1. The Basics

What is two-factor authentication (2FA)?

Two-factor authentication is a strong authentication method in which the user provides two types of identification. It combines something you know (a PIN or a password) with something you have (a physical device such as a YubiKey). The physical device must be capable of interacting with a computer and transmitting a unique ID. The YubiKey works with any computer that supports a USB keyboard, and can uniquely identify itself with the one-time password it generates, making it an excellent device for two-factor authentication.

What is a One-Time Password (OTP)?

A One-Time Password (OTP) is a password valid only for a single use; once used, it cannot be used again for authentication. A Yubico OTP is a unique sequence of characters generated every time the YubiKey button is touched. The Yubico OTP consists of a sequence of 32 Modhex characters representing information encrypted with a 128-bit AES key (AES-128).

The information that makes up a Yubico OTP consists of:

  1. The Private identity of the YubiKey
  2. Counter fields tracking how often the YubiKey has been used
  3. A Timer field tracking the time between generating each OTP
  4. A Random number to add additional security to the encryption
  5. A closing CRC16 checksum of all the fields

Read more about the Yubico OTP
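The structure listed above can be made concrete by building and unpacking a token the way a validation server sees it. The following Go program is an added example, not Yubico's own code or the YubiKey firmware: it decodes Modhex, decrypts the 16-byte body with the AES-128 key, checks the closing CRC16, and shows the counter comparison a validator performs so that a previously seen OTP is rejected. The AES key, private identity and counter values are constructed demo values, and the Seal function only mirrors what the key does in hardware (a real YubiKey never exposes that operation or its key).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Modhex maps nibbles 0..15 to "cbdefghijklnrtuv", keys in the same positions on most layouts.
const modhex = "cbdefghijklnrtuv"

// ModhexDecode turns modhex text into bytes; 32 characters give the 16-byte OTP body.
func ModhexDecode(s string) ([]byte, error) {
	if len(s)%2 != 0 {
		return nil, errors.New("odd-length modhex string")
	}
	out := make([]byte, len(s)/2)
	for i := 0; i < len(s); i += 2 {
		hi, lo := strings.IndexByte(modhex, s[i]), strings.IndexByte(modhex, s[i+1])
		if hi < 0 || lo < 0 {
			return nil, fmt.Errorf("invalid modhex character near offset %d", i)
		}
		out[i/2] = byte(hi<<4 | lo)
	}
	return out, nil
}

// CRC16 is the ISO 13239 checksum (init 0xFFFF, reflected polynomial 0x8408);
// over all 16 token bytes, including the stored CRC, a valid token leaves 0xF0B8.
func CRC16(data []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			crc = (crc >> 1) ^ (0x8408 & -(crc & 1)) // -(bit) is 0xFFFF when the bit is set
		}
	}
	return crc
}

// Token is the plaintext that the key's 128-bit AES key protects inside every OTP.
type Token struct {
	PrivateID  [6]byte // private identity, only ever seen in clear by the validator
	UseCounter uint16  // non-volatile counter, increments on each power-up
	Timestamp  uint32  // 24-bit 8 Hz timer, restarted on power-up
	SessionUse uint8   // volatile counter, increments per OTP within a session
	Random     uint16  // random filler
}

// Seal lays out the fields, appends the complemented CRC and encrypts the single
// AES block, as the key does in hardware. Demo only: a real YubiKey never exposes this.
func Seal(block cipher.Block, t Token) []byte {
	buf := make([]byte, 16)
	copy(buf[0:6], t.PrivateID[:])
	binary.LittleEndian.PutUint16(buf[6:8], t.UseCounter)
	binary.LittleEndian.PutUint32(buf[8:12], t.Timestamp&0xffffff|uint32(t.SessionUse)<<24)
	binary.LittleEndian.PutUint16(buf[12:14], t.Random)
	binary.LittleEndian.PutUint16(buf[14:16], ^CRC16(buf[:14]))
	out := make([]byte, 16)
	block.Encrypt(out, buf) // exactly one block, so one AES call is the whole "ECB"
	return out
}

// Open decrypts an OTP body and checks the CRC; a wrong key or a tampered OTP fails it.
func Open(block cipher.Block, body []byte) (Token, error) {
	var t Token
	if len(body) != 16 {
		return t, errors.New("OTP body must be 16 bytes (32 modhex characters)")
	}
	buf := make([]byte, 16)
	block.Decrypt(buf, body)
	if CRC16(buf) != 0xf0b8 {
		return t, errors.New("CRC mismatch: wrong AES key or corrupted OTP")
	}
	copy(t.PrivateID[:], buf[0:6])
	t.UseCounter = binary.LittleEndian.Uint16(buf[6:8])
	t.Timestamp = binary.LittleEndian.Uint32(buf[8:12]) & 0xffffff
	t.SessionUse = buf[11]
	t.Random = binary.LittleEndian.Uint16(buf[12:14])
	return t, nil
}

// Replayed reports whether cur is not strictly newer than the last OTP accepted for
// this key: (UseCounter, SessionUse) must increase, so a replayed OTP is rejected.
func Replayed(last, cur Token) bool {
	if cur.UseCounter != last.UseCounter {
		return cur.UseCounter < last.UseCounter
	}
	return cur.SessionUse <= last.SessionUse
}

func main() {
	block, _ := aes.NewCipher([]byte("0123456789abcdef")) // constructed demo key
	body := Seal(block, Token{PrivateID: [6]byte{1, 2, 3, 4, 5, 6}, UseCounter: 7, SessionUse: 3})
	fmt.Println(Open(block, body))
}
```

Two points are worth noting. The CRC is what lets a validator distinguish a decrypt under the wrong key (or a tampered OTP) from a genuine one, since both produce a valid-looking 16 bytes; and the counter comparison only works if the validator stores the last accepted (UseCounter, SessionUse) pair per key, which is exactly the per-key state a validation server keeps alongside the AES key.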

2. The YubiKey

How can I backup my Yubikey?

It is not possible to create an exact copy of a YubiKey, but in some cases it is possible to make a copy of the credentials stored in the YubiKey.

YubiKeys are by design write-only, which means that the secrets of a credential can only be written into the device and not read out of it. If a credential is to be copied, it must thus be known beforehand, either recorded while programming the YubiKey or retrieved from the configuration log created during programming. Furthermore, only some credentials can be copied: Static Password and Challenge-Response credentials can be copied; Yubico OTP and OATH-HOTP credentials cannot.

To store a Static Password credential for later use, simply store the string entered if you intend to program it in scan code mode and the values in the “Password Parameters” window if you intend to program it in advanced mode. To store a Challenge-Response credential, store the values entered in their respective “Parameters” windows.

To use another YubiKey for a backup in a system that implements either Yubico OTP or OATH-HOTP credentials, you may be given the option to associate multiple YubiKeys with your account. If you do not find those options, please contact the administrator for that service directly.

What lanyards can I use with my YubiKey?

Conductive lanyards should not be used with the YubiKey Nano as they might cause unwanted interference with the touch sensor. Other than that, there are no other restrictions.

Before using a lanyard with the YubiKey Nano, please note that YubiKey Nanos are not designed for frequent insertion and removal. Use of a lanyard is thus up to each user’s individual discretion.

When can I purchase a YubiKey NEO with U2F?

Select organizations are internally using U2F-compliant versions of the YubiKey NEO. However, U2F-compliant YubiKey NEOs will not be publicly available until later this year.

Are current YubiKey NEOs U2F upgradable?

Current YubiKey NEOs sold do not support U2F and are not upgradable.

Can I use the YubiKey with an iOS device (iPad, iPhone)?

Yes – the YubiKey can be connected to an iPad or iPhone using Apple’s Camera Connection Kit (iPhone 4) or Lightning to USB Camera Adapter (iPhone 5). For more information, please see: http://www.yubico.com/start/ipad/

Does the YubiKey work with USB3 Ports?

The YubiKey is a USB 1/2 device (like any other USB keyboard) and works with USB 3 ports thanks to backward compatibility. If you are experiencing issues with your USB 3 port, please try the following:
- Test that the YubiKey works correctly on a USB 2 port.
- Download and install the latest drivers for your USB 3 controller. A common maker of USB 3 controllers is NEC; check which hardware you have and which drivers are the right ones for it.
- Plug a USB hub into your USB 3 port and plug the YubiKey into one of the hub's ports. If the YubiKey works there, the problem may be mechanical, in the USB 3 connector itself.

I keep triggering my Nano inadvertently. What should I do?

1. Turn off FastTrigger (Settings -> Extended Settings) – you will then need to touch the YubiKey Nano for at least half a second to emit an OTP.
2. For an even longer wait time, consider moving the configuration to the second slot.
3. For OS X users, the taskbar application YubiSwitch will turn off your YubiKey Nano automatically after a period of inactivity.

My YubiKey NEO is not being detected by my NFC-capable device. What should I do?

Please follow these steps to troubleshoot your device.

1. Make sure that your device’s NFC is toggled on.

2. Position your YubiKey NEO as close to the NFC antenna (of your device) as you can and hold it there for two to three seconds. Due to the small size of the YubiKey NEO and its antenna, the YubiKey NEO needs to be a lot closer to the device’s NFC antenna.

3. If the YubiKey NEO registers but does not work, please download the Android app TagInfo by NXP, scan your YubiKey NEO and attach the data (you can export it via email or other means) when you raise a ticket with support@yubico.com.

4. If this does not work, please test your YubiKey NEO with another NFC-capable device and/or test your NFC-capable device with an NFC tag before raising a ticket here.

Is my device compatible with the YubiKey?

This depends on how you are planning to use the YubiKey.

For standard YubiKey functionality (Yubico OTP, OATH-HOTP, Challenge-Response, Static Password) over USB, YubiKeys use the same drivers as USB keyboards. If your device supports USB keyboards, it will work with the YubiKey. If your device does not load the driver, please try plugging in a USB keyboard first.

For standard YubiKey functionality over NFC, the YubiKey NEO uses the NDEF4 standard. If your device supports this standard, it will work with the YubiKey.

For SmartCard functions, the YubiKey NEO uses the ISO 7816-4 standard over USB and the ISO 14443-4 standard over NFC. If your device supports these standards, it will work with the YubiKey.

What is the default NDEF4 tag of the YubiKey NEO?

The YubiKey NEO is shipped with its NDEF4 tag programmed to emit a URI of the form https://my.yubico.com/neo/[OTP].

What modes can I use with the YubiKey NEO’s NDEF interface?

The following features are available over the YubiKey NEO’s NDEF interface.

- Yubico OTP
- OATH-HOTP
- Static Password (Advanced Mode)

What is a YubiKey?

A YubiKey is a One-Time Password (OTP) generator device. It generates a unique sequence of characters as an OTP every time its button is pressed. As the term suggests, a One-Time Password is valid only for a single use and cannot be used again for authentication. YubiKeys are typically used in implementing strong two-factor authentication solutions which provide much stronger security when compared to using only a username and password. The YubiKey supports multiple types of configurations and may be used to generate One-Time Passwords as well as static passwords.

Read more about the YubiKey

The YubiKey acts as a simple one-button generic USB keyboard which may be used from any computer platform or browser without needing to install any client software or special drivers.

The YubiKey has two configuration slots. When a YubiKey is configured to use both slots the user may select between each configured output by pressing the button on the YubiKey for different lengths of time:

  1. Short press (0.3 – 1.5 seconds) and release – OTP from configuration slot #1 is yielded
  2. Long press (2.5 – 5 seconds) and release – OTP from configuration slot #2 is yielded

More information can be found in Section 4 of the YubiKey Manual.

Is it possible to upgrade the YubiKey firmware?

No, it is currently not possible to upgrade YubiKey firmware. To prevent attacks on the YubiKey that might compromise its security, the YubiKey does not permit its firmware to be accessed or altered.

Yubico is dedicated to providing a long-term two-factor authentication solution, and we want your YubiKey to remain useful for the full extent of its lifetime. When we do release new firmware, we ensure that the new YubiKey functions the same as older versions, so there is no need to purchase new YubiKeys to ensure compatibility.

Why does the YubiKey act as a keyboard?

To allow the YubiKey to be compatible across multiple hardware platforms and Operating Systems, the YubiKey acts as a USB keyboard to the OS. This design provides several advantages including:

  1. Virtually all mainstream Operating Systems have built-in USB keyboard support.
  2. Since the YubiKey uses generic keyboard drivers, there are no special drivers that need to be installed to use the YubiKey.
  3. In organizations where USB ports are blocked for security concerns the use of USB keyboards, and thus the YubiKey, is still permitted.
  4. The user does not have to manually enter an OTP generated by the authentication device into the application's authentication screen. The YubiKey user simply clicks in the OTP input field and touches the YubiKey button briefly. Besides reducing the time spent on authentication, this also helps avoid human errors while typing in the OTP.

How can I check the firmware version of a YubiKey?

The Cross Platform Personalization tool will list the firmware version of a YubiKey plugged into the computer it is running on. The Firmware Version is displayed on the right side of the Personalization tool screen, above the serial number of the YubiKey.

What can I do with my YubiKey?

The YubiKey can be used in a large variety of ways. A non-exhaustive summary can be found on the Applications page.

Read more about YubiKey Applications

Can I use the YubiKey with my Mac?

Yes, the YubiKey can be used with any computer (including a Mac) that has a standard USB 2.0 port and supports USB keyboards. The YubiKey identifies itself to the computer as a USB keyboard, and is therefore OS independent. It works with Windows, Linux, OS X, iOS (iPad/iPad 2/iPad 3 only), PS3, Xbox 360, Wii etc. without requiring the installation of any device drivers.

Can I use my YubiKey with my PC?

Yes, the YubiKey can be used with any computer (including PCs) that has a standard USB 2.0 port and supports USB keyboards. The YubiKey identifies itself to the computer as a USB keyboard, and is therefore OS independent. It works with Windows, Linux, OS X, iOS (iPad/iPad 2/iPad 3 only), PS3, Xbox 360, Wii etc. without requiring the installation of any device drivers.

My YubiKey is not working. What should I do?

Please attempt the following steps to troubleshoot your device.

In each of these steps, insert the YubiKey into the USB port, open a text editor (such as Notepad) and press the button on the YubiKey.

1. Use the YubiKey in a different USB Port on the same computer.
2. Use the YubiKey in a different computer.

Please then write to us with the following.

1. The output you see on the text editor.
2. The behaviour of the green LED both when you insert the YubiKey and when you touch the button.
3. The operating systems that were running on your computers.

What happens if I don’t have my YubiKey with me?

The answer depends on what options each application vendor and service provider offers users for such a situation. It is common practice for the application/service to offer an option to temporarily disable the need for YubiKey authentication and fall back to one-factor authentication for a certain duration (such as a day). Other applications may provide temporary OTPs over other communication channels, like SMS or email. Some applications may even support backup mobile tokens. But again, all these options need to be implemented by the application vendor/service provider in a way that suits their security requirements. Please check with each application or service to see how they handle situations where a user's YubiKey is unavailable.

3. Password Managers

How can I add a YubiKey to my LastPass account?

Please follow the instructions linked below to associate your YubiKey to your LastPass account.

YubiKey Authentication with LastPass

Where can I find my activation URL?

If you bought a LastPass Bundle from our store, your LastPass Premium subscription will be mailed to you in the form of an activation URL. This URL should be mailed to you from our store – if you do not find it, please log in to your account on the store and access your order history.

Which YubiKeys work with LastPass?

Any YubiKey can work with LastPass, including the standard YubiKey, YubiKey Nano and YubiKey NEO, as long as the YubiKey is configured with a Yubico OTP. Yubico and LastPass also offer a discounted bundle with YubiKey + LastPass Premium.

Read more about the discounted bundles

Does the YubiKey work with the LastPass Mobile Device Application?

The LastPass Mobile Device Application supports the YubiKey two-factor authentication at this time using the YubiKey NEO, except on the iPad/iPhone due to hardware limitations.

Read more on LastPass Mobile Support for the YubiKey NEO

How do I get a YubiKey to work with LastPass?

To enable the use of a YubiKey with LastPass you need to have a YubiKey and a LastPass premium account.

Read more about it

4. Get a YubiKey

How can I buy a YubiKey?

You can order YubiKeys online on our web store. Options include purchasing single YubiKeys or trays of 10 or 50 YubiKeys. A single standard YubiKey costs $25; YubiKeys in trays of 50 are $15 each.

Yubico Web Store

How much is the shipping cost when ordering YubiKeys online?

The shipping costs depend on where you want your YubiKeys shipped and how many YubiKeys are in your order. For most countries, there is a US$5 postage option for up to 3 YubiKeys.

US & Canada:
1-5 YubiKeys: US$5
> 5 YubiKeys: USPS tracked from US$15, FedEx, from US$40

Europe, Asia, Africa and Australia*:
1 – 3 YubiKeys: US$5
> 3 YubiKeys: DHL Express shipment, from US$20

Americas (except US & Canada):
1 YubiKey: US$5
2-10 YubiKeys: US$10
> 10 YubiKeys: USPS tracked from US$40, FedEx shipment, from US$85

Russian Federation:
1-100 Keys: US$54 via our delivery partner Mega Engineering

China:
Please contact sales@yubico.com before ordering. We may only ship to companies and they must supply a C/R code. DHL Express is the only service we offer.

Please note that VAT is charged on shipping and handling in European Union countries.

Please make sure your shipping address is correct. If a shipment fails to arrive due to an incorrectly entered shipping address**, the appropriate shipping fee will be re-charged before the order is re-shipped.

* We have disabled the $5-option without tracking for a few countries where we experienced a high rate of non-delivery. This is to ensure that you will receive your YubiKeys when you order them.
** As the shipment might take up to 4 weeks to arrive, please do not use an address that will not be valid at least for that time. We will not be responsible for unsuccessful deliveries in such cases.

Why does the store show that my VAT number is invalid?

We use the VIES service (linked below) to validate VAT numbers. If your number does not validate, we cannot accept it. Please check if your number validates on the service and check with your local VAT authority if it does not.

http://ec.europa.eu/taxation_customs/vies/vatResponse.html

5. Security

What happens if I lose my YubiKey?

If you are using your YubiKey with a service and/or application, the policy for lost or stolen YubiKeys depends on how the service/application deals with the situation.

The simplest is if the site supports alternative authentication mechanisms, so that you can regain access to the account and can de-associate the lost YubiKey from your account, and associate your new YubiKey to the account.

For example, the LastPass Premium subscription allows users to configure up to 5 YubiKeys with a LastPass account, so they can continue to log in using other keys if one is lost. Read more about it here.

If you cannot regain access, typical sites have an authentication credential recovery mechanism. You would use that to regain access to your account, and to dissociate the YubiKey and then re-associate it again.

Applications/services may also provide other mechanisms for users/administrators to assign a new YubiKey in case the user loses his/her original key. Please inquire directly with applications or services supporting the YubiKey about their policies.

Please see also our blog post on this topic.

Can a YubiKey be copied?

No, a YubiKey cannot be copied, as the computer recognizes the YubiKey as a keyboard. The YubiKey types a One-Time Password (OTP) when the button is pressed. Click here for a technical description of the YubiKey.

What kind of encryption is used for your server security?

The Yubico Validation Server supports HTTPS for secure communication with validation clients. Additionally, the validation protocol also (optionally) uses HMAC-SHA1 signatures on the request and the response to verify message integrity.

Read more about it
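The HMAC-SHA1 message signing mentioned above, shown as an added Go example rather than Yubico's own client code. It assumes the layout of the YubiCloud validation protocol: a request carries the client id, the otp and a client-chosen nonce, the signature travels in the h parameter, and the response is returned as name=value lines that echo otp and nonce alongside a status. The API key, client id, OTP and nonce in the program are constructed demo values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Sign computes the h parameter: every parameter except h, sorted by name and
// joined as name=value with "&", is authenticated with HMAC-SHA1 under the
// base64-decoded API key, and the digest is returned base64-encoded.
func Sign(apiKeyB64 string, params map[string]string) (string, error) {
	key, err := base64.StdEncoding.DecodeString(apiKeyB64)
	if err != nil {
		return "", fmt.Errorf("API key is not valid base64: %w", err)
	}
	names := make([]string, 0, len(params))
	for name := range params {
		if name != "h" {
			names = append(names, name)
		}
	}
	sort.Strings(names) // canonical order, so both sides sign the same bytes
	pairs := make([]string, 0, len(names))
	for _, name := range names {
		pairs = append(pairs, name+"="+params[name])
	}
	mac := hmac.New(sha1.New, key)
	mac.Write([]byte(strings.Join(pairs, "&")))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil)), nil
}

// Verify recomputes h for a received message and compares it in constant time.
func Verify(apiKeyB64 string, params map[string]string) bool {
	expected, err := Sign(apiKeyB64, params)
	if err != nil {
		return false
	}
	return hmac.Equal([]byte(expected), []byte(params["h"]))
}

// ParseResponse splits the server's "name=value" lines into a map. Only the
// first "=" separates name from value, because the base64 in h may end with "=".
func ParseResponse(body string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(body, "\n") {
		if kv := strings.SplitN(strings.TrimRight(line, "\r"), "=", 2); len(kv) == 2 {
			out[kv[0]] = kv[1]
		}
	}
	return out
}

// CheckResponse validates a response against the request that produced it: the
// signature must verify, and the echoed otp and nonce must match what was sent,
// so a captured response for one request cannot be replayed to answer another.
func CheckResponse(apiKeyB64 string, request map[string]string, body string) (string, error) {
	resp := ParseResponse(body)
	if !Verify(apiKeyB64, resp) {
		return "", errors.New("response signature does not verify")
	}
	if resp["otp"] != request["otp"] || resp["nonce"] != request["nonce"] {
		return "", errors.New("response does not belong to this request")
	}
	return resp["status"], nil
}

func main() {
	apiKey := base64.StdEncoding.EncodeToString([]byte("constructed demo key")) // not a real key
	req := map[string]string{"id": "12345", "otp": strings.Repeat("c", 44), "nonce": "constructednonce0123"}
	req["h"], _ = Sign(apiKey, req)
	fmt.Println(req["h"], Verify(apiKey, req))
}
```

HTTPS protects the channel; the HMAC is what ties a particular response to a particular request and client key, which is why a client should check the echoed otp and nonce as well as the signature before trusting the status it receives.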

Where are Yubico’s servers located?

Yubico currently has five YubiCloud OTP validation servers. They are located around the world, distributed and synchronized to ensure that there is no single point of failure. Read more about the YubiCloud service and servers.

6. Development

How do I get an API-Key for YubiKey development?

To get your API key, please click here and enter a valid email address in conjunction with a Yubico OTP from any of your YubiKeys. The resulting page will show the generated Client ID (aka AuthID or API ID) and the generated API key (Secret Key). Make a note of both and use these two values in your client. Please wait 5 to 10 minutes after generating the key before testing so that the API key will be updated on all the YubiCloud servers. YubiKeys come with a lifetime subscription to our YubiCloud validation service – there are no additional fees for using the YubiCloud validation service.

Read more about Web API Clients

7. YubiRADIUS

What is the cost of YubiRADIUS Virtual Appliance?

YubiRADIUS is a free offering with optional paid Support offered by Yubico.

What popular directory services/products are known to work with YubiRADIUS?

YubiRADIUS has been tested with Microsoft Active Directory and OpenLDAP as these are the standard directories officially supported by Yubico. We expect it to be able to work with other popular directory services and products with little to no changes.

Can we install the YubiRADIUS Validation Server on the Windows platform?

Yes, if you install VMware Server or VMware Player on your Windows computer, you can use the YubiRADIUS image in VMware format. If you install Oracle VirtualBox you can use the OVF image.

What popular VPN and Firewall devices are known to work with YubiRADIUS?

Yubico customers have reported that various VPN – Firewall devices from the following vendors are successfully integrated with YubiRADIUS:

  • Cisco
  • Juniper
  • WatchGuard
  • Barracuda
  • Nortel
  • Defender 5

Does YubiRADIUS Virtual Appliance support software tokens?

YubiRADIUS 3.5.1 (and later) supports the Yubico software token, the YubiApp for the Android platform, with future support planned for the iPhone (iOS). The YubiApp acts as a backup to a physical YubiKey, which is required in order to register the YubiApp for use.

What is the difference between the two YubiRADIUS Virtual Appliance image formats, OVF and VMware?

These are the two image formats supported by different virtualization platforms. If you are using VMware Server or Player you will need the image in VMware format; if you use VMware ESXi or Oracle VirtualBox you need to use the OVF format.

Is YubiRADIUS Virtual Appliance available for Microsoft Hyper-V?

Currently, Yubico releases YubiRADIUS Virtual Appliance images in VMware and OVF virtualization formats. We have heard reports of people who have used publicly available tools to convert these images to Hyper-V format successfully.

How much time does it take to complete the installation of the YubiRADIUS Validation server on a server for authentication?

This virtual appliance comes with a pre-loaded instance of Validation Server and can be up and running in less than a couple of hours.

Read more about YubiRADIUS

Is there a limit on the number of users supported by YubiRADIUS?

There is no hard limit enforced on the number of users in YubiRADIUS software components. In practice, the limit of the total number of users supported would depend on your internal resources available for the YubiRADIUS Virtual Appliance.

Is the YubiRADIUS Virtual Appliance hardened?

YubiRADIUS Virtual Appliance is not explicitly hardened, as security requirements and policies differ from customer to customer. Further details can be found under the section “Appendix: Security Considerations” of the YubiRADIUS Configuration Guide, which is available from the YubiRADIUS Download Page. We highly recommend that users harden their YubiRADIUS instance according to their security requirements and company policy.

The YubiRADIUS Download Page

Does YubiRADIUS Virtual Appliance offer redundancy support?

Yes, multiple YubiRADIUS Virtual Appliances (YRVA) can be set up in a redundancy configuration to help avoid a single point of failure when the local on-board validation server is used. Please note that only the OTP validation state and the username-to-YubiKey ID mappings are synchronized between the YubiRADIUS instances configured for synchronization. The import of YubiKeys and the configuration of services on each image need to be performed separately on each YubiRADIUS instance. Further details can be found under the section “Setting up the Global configuration parameters” (subsection Synchronization) of the YubiRADIUS Configuration Guide, which is available from the YubiRADIUS Download Page.

The YubiRADIUS Download Page

Our VPN client limits the number of characters that can be entered in the password field, so it is not possible to append the OTP to the normal password. Is there any solution?

YubiRADIUS 3.5.1 (and later versions) supports the option of allowing users to append the OTP to the username instead of to their password. Further details can be found under the section “Setting up the Global configuration parameters” of the YubiRADIUS Configuration Guide, which is available from the YubiRADIUS Download Page.

The YubiRADIUS Download Page

When choosing to use “Local Validation Server” with YubiRADIUS, what is the use of YubiKey records like the AES Key and Private ID?

A short description is found in the YubiRADIUS Manual under section 5.2.4, here. In order to perform the task of OTP validation, the selected validation server needs to maintain the AES Key, Private ID and other relevant parameters (like the counter values from the last successfully validated OTP etc.) for your YubiKeys. The AES keys are stored securely by a Key Storage Module, which may be either the software solution YK-KSM or the hardware YubiHSM device.

If you select the “Local Validation Server” you will need to:

  • Reprogram your YubiKeys using the cross-platform personalization tool
  • The tool will generate a log file from your programming activity that has the details of the AES key, Public and Private IDs for each YubiKey programmed
  • Import the .csv log file generated by the tool so the AES keys and other related information is imported into the internal database of the Key Storage Module. This will allow for the OTPs from your YubiKeys to be validated by the local Validation Server.

How can I return a user’s group membership information in the RADIUS response from YubiRADIUS?

YubiRADIUS 3.5 and later can return a user’s group membership information in the RADIUS response. Further details can be found under the section “Return user’s Group Membership information in RADIUS response” of the YubiRADIUS Configuration Guide, which is available from the YubiRADIUS Download Page.

The YubiRADIUS Download Page

YubiRADIUS comes configured for DHCP, but I need a static IP address. What should I do?

A static IP address is recommended for any server/service. However, YubiRADIUS comes preconfigured for DHCP to allow users to get it up and running quickly and easily. Once YubiRADIUS is up and running we recommend that you change the address from the Debian OS menu.

I want to use the YubiKey in a RADIUS setup with dedicated support. What options do I have?

Support for YubiRADIUS has been discontinued as of 27th December 2013. However, a number of third-party providers offer a YubiKey-compatible RADIUS product, including the following.

For more options, please check out our partner page here.

8. YubiHSM

What is the YubiHSM?

The YubiHSM is Yubico’s take on a practical HSM with great security, great quality, and a low cost of ownership. It does not provide all the physical security of other HSMs, but it protects your secrets from internet intrusion, such as someone gaining root access to the server.

Is the YubiHSM for symmetric encryption only?

YES – at its current level the YubiHSM does not support asymmetric cryptography. We may introduce support for asymmetric operations in a later version.

Is the YubiHSM security certified (FIPS 140 or similar)?

NO – we may consider this in the future for a premium version (due to cost). We will decide later on when the final functionality is fully defined and has been tested out thoroughly.

Is the YubiHSM protected against physical intrusion?

We don’t make any guarantees, but there is no easy way to read out the contents of the YubiHSM even with physical access. On top of that, the key store can be stored encrypted with AES-256 (passphrase needed on startup).

Are keys deleted on intrusion events?

The YubiHSM does not currently have any means of detecting intrusion events, but it may be configured to protect stored keys by encrypting them with an AES-256 encryption.

Is the internal CPU a designated security CPU or just an ordinary COTS one?

It is currently an ordinary COTS CPU, selected for cost reasons.

Isn’t the above required to really protect the keys?

The main design objective of the YubiHSM is to protect keys from remote attacks. With that said, it is still non-trivial to retrieve keys from a YubiHSM even if it is stolen or physically compromised.

Why is USB CDC used rather than a custom driver?

This is because the Windows, Linux and Mac platforms all support USB CDC. USB CDC communication is very simple and straight-forward using normal file I/O functions.

The USB interface is only full-speed. Why not high-speed?

With the current design, the communication speed is not a practical performance limiting factor.

The internal Yubikey key storage is just 1024 entries. I want more!

We needed to set the limit somewhere and onboard storage represents a cost driver. We may introduce a version with more internal storage later on.

Can the device firmware be upgraded via USB, a.k.a. DFU?

No, we explicitly decided to not include an upgrade feature due to security concerns. The only interface and protocol available is USB CDC under firmware control.

9. Others

How can I partner with Yubico?

There are two schemes available – the Yubico Authorized Reseller Program and the Yubico Online Affiliate Program.

Read more on Yubico’s Authorized Reseller Program
Read more on Yubico’s Online Affiliate Program