built-in USB keyboard support.
- Since the YubiKey uses generic keyboard drivers, there are no special drivers that need to be installed to use the YubiKey.
- In organizations where USB ports are blocked for security concerns the use of USB keyboards, and thus the YubiKey, is still permitted.
- The user does not have to type an OTP generated by the authentication device into the application's login screen by hand. The YubiKey user simply clicks in the OTP input field and touches the YubiKey button briefly. Besides reducing the time spent on authentication, this also avoids the typing errors that manual entry of an OTP invites.
The YubiKey can be used in a large variety of ways. A non-exhaustive summary can be found on the Applications page.
Yes, the YubiKey can be used with any computer (including Mac) that has a standard USB 2.0 port and supports USB keyboards. The YubiKey identifies itself to the computer as a USB keyboard, and is therefore OS independent. It works with Windows, Linux, OS X, iOS (iPad/iPad 2/iPad 3 only), PS3, Xbox360, Wii etc. without requiring the installation of any device drivers.
Yes, the YubiKey can be used with any computer (including PCs) that has a standard USB 2.0 port and supports USB keyboards. The YubiKey identifies itself to the computer as a USB keyboard, and is therefore OS independent. It works with Windows, Linux, OS X, iOS (iPad/iPad 2/iPad 3 only), PS3, Xbox360, Wii etc. without requiring the installation of any device drivers.
To make sure the problem is not related to the USB port on the computer, please check the YubiKey on another computer (if possible) or another USB port on the same computer. Please note the behavior of the green LED both when you insert the YubiKey and when you touch the button.
If the problem still persists on another USB port/computer, please send the following details to email@example.com about your original order on Yubico Webstore and we will arrange a replacement YubiKey for you:
b. Shipping Address:
c. YubiKey Serial Number (YubiKey 2.2 and later versions have the serial number laser imprinted at the back of the key near the 2D barcode):
d. Yubico Order Number:
e. Order Date and PayPal receipt number:
The answer depends on what options each application vendor and service provider offers users for such a situation. It is common practice for the application or service to offer an option to temporarily disable the requirement for YubiKey authentication and fall back to one-factor authentication for a certain duration (such as a day). Other applications may provide temporary OTPs over other communication channels, like SMS or email. Some applications may even support backup mobile tokens. But again, all these options need to be implemented by the application vendor or service provider in a way that suits their security requirements. Please check with any application or service to see how they handle the situation where a user’s YubiKey is unavailable.
No, it is currently not possible to upgrade YubiKey firmware. To prevent attacks on the YubiKey that might compromise its security, the YubiKey does not permit its firmware to be accessed or altered.
Yubico is dedicated to providing a long-term two-factor authentication solution, and we want your YubiKey to remain useful for the full extent of its lifetime. When we do release new firmware, we ensure that the new YubiKey functions the same as older versions, so there is no need to purchase new YubiKeys to ensure compatibility.
The Cross Platform Personalization tool will list the firmware version of a YubiKey plugged into the computer it is running on. The Firmware Version is displayed on the right side of the Personalization tool screen, above the serial number of the YubiKey.
3. Password Managers
To enable the use of a YubiKey with LastPass you need to have a YubiKey and a LastPass premium account.
Please follow the instructions linked below to associate your YubiKey to your LastPass account.
Any YubiKey can work with LastPass, including the standard YubiKey, YubiKey Nano and YubiKey NEO, as long as the YubiKey is configured with a Yubico OTP. Yubico and LastPass also offer a discounted bundle of YubiKey + LastPass Premium.
4. Get a YubiKey
You can order YubiKeys online on our web store. Options include purchasing single YubiKeys or trays of 10 or 50 YubiKeys. A single standard YubiKey costs $25; YubiKeys in trays of 50 are $15 each.
The shipping costs depend on where you want your YubiKeys shipped and how many YubiKeys are in your order. For most countries, there is a US$5 postage option for up to 3 YubiKeys.
US & Canada:
1-5 YubiKeys: US$5
> 5 YubiKeys: USPS tracked from US$15, FedEx, from US$40
Europe, Asia, Africa and Australia*:
1-3 YubiKeys: US$5
> 3 YubiKeys: DHL Express shipment, from US$20
Americas (except US & Canada):
1 YubiKey: US$5
2-10 YubiKeys: US$10
> 10 YubiKeys: USPS tracked from US$40, FedEx shipment, from US$85
1-100 Keys: US$54 via our delivery partner Mega Engineering
Please contact firstname.lastname@example.org before ordering. We may only ship to companies and they must supply a C/R code. DHL Express is the only service we offer.
Please note that VAT is charged on shipping and handling in European Union countries.
* We have disabled the $5-option without tracking for a few countries where we experienced a high rate of non-delivery. This is to ensure that you will receive your YubiKeys when you order them.
You can disable your YubiKey if it is lost or stolen. For security reasons, no two YubiKeys are manufactured with identical configurations.
Yubico recommends customers create a personal YubiRevoke account and enroll their YubiKeys in the service as soon as the keys are received. The YubiRevoke service prevents potential misuse of your YubiKey(s) in case they are lost. The service provides users with the option to disable registered YubiKey(s) in the event they are lost or stolen, as well as re-enable YubiKeys if they are found later.
If you are using your YubiKey with a service and/or application, the policy for lost or stolen YubiKeys depends on how the service or application deals with the situation. For instance, the LastPass Premium subscription allows users to configure up to 5 YubiKeys with a LastPass account, so they can continue to log in using the other keys if one is lost. Read more on the LastPass site about what happens if you lose your YubiKey.
Applications and services may also provide other mechanisms for users or administrators to assign a new YubiKey in case a user loses the original key. Please inquire directly with applications or services supporting the YubiKey about their policies.
No, a YubiKey cannot be copied, as the computer recognizes the YubiKey as a keyboard. The YubiKey types a One-Time Password (OTP) when the button is pressed. Click here for a technical description of the YubiKey.
The Yubico Validation Server supports HTTPS for secure communication with validation clients. Additionally, the validation protocol can (optionally) carry HMAC-SHA1 signatures on the request and the response to verify message integrity.
Yubico currently has five YubiCloud OTP validation servers. They are located around the world, distributed and synchronized to ensure that there is no single point of failure. Read more about the YubiCloud service and servers.
To get your API key, please click here and enter a valid email address in conjunction with a Yubico OTP from any of your YubiKeys. The resulting page will show the generated Client ID (aka AuthID or API ID) and the generated API key (Secret Key). Make a note of both and use these two values in your client. Please wait 5 to 10 minutes after generating the key before testing so that the API key will be updated on all the YubiCloud servers. YubiKeys come with a lifetime subscription to our YubiCloud validation service – there are no additional fees for using the YubiCloud validation service.
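The integrity signature mentioned in the two answers above, as an added example that is not Yubico's client code: the client signs its verify request with the API key it obtained together with its client ID, then accepts the server's reply only if the reply carries a matching signature and echoes the client's own otp and nonce. The signing rule follows the Yubico validation protocol version 2.0 (parameters sorted by name, joined as key=value pairs with "&", HMAC-SHA1 keyed with the base64-decoded API key, result base64-encoded). The client ID, API key, OTP and nonce are constructed values, and the server reply comes from a local mock rather than an HTTPS request to a YubiCloud server.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Constructed values; a real client ID and API key come from the Yubico API key page.
var (
	sampleClientID = "12345"
	sampleAPIKey   = base64.StdEncoding.EncodeToString([]byte("constructed-20-byte!"))
	sampleOTP      = "vvcccccfhcbbdefghijklnrtuvcbdefghijklnrtuvcb" // 44 modhex characters
	sampleNonce    = "a1b2c3d4e5f60718"                             // random per request in real use
)

// sign computes the protocol's "h" field: parameters sorted by name, joined as key=value pairs
// with "&", HMAC-SHA1 keyed with the decoded API key, base64-encoded. Any "h" present is skipped,
// so the same function signs requests and recomputes the expected signature of responses.
func sign(params map[string]string, apiKey string) (string, error) {
	key, err := base64.StdEncoding.DecodeString(apiKey)
	if err != nil {
		return "", fmt.Errorf("API key is not valid base64: %w", err)
	}
	var names []string
	for k := range params {
		if k != "h" {
			names = append(names, k)
		}
	}
	sort.Strings(names)
	pairs := make([]string, len(names))
	for i, k := range names {
		pairs[i] = k + "=" + params[k]
	}
	mac := hmac.New(sha1.New, key)
	mac.Write([]byte(strings.Join(pairs, "&")))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil)), nil
}

// BuildVerifyQuery returns the query string for GET .../wsapi/2.0/verify; url.Values
// percent-encodes the +, / and = characters that the base64 signature may contain.
func BuildVerifyQuery(clientID, otp, nonce, apiKey string) (string, error) {
	params := map[string]string{"id": clientID, "otp": otp, "nonce": nonce}
	h, err := sign(params, apiKey)
	if err != nil {
		return "", err
	}
	q := url.Values{"h": {h}}
	for k, v := range params {
		q.Set(k, v)
	}
	return q.Encode(), nil
}

// CheckResponse accepts a reply only if its signature verifies under our API key, it echoes the
// otp and nonce we sent (so a reply to some other request cannot be substituted), and status is OK.
func CheckResponse(fields map[string]string, otp, nonce, apiKey string) error {
	want, err := sign(fields, apiKey)
	if err != nil {
		return err
	}
	if !hmac.Equal([]byte(want), []byte(fields["h"])) {
		return errors.New("response signature mismatch")
	}
	if fields["otp"] != otp || fields["nonce"] != nonce {
		return errors.New("response does not belong to this request")
	}
	if fields["status"] != "OK" {
		return fmt.Errorf("validation failed with status %q", fields["status"])
	}
	return nil
}

// mockServerResponse stands in for the validation server's parsed reply; nothing is sent over
// the network. Its "h" is computed over every other field with the shared API key.
func mockServerResponse(otp, nonce, apiKey string) map[string]string {
	f := map[string]string{"t": "2013-05-01T10:20:30Z0123", "otp": otp, "nonce": nonce, "sl": "100", "status": "OK"}
	f["h"], _ = sign(f, apiKey)
	return f
}

func main() {
	q, _ := BuildVerifyQuery(sampleClientID, sampleOTP, sampleNonce, sampleAPIKey)
	fmt.Println("GET /wsapi/2.0/verify?" + q)
	fields := mockServerResponse(sampleOTP, sampleNonce, sampleAPIKey)
	fmt.Println("genuine reply:", CheckResponse(fields, sampleOTP, sampleNonce, sampleAPIKey)) // <nil>
	fields["sl"] = "0" // any edited field breaks the signature
	fmt.Println("tampered reply:", CheckResponse(fields, sampleOTP, sampleNonce, sampleAPIKey))
}
```

The real reply arrives as one key=value pair per line; when parsing it, split each line on the first "=" only, because the base64 signature in h itself ends in "=" padding. The nonce comparison is what ties a signed reply to the request that was actually sent: without it, a signed "status=OK" captured earlier could be replayed to the client even though HTTPS and the HMAC are both in place.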
YubiRADIUS is a free offering with optional paid Support offered by Yubico.
YubiRADIUS has been tested with Microsoft Active Directory and OpenLDAP as these are the standard directories officially supported by Yubico. We expect it to be able to work with other popular directory services and products with little to no changes.
Yes, if you install VMware Server or VMware Player on your Windows computer, you can use the YubiRADIUS image in VMware format. If you install Oracle VirtualBox, you can use the OVF image.
Yubico customers have reported that VPN and firewall devices from the following vendors integrate successfully with YubiRADIUS:
- Defender 5
YubiRADIUS 3.5.1 (and later) supports the Yubico software token, the YubiApp for the Android platform, with future support planned for the iPhone (iOS). The YubiApp acts as a backup to a physical YubiKey, which is required to register the YubiApp for use.
These are the two image formats supported by different virtualization platforms. If you are using VMware Server or Player you will need the image in VMware format; if you use VMware ESXi or Oracle VirtualBox you need to use the OVF format.
Currently, Yubico releases YubiRADIUS Virtual Appliance images in VMware and OVF virtualization formats. We have heard reports of people using publicly available tools to successfully convert these images to Hyper-V format.
How much time does it take to complete the installation of the YubiRADIUS Validation server on a server for authentication?
This virtual appliance comes with a pre-loaded instance of Validation Server and can be up and running in less than a couple of hours.
There is no hard limit enforced on the number of users in YubiRADIUS software components. In practice, the limit of the total number of users supported would depend on your internal resources available for the YubiRADIUS Virtual Appliance.
The YubiRADIUS Virtual Appliance is not explicitly hardened, as security requirements and policies differ from customer to customer. Further details can be found under the section “Appendix: Security Considerations” of the YubiRADIUS Configuration Guide, which is available from the YubiRADIUS Download Page. We highly recommend that users harden their YubiRADIUS instance according to their security requirements and company policy.
Yes, multiple YubiRADIUS Virtual Appliances (YRVA) can be set up in a redundancy configuration to help avoid a single point of failure when the local on-board validation server is used. Please note, only information about the OTP validation states and Username to YubiKey ID mappings are synchronized between the instances of YubiRADIUS configured for synchronization. The import of YubiKeys and the configuration of services on each image need to be performed separately on each YubiRADIUS instance. Further details can be found under the section “Setting up the Global configuration parameters” (subsection Synchronization) of the YubiRADIUS Configuration Guide, which is available from the YubiRADIUS Download Page.
Our VPN client limits the number of characters that can be entered in the password field so it is not possible to append the OTP to normal password. Is there any solution?
YubiRADIUS 3.5.1 (and later versions) support the option to allow users to append the OTP to the username instead of their password. Further details can be found under section “Setting up the Global configuration parameters” of the YubiRADIUS Configuration Guide, which is available from the YubiRADIUS Download Page.
When choosing to use “Local Validation Server” with YubiRADIUS, what is a use of YubiKey records like AES Key and Private ID?
A short description is found in the YubiRADIUS Manual under section 5.2.4, here. In order to perform the task of OTP validation, the selected validation server needs to maintain the AES Key, Private ID and other relevant parameters (like the counter values from the last successfully validated OTP etc.) for your YubiKeys. The AES keys are stored securely by a Key Storage Module, which may be either the software solution YK-KSM or the hardware YubiHSM device.
If you select the “Local Validation Server” you will need to:
- Reprogram your YubiKeys using the cross-platform personalization tool
- The tool will generate a log file from your programming activity that has the details of the AES key, Public and Private IDs for each YubiKey programmed
- Import the .csv log file generated by the tool so the AES keys and other related information is imported into the internal database of the Key Storage Module. This will allow for the OTPs from your YubiKeys to be validated by the local Validation Server.
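The following is an added example, not Yubico's own code, that makes two passages of this FAQ concrete at once: the list of fields that make up a Yubico OTP (section 1) and the per-key record (AES key, private ID, counters of the last validated OTP) that a local validation server keeps in its Key Storage Module, as described just above. It plays both sides: a YubiKey encrypting a token, and a minimal local validator decrypting it, checking the CRC and private ID, and enforcing the counters. The 16-byte token layout (6-byte private ID, 16-bit use counter, 24-bit timer, 8-bit session counter, 16-bit random value, 16-bit CRC, little-endian) and the Modhex alphabet follow the Yubico OTP format; the AES key, private ID and counter values are constructed, and the lookup of the record by the OTP's public ID prefix (the first 12 Modhex characters of a typed OTP, which precede the 32 encrypted ones) is assumed to have already happened.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Modhex is hex with letters that type identically on nearly every keyboard layout.
const modhex, hexDigits = "cbdefghijklnrtuv", "0123456789abcdef"

// translate maps each character of s from one alphabet to the other, dropping unknown ones.
func translate(s, from, to string) string {
	return strings.Map(func(r rune) rune {
		if i := strings.IndexRune(from, r); i >= 0 {
			return rune(to[i])
		}
		return -1
	}, s)
}

// CRC-16 (ISO 13239: init 0xffff, reflected poly 0x8408). The key stores the complement of the
// CRC over bytes 0..13, so the CRC over all 16 decrypted bytes equals the residue 0xf0b8.
func crc16(data []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ (crc&1)*0x8408
		}
	}
	return crc
}

// Token is the 16-byte plaintext the YubiKey AES-128-encrypts into the 32 modhex characters.
type Token struct {
	PrivateID  [6]byte
	UseCtr     uint16 // non-volatile counter, incremented at power-up
	Timestamp  uint32 // 24-bit 8 Hz timer, restarted at power-up
	SessionCtr uint8  // OTPs emitted since power-up
	Random     uint16
}

// Encrypt plays the YubiKey side: serialise the fields, append the CRC, encrypt one AES block.
func (t Token) Encrypt(key [16]byte) string {
	p := make([]byte, 16)
	copy(p, t.PrivateID[:])
	binary.LittleEndian.PutUint16(p[6:], t.UseCtr)
	binary.LittleEndian.PutUint16(p[8:], uint16(t.Timestamp))
	p[10], p[11] = byte(t.Timestamp>>16), t.SessionCtr
	binary.LittleEndian.PutUint16(p[12:], t.Random)
	binary.LittleEndian.PutUint16(p[14:], ^crc16(p[:14]))
	c, _ := aes.NewCipher(key[:]) // a 16-byte key never fails
	c.Encrypt(p, p)
	return translate(hex.EncodeToString(p), hexDigits, modhex)
}

// KeyRecord is what a local validation server keeps per YubiKey in its Key Storage Module.
type KeyRecord struct {
	AESKey      [16]byte
	PrivateID   [6]byte
	LastUse     uint16 // counters of the last OTP accepted from this key
	LastSession uint8
}

// Validate takes the 32-character encrypted part (the public ID prefix has already selected
// this record), checks the CRC and private ID, then enforces the counters.
func (r *KeyRecord) Validate(enc string) (t Token, err error) {
	ct, err := hex.DecodeString(translate(enc, modhex, hexDigits))
	if err != nil || len(enc) != 32 || len(ct) != 16 {
		return t, errors.New("encrypted part must be 32 modhex characters")
	}
	c, _ := aes.NewCipher(r.AESKey[:])
	c.Decrypt(ct, ct)
	copy(t.PrivateID[:], ct[:6])
	if crc16(ct) != 0xf0b8 || t.PrivateID != r.PrivateID {
		return t, errors.New("CRC or private ID mismatch: not a valid OTP for this key")
	}
	t.UseCtr = binary.LittleEndian.Uint16(ct[6:])
	t.Timestamp = uint32(binary.LittleEndian.Uint16(ct[8:])) | uint32(ct[10])<<16
	t.SessionCtr, t.Random = ct[11], binary.LittleEndian.Uint16(ct[12:])
	// Replay protection: (use, session) must be strictly greater than the last accepted pair.
	if t.UseCtr < r.LastUse || (t.UseCtr == r.LastUse && t.SessionCtr <= r.LastSession) {
		return t, errors.New("replayed or stale OTP")
	}
	r.LastUse, r.LastSession = t.UseCtr, t.SessionCtr
	return t, nil
}

// sample is a constructed record, not real YubiKey key material.
var sample = &KeyRecord{
	AESKey:    [16]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10},
	PrivateID: [6]byte{0xde, 0xad, 0xbe, 0xef, 0x00, 0x01},
}

func main() {
	otp := Token{PrivateID: sample.PrivateID, UseCtr: 7, SessionCtr: 1, Timestamp: 0x0123ab, Random: 0x04d2}.Encrypt(sample.AESKey)
	fmt.Println(sample.Validate(otp)) // accepted the first time...
	fmt.Println(sample.Validate(otp)) // ...rejected as a replay the second time
}
```

The counter rule is the whole replay defence: a captured OTP stays valid only until the legitimate key emits a higher (use, session) pair, so the last accepted pair has to be persisted and, where several validators share the same keys, kept in step between them. That is exactly the "OTP validation state" the redundancy answer above says synchronized YubiRADIUS instances exchange; a validator that lost or failed to replicate it would accept an old OTP again.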
YubiRADIUS 3.5 and later can return the user’s group membership information in the RADIUS response. Further details can be found under the section “Return user’s Group Membership information in RADIUS response” of the YubiRADIUS Configuration Guide, which is available from the YubiRADIUS Download Page.
A static IP address is recommended for any server/service. However, YubiRADIUS comes preconfigured for DHCP to allow users to get it up and running quickly and easily. Once YubiRADIUS is up and running we recommend that you change the address from the Debian OS menu.
The YubiHSM is Yubico’s take on a practical HSM with great security, great quality, and a low cost of ownership. It does not provide all the physical security of other HSMs – but it protects your secrets from internet intrusion, such as someone gaining root access to the server.
YES – the YubiHSM at the current level does not support asymmetric cryptography. We may introduce support for asymmetric operations in a later version.
NO – we may consider this in the future for a premium version (due to cost). We will decide later on when the final functionality is fully defined and has been tested out thoroughly.
We don’t make any guarantees, but there is no easy way to read out the contents of the YubiHSM even with physical access. On top of that, the key store can be stored encrypted with AES-256 (passphrase needed on startup).
The YubiHSM does not currently have any means of detecting intrusion events, but it may be configured to protect stored keys by encrypting them with an AES-256 encryption.
It is currently an ordinary COTS CPU, selected for cost reasons.
The main design objective with the YubiHSM is to protect keys from remote attacks. With that said, it is still non-trivial to retrieve keys from a YubiHSM even if it is stolen or physically compromised.
This is because the Windows, Linux and Mac platforms all support USB CDC. USB CDC communication is very simple and straightforward using normal file I/O functions.
With the current design, the communication speed is not a practical performance limiting factor.
We needed to set the limit somewhere and onboard storage represents a cost driver. We may introduce a version with more internal storage later on.
No, we explicitly decided to not include an upgrade feature due to security concerns. The only interface and protocol available is USB CDC under firmware control.
There is no simulator/USB kit offered by Yubico.
Having problems finding the answer to your question? Please contact us at email@example.com.
The Yubico Forum is a technical discussion forum for developers and YubiKey users who want to learn, question, comment or contribute to Yubico’s technology.