

Security



The YubiKey is designed to counter common threats to security when logging on to online services.


Weak passwords – compromise by guessing
The YubiKey generates a cryptographically secured, 32-character, time-variant pass code. Guessing or analyzing the codes, or otherwise trying to gain access without possessing the physical YubiKey, is therefore not practically possible.


Identity theft – eavesdropping
The pass code generated by the YubiKey changes every time, so intercepting a code and replaying it won't give access, as one code cannot be used twice.


Identity theft – social engineering
An attacker needs to have physical access to the YubiKey in order to generate pass codes. Simply asking for information known by the key holder is not enough to compromise the security.


Phishing
Because the pass code has a time-variant aspect, obtaining one code to be used later does not compromise security, as the attacker can't control the time-variant aspect.


Key-loggers
As with eavesdropping, simply logging what pass codes have been generated by the YubiKey won't help as a pass code can only be used once.
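
The single-use property described under eavesdropping and key-loggers has to be enforced by the verifying service, as sketched below. This is an added example, not Yubico's code: the `Token` and `Verifier` classes, the `key-01` id and the HMAC-over-counter code format are assumptions standing in for the device's own algorithm, which this page does not describe.

```python
import hashlib
import hmac
import secrets

# Assumption: HMAC over a per-press counter stands in for the device's own
# code generation, which the page does not describe.
def _tag(secret: bytes, key_id: str, counter: int) -> str:
    msg = f"{key_id}:{counter}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]

class Token:
    """Hypothetical token: the secret and counter stay inside the object."""
    def __init__(self, key_id: str, secret: bytes):
        self.key_id, self._secret, self._counter = key_id, secret, 0

    def press(self) -> str:
        self._counter += 1  # every press yields a different code
        return f"{self.key_id}:{self._counter}:{_tag(self._secret, self.key_id, self._counter)}"

class Verifier:
    """Server side: accepts each pass code at most once."""
    def __init__(self):
        self._keys = {}  # key_id -> [shared secret, highest counter accepted]

    def enroll(self, key_id: str, secret: bytes) -> None:
        self._keys[key_id] = [secret, 0]

    def verify(self, code: str) -> str:
        try:
            key_id, counter_s, tag = code.split(":")
            counter, entry = int(counter_s), self._keys[key_id]
        except (ValueError, KeyError):
            return "malformed"
        expected = _tag(entry[0], key_id, counter)
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "bad-code"   # guessed or altered code
        if counter <= entry[1]:
            return "replayed"   # already used, or older than a used code
        entry[1] = counter
        return "ok"

def demo() -> list:
    secret = secrets.token_bytes(16)  # constructed sample secret
    token, server = Token("key-01", secret), Verifier()
    server.enroll("key-01", secret)
    logged = token.press()   # captured by a key-logger, not yet submitted
    fresh = token.press()
    return [server.verify(fresh), server.verify(fresh),
            server.verify(logged), server.verify("key-01:3:" + "0" * 32)]
```

In this sketch the logged code is rejected only because a later code has already been accepted; the verifier must persist the highest accepted counter per key for the check to hold across restarts.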


Other Trojans and viruses
Unlike software-based security solutions, the YubiKey's secrets reside outside the computer and are therefore out of reach of the attacker. As the pass code is generated by physically pressing the YubiKey, a Trojan cannot trigger the release of the code.


Non-repudiation
As the physical YubiKey is needed to generate a pass code, it is difficult for a fraudulent user to deny having conducted a transaction.


» Download YubiKey Security Review.pdf

Copyright © Yubico 2008                Tel. California: +1 (408) 807 2940    Tel. Sweden: +46 8 411 30 00    Email: info@yubico.com