What is a root of trust?

A root of trust is an external hardware authenticator that can be used with any computer or mobile device to identify that the person accessing an account is the rightful owner.

Why is a root of trust important?

Today, you may have several devices that you use on a day-to-day basis to log into websites, services and applications. A WebAuthn root of trust, such as the one offered by a hardware security key, ensures that you can always authenticate to any website or service, across any platform, rapidly and securely.

Account access and recovery

2 devices lost

Every 3 years, an average user will lose two devices which they never see again.*

10.9 hours

Overall, the average user spends 10.9 hours per year** managing passwords.

$5.2M lost

The average company loses $5.2M annually** in lost productivity due to account lockouts.

* Source: https://mozy.com/about/news/reports/lost-and-found/

** Source: Ponemon Report – 2019 State of Password and Authentication Security Behaviors Report

How a root of trust works
Powered by WebAuthn

Easy and fast user registration

When a user registers on a website, the device platform offers the user several options to start their journey.

The user may be offered the choice of either an external authenticator, such as a hardware security key, or an internal authenticator built into the OS platform itself, such as a fingerprint touchpad on the user’s laptop, to secure their new account. The best practice is to use the external authenticator first, before enabling the internal authenticator.

Greater user choice and control

During the registration process, a credential is created and stored on the authenticator of choice. For fast recovery and bootstrapping of a new device, it is recommended that the user always register first with the external authenticator, such as a hardware security key, and then bootstrap the internal authenticator using the external key. If a device is lost, the security key credential is still usable on a replacement device, unlike the built-in authenticator, which is no longer accessible once the device is lost.

Once this has been completed, the user can authenticate to the web service or other resources using whichever authenticator they prefer on a day-to-day basis.
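
The registration order recommended above, sketched as a relying-party policy. This is an added example, not Yubico's code; the account and session shapes, the function names and the example.test relying party are assumptions. An internal authenticator can be enrolled only from a session signed in with an already registered external key, and removing a lost device leaves the key's credential in place.

```javascript
// Added example: server-side ordering policy for WebAuthn registrations.
// Account/session shapes and all function names here are hypothetical.
const RP = { id: "example.test", name: "Example RP" }; // constructed relying party

// May an authenticator with this attachment be enrolled right now?
function canRegister(account, attachment, session) {
  const creds = account.credentials;
  if (attachment === "cross-platform") {
    // First credential on a new account, or an extra key added from a
    // session that signed in with a credential already on the account.
    return creds.length === 0 || creds.some(c => c.id === session.credentialId);
  }
  // Internal (platform) authenticators are bootstrapped only from a session
  // that was itself authenticated with a registered external key.
  return creds.some(
    c => c.attachment === "cross-platform" && c.id === session.credentialId
  );
}

// Build the PublicKeyCredentialCreationOptions that the page's script would
// pass to navigator.credentials.create({ publicKey: options }).
function registrationOptions(account, attachment, session, challenge) {
  if (!canRegister(account, attachment, session)) {
    throw new Error("register and sign in with an external security key first");
  }
  return {
    rp: RP,
    user: { id: account.userHandle, name: account.name, displayName: account.name },
    challenge, // fresh random bytes generated by the server for each ceremony
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // -7 = ES256
    authenticatorSelection: { authenticatorAttachment: attachment },
    // Prevent the same authenticator from being enrolled twice.
    excludeCredentials: account.credentials.map(c => ({ type: "public-key", id: c.id })),
  };
}

// Device loss: drop credentials bound to that device. The external key's
// credential is not tied to any device, so it stays usable for recovery.
function removeLostDevice(account, deviceId) {
  account.credentials = account.credentials.filter(c => c.deviceId !== deviceId);
  return account.credentials.map(c => c.id);
}
```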

Fast-track onboarding a new device or account recovery

If the user wants to add a new device to authenticate to the web service, or in the event of a lost or stolen device, having a portable root of trust, such as a security key, greatly accelerates the onboarding and account recovery process.

The user no longer needs cellular connectivity, or to wait for SMS codes to be sent from each web service, or to enter multi-digit codes one by one for each web service. With a security key, a user can insert the key into the USB port of a laptop or desktop, or simply tap a mobile device, and instantly be re-authenticated to a variety of web services quickly and efficiently, without any need for cellular connectivity or calls to the helpdesk.

A security key root of trust delivers high security

A root of trust, such as a hardware security key, offers a physical and cryptographic guarantee of possession of a unique hardware device. The private key material or “secret” cannot be extracted as the external authenticator cannot be cloned or tampered with, and the privacy secrets cannot be revealed.

A root of trust can be used for step-up authentication. With an external portable root of trust, a user can be easily and quickly re-authenticated when initiating sensitive transactions such as making a large financial transaction, or when submitting a prescription.

User experience:

User gets a new device and is trying to log into a mobile app using 2FA

NO PORTABLE ROOT OF TRUST

User installs mobile application

User signs in using username and password

User is prompted on which phone number to receive SMS OTP

User waits for the SMS OTP

User receives message

User taps on message

User memorizes or copies the code in the message

User switches to mobile app

User enters OTP into mobile app

User submits the code

User gains access to the service

WITH PORTABLE ROOT OF TRUST

User installs mobile application

User signs in using username and password

User inserts the YubiKey into device and touches the key

Gains access to the service

Streamlined User Experience

Say hello to the YubiKey, goodbye to account takeovers.

Yubico © 2021. All Rights Reserved.
