Ashton Tupper

Internet security myth-busters: Debunking 3 common misconceptions about two-factor authentication

October is National Cyber Security Awareness Month and this year, it comes at a time when we are using online services more than ever. The pandemic has forced many of us to almost entirely rely on our digital identities to work, shop, learn, and generally keep in touch, putting the resilience of authentication technologies to the test. 

In April, Google reported 18 million daily malware and phishing emails related to COVID-19 over the course of just one week. Six months later, there are still no signs of social engineering attacks slowing. If anything, we’ve learned that phishing scams are not just targeting executives or people of power — everyday individuals are also at risk, and it’s important that every person has the means in place to combat these kinds of attacks. The first step: turn on two-factor authentication (2FA) wherever you can.

Feeling hesitant, or that 2FA might not be for you? We’re here to put a couple of myths to rest, and offer a few tips for Cyber Security Awareness Month, so you can make more informed decisions about boosting your online security.

Cyber security myth #1: Strong and unique passwords will keep you secure enough 

Regardless of your password length or the number of unique characters you use, passwords were not built to withstand motivated hackers and their evolving threats. Don’t get us wrong, proper password management and hygiene is incredibly important, which is why we support a multitude of password managers. But we also urge you to take your online security one step further.

We recommend setting up two-factor authentication (2FA) on all of your accounts — even with your password manager — for an extra layer of security beyond your username and password. This ensures that hackers have to break through two barriers to access your account instead of just one. YubiKey 2FA in particular is designed to minimize threats from remote hackers as it requires physical access to the key to log in. 

Cyber security myth #2: All two-factor authentication is created equal

While any kind of 2FA is better than none at all, it’s important to understand which methods may still leave you vulnerable to attacks. For example, SMS codes or mobile authenticator apps are still no match for advanced cyber security threats like SIM swapping, mobile malware, phishing scams, and man-in-the-middle attacks.

As long as your 2FA method of choice is reliant on you to recognize that you’re being targeted by a hacker, human error will always be a possibility and vulnerabilities will continue to exist, as even the most vigilant users are prone to being tricked. The ultimate solution that has been proven to protect against phishing and man-in-the-middle attacks 100% of the time is a security key, like the YubiKey. Starting at just $20, it’s a small investment to make for your online security.

Cyber security myth #3: Two-factor authentication is complicated and time consuming

There’s typically a misconception that two-factor authentication makes you jump through too many hoops and is a hassle. In truth, it can be incredibly simple to use and doesn’t always involve copying and pasting one-time passcodes. 

There are solutions, like the YubiKey, that require just one touch or a tap of the key to log in. You can even set your phone or laptop to be a trusted device and it will only require you to log in with your YubiKey once, as long as you are on that machine. 

Another user-friendly tip: enable YubiKey 2FA on a social identity provider, like Google, Facebook, Microsoft Accounts and others, and leverage these services to register and sign in to other applications. By doing this, you are extending the same level of security on your Google, Facebook, or Microsoft account to every other service, all without requiring additional effort on your end. When thinking about upping your security, remember that strong authentication doesn’t have to be complicated. In fact, it can — and should — be seamless.

Staying safe from hackers might seem daunting or out of your control at the moment – but it’s actually much easier than you might think. And now that we’ve debunked three of the most common cyber security myths around two-factor authentication, we hope you’ll take the necessary steps to better protect your online accounts.

If you’re interested in getting started with two-factor authentication using the YubiKey, visit the Yubico store to purchase one today, and secure your favorite applications like Google, Twitter, Facebook, Dropbox, and more.

Chad Thunberg

Responding to the rising wave of social engineering attacks against remote workers

By now, it’s clear the pandemic has provided perfect conditions for many types of social engineering attacks. We’ve seen plenty of reports and warnings from the FBI, CISA, Interpol, and other reputable organizations about the growth in coronavirus-related attacks, from spear-phishing to vishing, ransomware, and more, as the world adapts to remote working and its associated risks. 

In many ways, social distancing and remote work have created more fertile conditions for hackers, but the types of social engineering attacks we’re seeing today aren’t too different from what we’ve seen in the past. So, why are we still seeing major breaches making news headlines on a regular basis? 

If history has taught us one thing, it’s that hackers will always capitalize on the human element. Uncertainty, fear, distraction, isolation, and confusion can all contribute to increased vulnerabilities among users. And as we continue to face a rapidly shifting global news agenda, we can’t possibly anticipate the next twist in the pandemic or major news event that opportunistic hackers will exploit. Look at the rise in phishing attacks related to COVID stimulus and relief, for example.

We expect to see continued social distancing and increased virtual interactions long after the pandemic subsides, which means that enterprises must rely on strong authentication to protect against the rising wave of social engineering attacks. As we lose confidence in the security of systems and information with an increasingly decentralized work environment, it’s critical to re-establish trust with your users. Here’s how:

Employee education and training is not enough.

Educating employees to be on the look-out for COVID-related scams, while essential, is not a comprehensive response. No matter how much user education about phishing or social engineering takes place, some attacks will still succeed. As long as user action is required, and there is a reliance on users to identify phishing and man-in-the-middle attacks, vulnerabilities will continue to be an issue. 

It’s time to overhaul your 2FA strategy.

Organizations cannot afford to continually rely on passwords, recovery questions, or basic two-factor authentication (2FA) to protect against future social engineering attacks. These are methods proven time and time again to fall short in the face of mobile malware, SIM swapping, and phishing attacks. Hackers are getting more savvy, and we must as well. 

User experience is critical to your organization’s safety.

In a world where we are physically remote from coworkers or IT, and juggling home and work life, strong authentication must work at scale on a variety of devices, across business-critical applications, and within different environments. The better the user experience, the easier it is to deploy across and to secure the enterprise — unlike complex point solutions that only protect a niche set of users.

So, yes, the rise in COVID-related attacks is a real and present danger. But we can’t assume this is a temporary threat or unique to COVID. It is simply the latest version of an ongoing rise in social engineering attacks that demands a stronger response. Every day we are helping businesses large and small adapt to their new normal. Are you ready for yours?

Accelerate your digital transformation with hardware-backed strong authentication for your leading cloud-based services. Google Cloud, Microsoft Azure Active Directory, and many other day-to-day business applications offer built-in and seamless integration with the YubiKey.

Ronnie Manning

Preserving democratic integrity and election security is a job for all of us

As we enter the final month of the 2020 U.S. presidential race, election security and fraud is top of mind for many. With the memory of the 2016 Podesta breach still fresh, we are a nation braced for cyber-attack impact. 

Experts agree that, while countless security improvements have been made since 2016, we should expect more vigorous phishing attacks, data theft, ransomware, and disinformation efforts in the coming weeks. And while legions of cyber security professionals work around the clock to protect this apparatus of our democracy, we must all be vigilant to defend against foreign adversaries or domestic actors who seek to sow chaos or tamper with election outcomes. The truth of the matter is that election security extends far beyond the political organizations themselves. 

For years, Yubico has worked closely with state, local, and federal governments — recently in partnership with Defending Digital Campaigns (DDC) and Microsoft AccountGuard — to secure everything from bi-partisan campaigns to candidates’ email accounts with the YubiKey. Based on this extensive work to safeguard democratic electoral processes, there are three observations that underscore the pressing need for all of us — every business, every individual — to play a role in securing elections and re-infusing trust into our democratic process:

The conditions are perfect for phishing season 

Hackers thrive on fear, anxiety, and confusion. They leverage these emotions to facilitate social engineering attacks. When emotions are running high, people are more likely to fall for a phishing attempt. To put it another way, they’re less likely to stop and question the authenticity of an email or text message before clicking on a link or offering up their credentials. This year, fear, anxiety, and confusion are in bountiful supply, making the conditions perfect for phishing.

Politically-motivated hackers exploit unsuspecting targets 

In a phishing attack, a hacker can turn almost anyone into a weapon for use in their mission — whether that’s to help a particular candidate or simply cause unrest. 

Take the latest Twitter breach for example. According to WIRED, hackers sent out thousands of phishing emails and phone calls to Twitter employees in an effort to gain access to accounts of well-known and influential users. The consequences of such an account takeover in the final days of an election campaign could be catastrophic. Even if the breach were recognized immediately, the damage would be almost impossible to contain. 

In Twitter’s case, the company has focused intently on minimizing the chances of such an attack happening again — an exemplary effort that we would encourage other companies to mimic. Among other measures, the company recently announced it is rolling out phishing-resistant security keys. 

Hackers can work their way from account to account in order to get closer to their target. For example, they might target an individual that is a friend of someone who works at a large, influential company, or target a campaign volunteer instead of the campaign manager. Ultimately, their final target could be anyone whose identity can be used to influence public sentiment.  

Private companies see an increase in hacktivist threats

Experts report that private companies are seeing an increase in hacktivist threats in the run-up to the election. Media organizations, universities, and nonprofits are all at risk due to their profiles and roles in influencing the public, but almost any business could serve a purpose for a politically-motivated hacker.

The recent SendGrid breach illustrates this well. SendGrid customers distribute large volumes of email with a high delivery rate. If those account credentials get into the wrong hands, it’s easy to see how they could be used to deliver political disinformation to millions of voters, opposing candidate campaign members, or media organizations.  

“Given the current climate in the U.S. and the amount of activism going on, I think it’s fair to assume that hacktivism activity would parallel community-level activities, since the web is just an extension of activities in real life,” said Michael Kaiser, president and CEO of Defending Digital Campaigns, and former executive director of the National Cyber Security Alliance in a recent SC Magazine article. “I fully expect disrupting a campaign, person or organization viewed as an opponent — in order to convey a message or do greater harm — would be part of the hacktivism playbook.” 

The message is clear: any individual, in any organization can be an accessory to an attack. That’s why every organization — political or not — must ensure it is authenticating every user. Passwords are too easy to steal, while basic two-step authentication can be vulnerable to phishing and man-in-the-middle attacks. Making strong authentication available at scale, with physical hardware keys like the YubiKey, is a trusted way to ensure the identity of every user at every login point. 

The stakes are high — we must do all we can collectively to protect individuals, protect organizations, and protect democracy.

Olivier Sicco

Yubico expands partnership with Infinigate into the UK and celebrates channel program growth across EMEA and APAC

This year has been challenging, and with an increase in remote workers, the need for organizations to protect their workforce from phishing attacks and credential theft has never been stronger. With remote work on the rise, and strict compliance guidelines being implemented, organisations are required to rapidly adopt best-of-breed security technologies, including modern authentication standards, in order to secure sensitive data.

Building on our goal of making strong authentication available to everyone, Yubico has taken many expansion steps to bring strong authentication to organisations around the world. Across EMEA and APAC, we have realised that our customers would benefit greatly from a wider range of channel options. By expanding our network of channel partners, introducing a new channel partner program, and offering new YubiKey subscription services globally, Yubico has been able to better support our channel partners and reach new milestones in 2020. 

Growing Yubico’s UK channel landscape with Infinigate

After years of successful collaboration in many European countries, we are now expanding our partnership with Infinigate — named CRN’s 2019 UK Security Distributor of the Year — into the UK market. Based on our successful partnership in other markets across EMEA, Infinigate has become a perfect choice to help Yubico execute our ambitious growth plans for 2021 and beyond. 

“Yubico is an exciting vendor for us. The technology is truly market-leading and they are pioneers in the security key space”, said Justin Griffiths, Managing Director at Infinigate UK. “Enabling our partners to provide their customers with cutting-edge security is Infinigate UK’s primary focus, and Yubico powers us to deliver broader solutions and even stronger security. Their technology ecosystem also integrates with some of our existing vendors, such as CyberArk, Entrust, Idaptive, and HID, as well as key technology providers including Google, Microsoft, and AWS.”

Infinigate brings a wealth of expertise in the cybersecurity space and will be a great addition to Yubico’s channel landscape in the UK&I. Our existing distributor, Distology, has consistently delivered a great value-add to customers and resellers in the UK, and will continue to be an integral part of our go-to market strategy.  

Celebrating milestones with Yubico’s Partner Program and YubiEnterprise Subscription 

Earlier this year, we launched the Yubico Partner Program for EMEA and APAC. Designed for companies of all sizes and profiles, it simplifies the onboarding process for new resellers and distributors. Based on performance, Yubico partners are classified in one of three tiers — Authorized, Certified, and Certified Gold — with Certified Gold partners considered extensions of Yubico’s team in terms of product knowledge and commitment to excellent customer experience. 

YubiEnterprise Subscription, our new service-based YubiKey offering, was recently made available in EMEA and APAC on September 23. Now, Yubico channel partners across the world — including the United Kingdom, France, Germany, Nordics, BeNeLux, Australia, and more — can efficiently sell strong YubiKey authentication at scale.

Since Yubico was founded in 2007, YubiKeys have been sold on a per-device basis, but with the increased need for flexibility within certain organisations, it is now possible to purchase YubiKeys on a per-user basis with YubiEnterprise Subscription, and experience predictable OpEx spending. The replacement of lost or stolen YubiKeys, and upgrades to new YubiKey models, such as the most recent YubiKey 5C NFC, are additional benefits included in the service.

Continuing scalable growth in EMEA and APAC

Yubico’s network of resellers in EMEA and APAC has grown significantly over the past few months, and we intend to keep this momentum as we enter into 2021. Our channel partners bring valuable expertise on all levels, including local procurement, logistics, and technical expertise – not to mention, they also help customers reach their business goals with Yubico’s technology. 

We will continue to invest in our channel partners and equip them to continue offering tailored support to organisations on the path to modernising their authentication processes and solutions.

Jerrod Chong

Minecraft or math lessons: which one could be the cause of your company’s next social engineering attack?

Your child’s math lesson is a clear and present threat to your company data, and believe it or not, their Minecraft addiction could very well be the cause of your next enterprise-grade social engineering attack.

In the past few weeks, millions of children returned to online learning, and simultaneously — and perhaps unknowingly — your company’s cyber attack surface has grown exponentially. Children are borrowing their parents’ old unpatched laptops, downloading or signing in to a half-dozen new learning apps, and after Zoom school is out for the day, some are settling in for an evening of gaming or video streaming. Meanwhile, frazzled parents are logging into the same learning apps from their corporate laptops, or checking their work email from a personal device during virtual back-to-school night. 

The ease with which a hacker can move from a personal account to a corporate one is becoming increasingly apparent, and the combination of remote work and school isn’t helping your organization’s case. For anyone tasked with protecting their organization from malware and cyber security breaches, here is what you need to consider during the 2020 back-to-school season.

Your employees’ families are your users now, too.

You can’t be sure that the person logging into your company-issued laptop is actually your VP of sales, or their 10-year-old child with a homework deadline. In the same way, you also can’t be sure that a normally-cautious employee in accounting isn’t accessing your finance system from the same device that someone else in their household used for an epic two hours of video gaming just the night before. 

No matter which way you slice it, your employees’ family members may be using your corporate PCs for school purposes, and employees may be logging into work apps from personal devices. 

Your users are more vulnerable to a phishing attack.

Remote learning is a patchwork of hastily assembled apps and online services, each requiring separate logins. It’s confusing, and hackers thrive on confusion. It’s easy for an attacker to spoof one of these services and issue a fake password reset that harried parents and kids will fall for. And in general, we humans are much more susceptible to social engineering attacks in times of fear and uncertainty (hackers thrive on those too). 

There’s no line between personal account takeovers and enterprise security breaches.

With the blurring of home and work screen time, it’s much easier for a hacker with access to a user’s personal account (a learning app, a gaming account, or Gmail) to gain credentials for a corporate one using simple spoofing techniques. As security pros know, of course, this is not new — many major enterprise breaches have begun with a compromised personal account. But now, it’s so much easier and faster for a hacker with access to a work computer to log onto a corporate VPN with phished credentials or read a user’s work email when users are at home. 

With these considerations in mind, the way we approach enterprise security must change. Gone are the days of protecting your most privileged users. It doesn’t matter how the hackers get in your corporate network, the point is, once they’re in they can go almost anywhere they please — and hackers will always take the path of least resistance. 

To remain secure amidst remote working and beyond, enterprises must adopt a zero trust mentality and authenticate every user, every time, on every service. This must be done with a form of strong authentication, like YubiKeys, that cannot be spoofed by email phishing attacks or man-in-the-middle attacks, and for productivity’s sake, must be almost seamless to the user.

So, Minecraft or math lessons? Either could be the social engineering attack that invites hackers into your corporate data. One thing is sure — unless you have strong authentication enabled for all remote employees, hackers will capitalize on the current situation and find a way in. And don’t forget to restart your computer or browser after a patch is available!

To deploy YubiKey strong authentication across your entire organization, regardless of employee location, read more about YubiEnterprise Services.

Sebastian Elfors

How NIST and eIDAS revisions are shaping the future of e-identification

This blog is co-authored by John Fontana, Standards Analyst at Yubico. 

On both sides of the Atlantic, standards and regulations on electronic identification are being revised more or less simultaneously. In the United States, the National Institute of Standards and Technology (NIST) accepted public comments on its SP 800-63-3 Digital Identity Guidelines last month, which is on track for a scheduled revision in 2022. In the European Union, the eIDAS regulation is also up for review. 

As an active member in the FIDO Alliance, W3C, Better Identity Coalition, and OpenID Foundation, Yubico was invited to provide input on both the NIST and eIDAS revisions. While this takes place on a predetermined schedule, our feedback was heavily influenced by our learnings and observations from the COVID-19 pandemic and the influx of remote work. This shaped a majority of our recommendations, which were focused on improving guidance on strong authentication and remote identity proofing. 

NIST SP 800-63-3

NIST last revised its Digital Identity Guidelines in June 2017 just as multi-factor authentication (MFA) entered a robust innovation cycle led by FIDO protocols. The latest revision intends to evaluate recent improvements to authentication standards and technologies (WebAuthn), and other new identity and access management innovations. 

Last month, Yubico submitted comments and suggestions that ensure stronger identity assurance and authentication, and address the need to eliminate persistent vulnerabilities in aging authentication technologies such as SMS and OTP. 

    • We asked that the updated guidelines address modern attack vectors, and re-classify grading systems to recognize credential phishing resistance as a distinct and important advancement in modern hardware authenticators that are needed to close security holes.
    • We also suggested NIST recognize and classify new identity proofing and binding techniques for strong remote identification systems. Additionally, we recommended guidance around a combination of technologies that support authenticated and protected communication channels for security techniques such as verifier impersonation resistance. 
    • Lastly, we pointed out that the previous NIST Digital Identity Guideline revisions showed an affinity for hardware-backed, web-based strong authentication as defined by FIDO and WebAuthn. We emphasized that this innovation must continue in the 800-63-4 revision. 


In Europe, eIDAS (EU regulation 910/2014) is subject to revision and open for feedback through a public consultation. The EU Commission proposed three new options for the revised eIDAS regulation, and Yubico submitted feedback accordingly:

    • Option 1 would revise and complement the existing eIDAS framework. In this scenario, our recommendation is that eIDAS should specify well-defined rules for remote identity proofing, be harmonized with the EU Cybersecurity Act, require phishing resistance, reuse pre-approved eID products for notification, allow for backup eID schemes during disasters, and make the ‘High’ level of assurance mandatory for access to Qualified Trust Service Providers.
    • Option 2 would extend the scope of eID schemes to the private sector. We are positive about this initiative, since existing identity providers would extend the reach of notified eID schemes, which could also be aligned with the PSD2 requirements on financial transactions. The eID approval process and the architecture of eIDAS-Nodes would, however, have to be adjusted for private identity providers.
    • Option 3 would introduce a European Digital Identity scheme (EUid). Instead of a pan-European EUid, we believe that federated solutions would allow for better international interoperability, higher scalability, and be based on modern technology.

Yubico’s complete response to the eIDAS inception impact assessment can be found at the EU Commission portal. In addition to our eIDAS contributions, Yubico also provided feedback to promote remote identity proofing for ETSI TS 119 461, the European Telecommunications Standards Institute’s (ETSI) new standard on identity proofing. 

Fortunately, the development of legislation and standards for electronic identification continues to progress in the US and EU with consistent input from leading security and identity experts across the globe. As we account for evolving threat landscapes and innovative technologies that offer the best combination of security and usability, we can collectively continue to serve and protect governmental agencies, the private sector, and citizens even better in the future.

To learn how the YubiKey can be used for national electronic ID-card projects and eIDAS-compliant eID schemes, such as the National Digitalisation Programme at the Faroe Islands, read more here.

To learn how the YubiKey FIPS Series can enable government agencies and regulated industries to meet the highest authenticator assurance level 3 requirements from the NIST SP 800-63 guidance, read more here.

Ashton Tupper

Our family is growing! Meet our newest member… the YubiKey 5C NFC

Today is the day that many of our YubiFans have been waiting for — Yubico’s latest form factor, the YubiKey 5C NFC, is here! It’s the first security key featuring dual USB-C and near-field communication (NFC) connections in addition to multiple authentication protocols, including PIV for smart card login.

As one of our most long-awaited and sought-after form factors, we can’t wait to share in the excitement with you. Here are just a few reasons why we love the YubiKey 5C NFC, and suspect you will too:

It’s the modern security key to work with modern devices. 
USB-C connectors are growing in popularity, and many of the latest laptops and computers, from MacBooks to Windows Surface Pros, are making the switch from traditional USB-A ports. Meanwhile, the major mobile platforms — Android and now iOS — support hardware authentication over NFC for a tap-and-go experience. 

The YubiKey 5C NFC combines both USB-C and NFC connections on a single security key, making it the perfect authentication solution to work across any range of modern devices and leading platforms such as iOS, Android, Windows, macOS, and Linux. 

It’s the first USB-C and NFC-compatible security key with multi-protocol support, including smart card. 
As part of the YubiKey 5 Series, the YubiKey 5C NFC is equipped with Yubico’s signature multi-protocol support. In addition to compatibility with modern standards like FIDO2 and WebAuthn, the YubiKey 5C NFC can also be leveraged as a smart card — a feature that is beneficial for hundreds of enterprises and particularly those within the government sector.

The full range of multi-protocol support includes: FIDO2 and WebAuthn, FIDO U2F, PIV (smart card), OATH-HOTP and OATH-TOTP (hash-based and time-based one-time passwords), OpenPGP, YubiOTP, and challenge-response. This flexibility is an invaluable benefit, specifically for enterprises, as it allows one key to work across a wide range of services and applications, including email clients, identity access management (IAM) solutions, VPN providers, password managers, social media platforms, collaboration tools, and many more.

It’s the newest security key to secure remote work with ease. 
Working from home isn’t set to disappear anytime soon, and even after shelter in place and social distancing guidelines are lifted, we’re bound to see an increase in remote work around the world. Companies are challenged with establishing trust with employees and their devices outside of the traditional confines of a secured office environment. 

Security keys are the proven method to protect against phishing and man-in-the-middle attacks 100% of the time, and they come with the added benefit of being easy to use. One touch or tap to authenticate is all that’s needed — a significant benefit when most employees are struggling to balance the increasing overlap of personal and work responsibilities. With the ability to work across modern devices, the YubiKey 5C NFC is the perfect fit for securing your at-home workers with ease. 

Looking to start (or add to) your YubiKey collection? Head over to the Yubico store today and order a YubiKey 5C NFC for $55 USD. And while you’re at it, don’t forget to add in some YubiStyle covers to personalize your key. 

The YubiKey 5C NFC is also available for enterprise customers as part of our recently added YubiEnterprise Service offerings. YubiEnterprise Subscription and YubiEnterprise Delivery allow organizations to quickly and cost-effectively deploy YubiKey authentication at scale, regardless of employee locations.

Stina Ehrensvard

How YubiKeys are made: Security at scale

The first YubiKey was manufactured in Sweden in 2008. A few years later, part of our team moved from Stockholm to California, and we expanded our production capabilities to this part of the US West Coast. It was a conscious choice to manufacture our products in the two democratic countries that were close to our innovation teams and main customers. To further safeguard the security of our products, we have over the last decade continued to make investments across the entire supply chain, summarized in more detail on this page on Yubico secure manufacturing.

The Yubico innovation team has been internationally recognized for creating game changing product designs and security protocols in our industry. What many may not know is that we also invented new methods for manufacturing USB keys in a monoblock form factor. A glimpse of how YubiKeys are made can be seen in this video from our main manufacturing plants in Sweden. 

Today, we are launching and ramping up volume production for our fourth USB-C device, the YubiKey 5C NFC. In 2016, before USB-C was commonly available on laptops or Android phones, we launched the first USB-C security key in keychain form factor. Two years later we introduced the YubiKey C Nano, which is probably the industry’s smallest USB-C authenticator ever made. And last year, we introduced the YubiKey 5Ci, the world’s first USB-C and Lightning dual-connector security key.

The YubiKey 5C NFC is a welcome new member of the YubiKey family. After unexpected delays due to COVID-19, it’s finally here. It was requested by our customers and meets the core features and values that signify a genuine YubiKey — quality, security, robustness, and usability in a minimalistic design.

Andreas Ohrbeck

Build your Passwordless offering with Microsoft Azure AD and YubiKeys – Limited Time Offer

COVID-19 has disrupted the business norm and forced most organizations, including many Yubico partners, to adjust their security strategies. Our partners have had to recommend and implement the right technologies that will enable their customers, who are now managing expanded remote workforces, to achieve secure access to critical applications – all while maintaining business continuity.  

Companies have become smarter about how they address:

  • Investments in cybersecurity
  • BYOD and connectivity to internal networks
  • Employee productivity 
  • VPN overload

A recent Forrester Report¹ cited 10 security and risk technologies to pay attention to as a result of the pandemic, with one major disruptor being the shift away from weak password requirements. Many authentication solutions that were good enough a few years ago do not protect against modern malware, phishing or man-in-the-middle attacks. By moving beyond passwords to hardware-based security keys, organizations are enabling the strongest form of authentication, one that is proven to mitigate account takeovers, with unsurpassed ease-of-use.

It has been our long-standing mission to make the internet safer for everyone. We have pioneered security keys with our YubiKey and co-created open security standards such as FIDO2 and WebAuthn, and major platform companies, like Microsoft, are helping to drive the global business world towards the elimination of passwords.

Microsoft has been incorporating FIDO2 flows that support YubiKey strong authentication features that work natively with Azure Active Directory, Windows 10 and Microsoft 365 applications. Incorporating these types of identity verifications in conjunction with hardware-based authentication, hardens the security and mitigates remote phishing attacks. 

Together with Microsoft, we are announcing a Go Passwordless Pilot Program where qualified Services Providers (e.g. systems integrators, consulting services) in Canada, EU, UK and US can nominate their customer to pilot the Azure Active Directory Passwordless flow. For a limited time, Yubico and Microsoft are offering 25 free YubiKeys to up to 100 qualified customers to pilot the Microsoft Azure AD Passwordless flow and YubiEnterprise Delivery (YED) service.

“I believe this offering is a compelling program. It fits well with our respective missions to help everyone achieve more and make the internet safe for everyone.” – Sue Bohn, Partner Director of Program Management in the Identity Division at Microsoft.

To get started and check qualifications:

    1. Services Provider will need to identify a customer (500+ Azure AD Users) that has the technical FIDO2 requirements to go passwordless 
    2. Enroll your organization into the program. If you have an Azure AD + Yubico Passwordless practice – share the link with us when you sign up!
    3. Then, nominate the customer for the pilot
    4. If you and your customer are selected for the pilot, we will contact you for shipping details

Pilot requirements: Windows 10 version 1903 or later, Azure Active Directory and Yubico’s YubiKey 5 series, Microsoft Azure AD MFA-enabled users, and Azure AD integrated with Microsoft and third-party applications such as Office 365, Salesforce, and ServiceNow.

Services Partners such as Patriot Consulting (US), InSpark (NL), ThirdSpace (UK), Skill (NO), Magellan Securite (FR), and SPIE (FR) have already built Microsoft 365 integrations with YubiKeys. Nominate your customer by going to Go Passwordless Customer Pilot Program.

We encourage businesses to build their practice by incorporating strong, hardware-based authentication methods. 

Stina Ehrensvard, CEO and founder of Yubico and Sue Bohn, Partner Director of Program Management in the Identity Division at Microsoft, discuss the Go Passwordless Pilot Program and how both companies are helping to drive open standards and passwordless momentum.

¹ Csar, Andras; et al, “The Top Security Technology Trends To Watch, 2020,” June 30, 2020

Christopher Harrell

How modern phishing defeats basic multi-factor authentication

Two years ago, at the internet security conference Black Hat US, the Yubico team was invited to speak about how advanced phishing works and how FIDO authentication standards and YubiKeys can help mitigate these attacks.

Today’s hackers increasingly hijack one-time use codes and push notifications during the brief window when they are valid, and the attack and account takeover is all but invisible for the user.

With the recent spike in spear phishing using these methods, we decided to build on our previous work and show what it’s like to be phished with these modern techniques when using several types of basic multi-factor authentication.

If some of these terms are unfamiliar, don’t worry, we will go over them in this video.


These links have the details of the recent attacks. Krebs’ article in particular shows screenshots of some of the phishing pages used against several targets. Twitter was even quite open and posted publicly about their related security incident.

A different set of similar attacks happened over the last few years and are very serious. Amnesty International has three in-depth articles which detail phishing techniques used by seemingly politically motivated attackers against human rights defenders, journalists, and civil society organizations in the Middle East, Egypt, and Northern Africa during 2018 and 2019. This is a clear example of how attackers know their victims, and will use things they care about (security) to try and trick them.

Also not covered here are attacks on SMS-based authentication where the phone network is leveraged via backbone connections or SIM swaps to intercept the code that the victim was supposed to get. Read below to learn more about this:

The way I was able to make fairly clean phishing pages over the course of roughly a day was by using the open source phishing framework called Evilginx2 by Kuba Gretzky and hacking in some tweaks and JavaScript. If you’re interested in the details of how these attacks are done under the hood, or want to see some other great examples against other services, please see Kuba’s fantastic talk here.

Ronnie Manning

New Yubico for Free Speech Program Arms Nonprofits with Strong Authentication

2020 continues to be a challenging year in many ways for all of us, but today, we’re proud to share some hopeful news — Yubico is introducing the Yubico for Free Speech Program, an initiative designed to defend digital privacy, online security, and free speech for at-risk individuals and nonprofit organizations. 

As of July 1, 2020, Yubico has committed to donate one YubiKey for every 20 YubiKeys purchased on Using these keys, we will equip nonprofit organizations, and the populations they serve, with the power of hardware-backed security — free of cost. Our goal is to enable these organizations to safely continue their important work of serving, empowering, and protecting vulnerable populations most at risk of targeted cyber attacks. 

Enabling YubiKey protection for at-risk individuals

For years, Yubico has worked with nonprofit organizations like Freedom of the Press, ISC Project, Electronic Frontier Foundation, Defending Digital Campaigns, and the Human Rights Foundation. With the Yubico for Free Speech Program and Yubico’s new donation initiative, we have formalized this work to reach a wider range of organizations that align with our shared desire of upholding and protecting free speech, including: 

  • Non-profit organizations that protect journalists, freelancers, and writers from doxing and other targeted attacks in an effort to uphold transparent, fair, and ethical reporting.
  • Human rights organizations and activist groups focused on ending racism, sexism, LGBTQ violence, domestic abuse, and other social justice issues around the world. 
  • Bi-partisan networks that fight to preserve democratic integrity by securing political campaigns, political candidates, and election processes.

Why free speech matters to Yubico 

Free speech is an important human right, and one that aligns closely with Yubico’s greater mission: to make the internet safer for everyone. We believe that free speech and free press play a critical role in exposing injustice and inequality, and we also know that free speech is under attack in many ways and for many groups of people. Coercive force, disinformation, doxxing, and cyber attacks are used across the globe each and every day to silence voices that matter. 

Yubico has a longstanding partnership with Freedom of the Press where we’ve donated YubiKeys to secure their organizations and the individuals they work with. “At Freedom of the Press, we encourage all of our clients and trainees to use Yubikeys to secure their accounts and important communications. This new program will make hardware tokens available to so many who have wanted to bolster their security, but couldn’t quite justify the expense. We’re thrilled to support Yubico in their initiative to bring a safer internet to those on the front lines of great causes” – Harlo Holmes, Director of Newsroom Digital Security at Freedom of the Press.

We believe that freedom of speech must not only be protected, but also exercised — at home, at work, in the streets, and online. This is the path to educating ourselves and others, while evolving as a society.

Join the cause 

If you are with a nonprofit organization that values free speech and defending human rights and you are interested in protecting yourself or others online, apply to join our Yubico for Free Speech Program here

Please also join us in helping this program grow! Here’s what you can do: 

  • Purchase any of our products from to contribute to the amount of YubiKeys we are able to donate, or
  • Share your favorite nonprofits with us if you believe they could benefit from strong authentication and would be a fit for this program. 

We thank you for your support!

Dennis Hills

Exploring clientDataJSON in WebAuthn

Calling all developers! Today, we’re kicking off our first-ever post in our new technical blog series specifically designed for our developer community. Each month, we will be selecting a new technical topic to cover in more depth. 

To start our series, we dive into the clientDataJSON object as part of the Web Authentication or WebAuthn specification. WebAuthn is an exciting standard that has garnered a lot of interest, but it can often feel complicated to get started. 

WebAuthn defines a client/server ceremony API for performing user registration and authentication. For registration, the user, via a client (web browser or mobile app), requests to register a hardware authenticator with a server. For authentication, that user, via a client app, attempts to log in to a server with that previously registered authenticator. During these two ceremonies, data is passed back and forth between the client and the server.

The clientDataJSON object is key to the WebAuthn API data exchange. If you are building a desktop or mobile application, the building and encoding of the clientDataJSON object needs to be done using a library or SDK.

First, let’s go over the high-level aspects of WebAuthn and then we can dive into details about what the clientDataJSON object is, its purpose and its attributes, and finally explain encoding and decoding of this object.

What is WebAuthn?

Web Authentication, or WebAuthn, is a W3C-recommended specification that defines an API for enabling the creation and use of public key-based credentials, for the purpose of strongly authenticating users. See the W3C Specification for more information.

The idea behind WebAuthn is to rid the world of password authentication (something you know) by replacing it with public key authentication (something you have). 

For password authentication, a user generates a password which is passed to the server, where it is stored in a database. During user authentication, the user-generated password is sent to the server for validation against the stored password. If the password matches, the user is authenticated and can access the service offerings or features.

For WebAuthn public key authentication, strong hardware-backed public/private-key credentials are created and stored by an authenticator, such as a YubiKey, during registration. The private key is securely stored on the authenticator and is never shared, while the server stores the public key portion in the database.

During user authentication, the server sends pseudo-randomly generated challenges to the client for the authenticator to sign. The authenticator uses the private key to sign the authenticatorData together with a hash of the clientDataJSON. This signature proves possession of the private key and gives assurance that the challenge, relying party (RP) ID, and origin were not tampered with, all without ever sharing the private key or requiring the user to provide a static password. Replay attacks are prevented by the pseudo-randomness of the challenge. Phishing attacks are prevented by this signing of the challenge with the private key that is scoped to the RP ID (domain). In addition to measures to counter replay and phishing attacks, the web authentication API also guards against compromised credentials (username + password) in that a password is never passed to or stored by the RP, hence the term “passwordless”.
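The following Node.js sketch is an added example, not code from the original post or from Yubico. It shows what the assertion signature described above covers: a locally generated P-256 key pair stands in for the authenticator's credential, and the RP ID, challenge and origins are constructed sample values.

```javascript
// Added example: the signed bytes are authenticatorData || SHA-256(clientDataJSON).
const nodeCrypto = require('node:crypto');

const sha256 = (buf) => nodeCrypto.createHash('sha256').update(buf).digest();

// Stand-in for the credential key pair held by the authenticator (ES256).
const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync('ec', {
  namedCurve: 'prime256v1',
});

// Minimal assertion authenticatorData: rpIdHash (32) | flags (1) | signCount (4).
function buildAuthenticatorData(rpId, signCount) {
  const flags = Buffer.from([0x01]); // user-present bit
  const counter = Buffer.alloc(4);
  counter.writeUInt32BE(signCount);
  return Buffer.concat([sha256(Buffer.from(rpId, 'utf8')), flags, counter]);
}

// Authenticator side: sign over authenticatorData and the client data hash.
function signAssertion(authenticatorData, clientDataJSON) {
  const signedData = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return nodeCrypto.sign('sha256', signedData, privateKey);
}

// RP side: rebuild the same byte string from the received values and verify
// it with the public key stored at registration.
function verifyAssertion(authenticatorData, clientDataJSON, signature, credentialPublicKey) {
  const signedData = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return nodeCrypto.verify('sha256', signedData, credentialPublicKey, signature);
}

function runDemo() {
  const authData = buildAuthenticatorData('example.com', 7);
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get',
    challenge: Buffer.from('constructed-challenge').toString('base64url'),
    origin: 'https://example.com',
  }), 'utf8');
  const signature = signAssertion(authData, clientDataJSON);

  // Same signature, but the origin inside clientDataJSON was altered in transit.
  const alteredOrigin = Buffer.from(
    clientDataJSON.toString('utf8').replace('https://example.com', 'https://example.com.phish.test'),
    'utf8'
  );
  // Same signature, but presented with authenticatorData for a different RP ID.
  const otherRpData = buildAuthenticatorData('other.example', 7);

  return {
    untouched: verifyAssertion(authData, clientDataJSON, signature, publicKey),
    originChanged: verifyAssertion(authData, alteredOrigin, signature, publicKey),
    rpIdChanged: verifyAssertion(otherRpData, clientDataJSON, signature, publicKey),
  };
}

console.log(runDemo());
```

Any change to the challenge, origin or RP ID hash changes the signed byte string, so the stored public key no longer verifies the signature.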

What is clientDataJSON?

At a high level, the WebAuthn specification is really just an exchange of challenges and responses performed during two types of ceremonies: registration and authentication. The clientDataJSON object, always populated by the client (browser or app), is sent in the response to the RP server during registration and authentication.

The object, populated by the client, has three required properties: a type, a challenge, and an origin. The type can be either “webauthn.create” for a registration response or “webauthn.get” for an authentication response. The challenge value is the actual challenge that was sent by the RP during the create or get ceremony. The origin contains the effective domain name of the endpoint to which the client is connecting during the WebAuthn registration or authentication.

Now that we know about the properties, let’s find out the purpose of each property and how these are integrated to control the Web Authentication flow.

clientDataJSON Use Cases 

The clientDataJSON is used to determine the current state or flow of the WebAuthn ceremony. The type attribute tells the RP whether this client data is a registration or authentication response to a server challenge. 

The most important responsibility of the clientDataJSON is storing the effective domain of the connected client. In the WebAuthn API spec, the client browser or application is responsible for capturing the effective domain of the connected endpoint and storing it in the origin attribute during the registration (create) and authentication (get) ceremony. The public keypair generated by the authenticator is considered to be “origin-based”, which means the keypair can only be used to authenticate a user when the client is connected to the same domain (origin) endpoint to which it was originally connected (or matches a subset of the server domain) at the time when the keypair was generated. I’ll go into this in more detail later.

The last responsibility of the clientDataJSON is to capture the cryptographic challenge sent by the RP during registration or authentication. The challenge is randomly generated by the RP and sent to the client during the ceremony. The client captures the challenge in the challenge attribute and passes this back to the server.

clientDataJSON Properties

The clientDataJSON object (after decoding) has the following properties:

| Property | Definition | Required/Optional |
|---|---|---|
| type | Contains a string with one of two values. Value(s): “webauthn.create” or “webauthn.get”. “webauthn.create” → A new credential is being created during REGISTRATION. “webauthn.get” → An existing credential is retrieved during AUTHENTICATION. | Required |
| challenge | The base64url encoded version of the cryptographic challenge sent from the relying party’s server (RP). The original challenge value is passed via the relying party (RP) through PublicKeyCredentialRequestOptions.challenge or PublicKeyCredentialCreationOptions.challenge. | Required |
| origin | The effective domain of the requester given by the client/browser to the authenticator. | Required |

Encoding and Decoding clientDataJSON Properties

With only three main attributes, the clientDataJSON object is pretty straightforward; however, according to the W3C spec, the JSON string is converted into an ArrayBuffer before being transported back to the RP and then back to a string on the server side before validation. The ArrayBuffer is being used for efficiency and optimal performance when speaking binary to the authenticators.

The conversion to and from an ArrayBuffer is the most confusing part for developers. The good news is, for most WebAuthn solutions, developers can rely on a web browser that supports the Web Authentication API as the client to handle the interaction with the external authenticator. Those browsers have already implemented the client API requirements using the FIDO2 Client to Authenticator Protocol (CTAP) specification. CTAP is an application layer protocol used for communication between a client (browser) or a platform (operating system) and an external authenticator such as the YubiKey.

If you are building a mobile, desktop, or IoT application without the use of a browser, you will need to implement the CTAP Authenticator API using a library, or a mobile SDK for iOS or Android.

On the server side, the RP receives the object as an ArrayBuffer, which must be decoded and parsed.

Here’s what the hashed clientDataJSON object within the client response looks like when received by the relying party during registration:



Here’s what the parsed clientDataJSON object looks like as a JSON string:


In the examples below, the server converts the ByteArray to a JSON object and then parses and validates the data.

Here’s a Java example of how the Yubico Java Server demo handles the clientDataJSON:



Here’s a JavaScript example from the Firefox developer guide:



Relying Party Validation of WebAuthn clientDataJSON 

Once the RP receives the registration or authentication response from the client and converts the ByteArray to a JSON object, it’s ready to parse and validate the three attributes. At this point, the server can validate any of the attributes in any order. 

The origin value is the most important validation. The client browser or app determined the endpoint/domain during the request for authentication to the server. The server must then validate that the “origin” string matches at least a subset of the valid domain string of the RP as part of the Relying Party Identifier (RP ID). 
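The decode, parse and validate steps described above can be sketched as follows. This is an added Node.js example, not the Yubico Java Server demo or the Firefox guide code; the RP ID, the expected origins, the issued challenge and every sample response are constructed. The origin check uses an exact match against the origins the RP expects, which is the check the W3C verification procedure calls for, in addition to the domain-suffix test.

```javascript
// Added example: relying-party handling of clientDataJSON.
// RP_ID, EXPECTED_ORIGINS and all sample values are constructed for illustration.
const RP_ID = 'example.com';
const EXPECTED_ORIGINS = new Set(['https://example.com', 'https://login.example.com']);

function verifyClientData(clientDataBytes, expected) {
  // 1. Decode: bytes (Buffer, Uint8Array or ArrayBuffer) -> UTF-8 text -> object.
  let clientData;
  try {
    const text = new TextDecoder('utf-8', { fatal: true }).decode(clientDataBytes);
    clientData = JSON.parse(text);
  } catch (err) {
    return { ok: false, reason: 'not valid UTF-8 JSON' };
  }
  if (clientData === null || typeof clientData !== 'object' || Array.isArray(clientData)) {
    return { ok: false, reason: 'not a JSON object' };
  }

  // 2. type: must be the ceremony this endpoint is handling.
  if (clientData.type !== expected.type) {
    return { ok: false, reason: 'wrong ceremony type' };
  }

  // 3. challenge: must be the base64url form of the bytes this RP issued
  //    for the current session.
  const issued = expected.challenge.toString('base64url');
  if (typeof clientData.challenge !== 'string' || clientData.challenge !== issued) {
    return { ok: false, reason: 'challenge mismatch' };
  }

  // 4. origin: host must be the RP ID or a subdomain of it, and the full
  //    origin must be one the RP actually serves.
  let host;
  try {
    host = new URL(clientData.origin).hostname;
  } catch (err) {
    return { ok: false, reason: 'origin is not a URL' };
  }
  if (host !== expected.rpId && !host.endsWith('.' + expected.rpId)) {
    return { ok: false, reason: 'origin outside RP ID' };
  }
  if (!expected.origins.has(clientData.origin)) {
    return { ok: false, reason: 'origin not expected' };
  }
  return { ok: true, reason: null, clientData };
}

// Constructed server-side state for one authentication ceremony.
const issuedChallenge = Buffer.from('constructed-challenge-0001', 'utf8');
const expected = {
  type: 'webauthn.get',
  challenge: issuedChallenge,
  rpId: RP_ID,
  origins: EXPECTED_ORIGINS,
};

// Builds constructed clientDataJSON bytes, optionally overriding one field.
function sample(overrides) {
  const fields = {
    type: 'webauthn.get',
    challenge: issuedChallenge.toString('base64url'),
    origin: 'https://login.example.com',
    ...overrides,
  };
  return Buffer.from(JSON.stringify(fields), 'utf8');
}

function runSamples() {
  const cases = {
    genuine: sample({}),
    registrationSentToLogin: sample({ type: 'webauthn.create' }),
    staleChallenge: sample({ challenge: Buffer.from('older-challenge').toString('base64url') }),
    lookalikeDomain: sample({ origin: 'https://example.com.phish.test' }),
    unlistedSubdomain: sample({ origin: 'https://uploads.example.com' }),
    truncated: sample({}).subarray(0, 20),
  };
  const reasons = {};
  for (const [name, bytes] of Object.entries(cases)) {
    reasons[name] = verifyClientData(bytes, expected).reason;
  }
  return reasons;
}

console.log(runSamples());
```

These checks complement signature verification: the signature shows the clientDataJSON was not altered, while these checks show its contents are the ones this RP expects.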


The clientDataJSON consists of only three required attributes but plays a critical role in the Web Authentication flow between the client and server. In this post we learned that this object is populated by the client during the registration and authentication flows in order to determine the type of ceremony (registration or authentication), the origin of the connected client, and the current challenge from the server. The data is transported as an ArrayBuffer by the client and then decoded and parsed by the server. The RP can reject any authentication attempts if the client object is not encoded properly, contains an incorrect challenge, or the client origin does not match the domain (RP identifier) associated with the JSON string.

Building and encoding the clientDataJSON object is the client responsibility, but that work is typically handled for you by a web browser that supports Web Authentication. However, if you are building a desktop or mobile application, that work will need to be done using a library or SDK of your choice following the Web Authentication API structure as defined by the W3C spec.


Yubico WebAuthn Developer Guide
W3C WebAuthn Spec
Mozilla MDN Web Docs
Yubico iOS SDK – WebAuthn Client
GitHub WebAuthn API wrapper (translates to/from pure JSON using base64url)
Yubico WebAuthn Server (Java)


Jeff Frederick

5 reasons why the government and other public sector agencies should care about WebAuthn

Federal, state and local governments and other public sector agencies have important responsibilities that support a functioning community – everything from national security to public transit, public education, public safety, state parks, financial services, energy and power grids, and many more services are all tax funded and managed by the public sector. While these are vital components to life as we know it, the sheer amount of personal and sensitive information required to uphold these critical operations puts agencies at constant risk of being compromised.

Government and other public sector run systems and data are accessed daily not only by employees and contractors, but also by partners and citizens, exponentially increasing the likelihood of security breaches related to account takeovers. In fact, remote hacks continue to occur at an alarming rate, while also growing more advanced. According to the 2020 Verizon Data Breach Report, organized criminal groups were behind 55% of breaches, and nation-state or state-affiliated actors were behind 38% of breaches. 

While CAC and PIV cards are de-facto authentication methods across various Federal agencies within the public sector, there are many cases where they’re not suitable, and passwords do not provide enough security to defend against the volume of sophisticated attacks. Fortunately, WebAuthn, a core component of the FIDO Alliance’s FIDO2 set of specifications, is a modern, phishing-resistant web authentication standard that is now supported across all computing platforms. WebAuthn makes it easy for websites, services, and applications to offer strong authentication with the option of removing the reliance on passwords entirely. This could include government hosted web-based applications and services – like the Department of Motor Vehicles –  that are both employee and customer facing. 

Here are 5 reasons why the Federal government and other public sector agencies should care about WebAuthn:

Standardized strong authentication 

For the first time, the standardization of strong authentication is possible. Imagine setting up simple multi-factor authentication (MFA) across digital public sector services and having a convenient, consistent, and secure login. WebAuthn enables just that across all major browsers and operating systems, empowering services and apps to make strong authentication available to end users.

Improved security 

The public sector has access to critical information and stores sensitive data, meaning a breach could impose on the safety and security of millions of constituents. With the help of public key cryptography, WebAuthn raises the bar for strong authentication and provides strong MFA security for users, including public sector employees, contractors, partners and citizens.

Seamless user experience 

Through the WebAuthn API, strong authentication is accessible for web and mobile apps, eliminating the hassle of password resets and SMS codes and allowing users the convenience of signing in by tapping a security key. The WebAuthn API enables IT teams and developers to easily and quickly integrate WebAuthn into existing and new services, providing a consistent and seamless authentication experience for their users.

WebAuthn also gives users a broad range of choices for authenticating, from biometrics to hardware security keys. 

Improved productivity 

Resetting passwords is no longer an issue with WebAuthn. With the possibility of passwordless login, it eliminates the time spent and frustrations that stem from managing passwords. This time saved extends to help desks and support centers – for both internal public sector employees and external users – who no longer have to devote resources to resetting and maintaining passwords.

Reduced costs 

Breaches, especially for government and other public sector entities, can be detrimental in many ways, including confidential data loss, lost productivity and financial burdens. WebAuthn helps reduce negative financial impacts associated with breaches and support costs, allowing government and other public sector services to repurpose budget that was previously designated to maintain and manage infrastructure and passwords. 

Interested in learning more about the benefits of WebAuthn in the public sector? Download the Yubico white paper series, WebAuthn for the Public Sector, here. Additionally, you can view Yubico’s on-demand webinar on the topic here.

Luke Walker

4 reasons to consider a security-first approach to product development

The internet is a powerful invention. It was originally built for collaboration, but it’s far surpassed the capabilities anyone could have expected, and has become a core function of society. As developers, we contribute to these incredible advancements every day, but it’s also our job to help protect and preserve the future of the internet.   

To put it simply, the internet was not originally built with security in mind — much like the automobile. But over time we’ve recognized the need to protect internet users and the sensitive data that is shared. We now expect to have security features built into our products and services similar to how we expect to purchase a car that comes equipped with airbags, seatbelts, alarm systems and more. 

Nevertheless, security can still be an afterthought in the product development lifecycle — but it shouldn’t be. The cyber security landscape is evolving and organizations must evolve with it. Here are four reasons why your organization should consider adopting a security-first mindset when building the next generation of innovative solutions.

Recovering from a data breach is a costly mistake 

The financial disparity a data breach can cause is catastrophic, especially for smaller businesses. A data breach costs businesses $3.92 million on average, not to mention that organizations continue to incur residual costs for years after the initial data breach. Reversing these repercussions is far more costly than investing in a strong security foundation from the start. Establish principles of privilege-based access and strong authentication, and minimize risk from the get-go, to save your organization money, time, and negative brand exposure down the road.

Negative brand reputation decreases customer trust

A data breach can cause substantial damage to a brand’s image and reputation, including a loss of customer trust. In fact, studies show that 65% of data breach victims lose trust in an organization after a breach, and 80% of consumers will avoid using a service if their information was compromised. 

Strong security is a competitive differentiator 

With an ever-evolving security landscape fueled by a growing remote workforce, a forward-looking security perspective will become a standard among consumers and enterprises, and strong security options will set your organization apart from other competitors. 

Operators, system administrators, and developers who shift from a perimeter-focused approach to a comprehensive multi-layered approach that protects all elements — networks, endpoints, cloud services, and mobile devices — will succeed.

A seamless user experience builds customer loyalty

When done properly, good security can play an important role in improving your customer’s product experience. In fact, it can make or break the experience altogether. Take passwords for example. No one likes them, they’re hard to remember, and they do very little in terms of offering adequate protection against account takeovers. Yet, they are still used widely across the internet and oftentimes, account creation or log in can be a customer’s first interaction with a website or mobile app.

“When product development prioritizes security early on, the resulting product offers a better user experience from day one,” explains Josh Aas, Executive Director, Let’s Encrypt. “There are few things as disruptive to user experience as security mechanisms bolted on as an afterthought.”

When security is a forethought rather than an afterthought, it provides an opportunity to design a seamless and enjoyable user experience from start to finish. 

Ultimately, a security-first mindset can help your organization avoid detrimental repercussions caused by data breaches and reap the benefits for your bottom line, your customers, and your brand. 

At Yubico we value strong authentication as a critical piece of this puzzle, but we also recognize that there are many other security aspects that must be taken into consideration (and work together) to ultimately make the internet a safer place for everyone. That’s why we’ve chosen to partner with our friends at Let’s Encrypt — a non-profit organization that issues TLS certificates.

Starting today, Let’s Encrypt is giving the first 500 people, who donate $50 or more during their 2020 Summer Giving Campaign, a coupon to redeem a free Security Key NFC by Yubico at  

Developers who are interested in implementing strong YubiKey authentication with open standards can join the Yubico Developer Program to gain access to open source libraries and servers, implementation guides, training resources and more.

Ashton Tupper

From Security Geek to Security Chic: YubiStyle covers now available for purchase

When thinking about security, we typically have a list of features that are important to us as users. Is it secure? Yes. Is it easy to use? Yes. Is it durable? Yes. But who ever said that security has to be boring? Not us! 

As of today, we’re excited to share that you can now purchase YubiStyle covers from the Yubico store. After all, you have a security solution that works really good, and now you can make it look really, really good. 

Purple YubiStyle

Double Rainbow YubiStyle

Geode Blue YubiStyle
With 11 new designs and solid colors suited for our keychain models, pick the style that works for you and personalize your YubiKey. Not only are you likely to make your co-workers jealous, but differentiating your YubiKeys is especially useful for those of you that carry several security keys – and we all know that having multiple YubiKeys registered to your accounts is the way to go.

Visit the Yubico store today to pick up a YubiStyle (or two) of your choice, and add some flair to your security wardrobe. Are you ready to go from security geek to security chic? 

Camila Brindis

Available now! Works with YubiKey makes it easy for services to self-verify and for users to submit integrations for listing

Changing the world can’t be done alone. That’s why integrations play such a critical role in our mission to make the internet safer. We often like to say that we have created the key, and our partners build the locks. With this in mind, we launched Works with YubiKey (WWYK), our technology alliance program for products, apps, and services that integrate with Yubico hardware and software.

Since first launching in 2018, the program has seen remarkable growth, and has enabled us to work with hundreds of global companies sharing the same commitment to protecting devices, accounts, and most importantly, people. 

Today, we’re expanding on this momentum with significant updates to our WWYK Program. These updates will empower even more companies to build support for the YubiKey and YubiHSM into their products, and make it easier for our users to discover all of the integrations that enable hardware-backed authentication on our online catalog.

Designed to address varying needs, we’re introducing two new tracks to program membership—self-verified and Yubico-verified—and also made it possible for our community of users to submit YubiKey integrations for catalog listing.


The Yubico-verified track provides a way for companies that wish to engage in a deeper business relationship with Yubico to help amplify their YubiKey integration and work together as business partners. Want to partner with us? Let us know.


Yubico now provides a self-verification checklist for companies that wish to verify their own integrations and ensure they have the essential features to meet our usability guidelines. This track enables companies to independently manage their own catalog listings, and engage in periodic marketing activities without any joint business plans. Verify your integration now.

Lastly, we’re providing a way for you, our users, to submit community listings for YubiKey integrations that you know and love, and may not yet be listed in our catalog. We also encourage you to tweet at your favorite companies to request that they build support for YubiKey authentication.

With these new updates to the Works with YubiKey Program, we hope to provide companies with a new platform for showcasing their products and commitment to user security, and at the same time, ensure that users don’t miss out on all the great integrations available today.

If you are interested in becoming a Works with YubiKey Program member, but don’t yet support Yubico products, start with our Developer site.

Camila Brindis

3 Factors to Consider on the Path to Digital Transformation

Digital transformation, by definition, is the use of new, fast, and frequently-changing digital technology to solve problems. When done successfully, digital transformation can help businesses be more agile, so they can quickly innovate and adapt. Recent reports have shared that 56% of surveyed CEOs said digital improvements have led to increased revenue, and digital-first companies are 64% more likely to achieve their business goals than their peers.

Digital transformation is exceedingly relevant today, as it has been the past few months during the COVID-19 pandemic, given the dramatic shift in how companies operate across the globe. To keep up with the demands of a remote workforce, many companies were forced to adopt cloud-first strategies and modernize in haste, without having enough time to consider implications to cost, complexity, and security. 

Cost: Develop an investment strategy.

Many companies have made the mistake of adopting modern technology for technology’s sake, without being able to achieve business outcomes. Of the $1.3 trillion spent on digital transformation in 2018, an estimated $900 billion was wasted when initiatives didn’t meet their goals. That’s 70% of the overall spend! As with any big investment, companies headed toward digital transformation need to develop a solid strategy before investing in new technology, so they don’t end up paying for services and tools they don’t actually need. 

Complexity: Adopt technology that enhances—not slows down—productivity.

Digital transformation, with its many advantages, also introduces new complexity. Companies now need to adopt new infrastructures, deploy new applications, acquire new services, and support new customers (both internal and external) more than ever before. The challenge can be exponential.

Jake King, Co-Founder and CEO of Cmd, shared the need for modern approaches that enable the workforce without slowing them down. “As mission-critical, data-rich environments move to the cloud, it’s more than just the platform that is changing. These applications are accessed by lots of employees in iterative cycles that are getting faster and faster.”

A new report emphasizes this, sharing that 56% of individuals will only adopt new technologies that are easy to use and significantly improve account security. According to Dr. Shimrit Tzur David, CTO and Co-Founder of Secret Double Octopus, companies must consider strategies that meet the challenge of balancing usability with security. “To fully enjoy the benefits of digital transformation, companies should adopt innovative mechanisms like passwordless authentication that deliver a seamless and easy user experience across the enterprise while dramatically boosting security,” she said. 

Security: Enable strong authentication across systems and services.

With the adoption of new technology, and a rapid increase of employees and customers who rely on this technology, comes a new and sometimes unforeseen set of security risks. With remote work on the rise, unsecured WiFi networks and the use of multiple computers and mobile devices have given hackers plenty of new attack vectors and surfaces to exploit. 

Hed Kovetz, CEO and Co-Founder of Silverfort, identified SSH credentials used to access business servers as a high-value target for hackers, as they are used by developers and systems administrators who may have higher access levels to critical systems and data.

“Securing remote access doesn’t end at the VPN. It’s important to protect all forms of remote access, especially RDP/SSH to internet-facing servers and administrative interfaces like PsExec,” he said. “It’s also important to monitor and analyze access beyond the perimeter, to on-premise and cloud resources, in order to detect and respond to threats.”

Understanding that security is only as good as its weakest link, Shashank Rajvanshi, Product Management Consultant at RSA, shares that digital risk can be managed through a practical, phased approach. “Since passwords represent the weakest link, the first step in minimizing risk is adding layers of security using multi-factor authentication (MFA), and eventually going passwordless with methods like FIDO-based authentication,” he said.

James LaPalme, VP and GM of Authentication at Entrust Datacard, also highlighted the benefit of enabling strong authentication at the user level. “The ability to quickly and securely verify identities is a critical requirement for digital transformation,” he said. “High assurance MFA delivers the security, flexibility, and scale required for a successful digital transformation.”

As we’ve learned from the statistics and from our industry peers, digital transformation is no longer a buzzword, but an imperative for which companies must consider cost, complexity, and most importantly, security. “On the path to digital transformation, consider security at every step,” said Robert Freudenreich, CTO of Boxcryptor. “There are many advantages to digitization if you protect your business properly.”

Learn more about the path to digital transformation by tuning into our recent Q&A roundtable webinar with panelists from Entrust Datacard, RSA, and Secret Double Octopus. Watch it on demand now.

Guido Appenzeller

Yubico Expands FIPS 140-2 Certification to YubiKey 5 Series and YubiHSM2

Today, we are happy to share that the YubiKey 5 Series firmware has completed testing by our NIST accredited testing lab, and has been submitted to the Cryptographic Module Validation Program (CMVP) for FIPS 140-2 certification, Overall Level 2, Physical Security Level 3. Soon, the YubiKey 5 Series firmware will also be submitted for FIPS 140-2 Level 1 certification, and the YubiHSM 2 firmware will be submitted for FIPS 140-2 Level 3 certification for the first time. 

Yubico has a large number of customers that rely on our YubiKey FIPS Series security keys to keep their organizations secure, as well as compliant with government and industry regulations. With this continued certification effort, Yubico is not only doubling down on our commitment to support our current and future FIPS customers, but we are expanding the options that are available, including more certification levels and a broader range of FIPS-compliant product offerings.

YubiKey 5 FIPS Series

We are excited to be certifying another hardware module type that offers Physical Security Level 3. This allows YubiKeys to be used when Authentication Assurance Level 3 is required, and enables compliance with the Federal Risk and Authorization Management Program (FedRAMP) and the Defense Federal Acquisition Regulation Supplement (DFARS).

With both Level 1 and Level 2 certifications under way, the upcoming YubiKey 5 FIPS-validated platform will give our customers the flexibility to meet the level of compliance that is best suited for their particular needs. Key benefits of the new series will include:  

    1. Additional form factors: The YubiKey 5 FIPS Series will include new FIPS 140-2 validated form factors such as the YubiKey 5 NFC, YubiKey 5Ci, and the upcoming YubiKey 5C NFC. The YubiKey 5C Nano and YubiKey 5 Nano will also be available. Together, this combination of form factors will provide our customers with a range of choices, and open up new use cases for strong authentication on both iOS and Android mobile platforms. 
    2. FIDO2 certification: The YubiKey 5 FIPS Series will be the first line of FIDO2-enabled security keys to receive FIPS 140-2 certification. Yubico is a core contributor to the FIDO2 standard, and has helped drive native support in all major browsers and operating systems, as well as its rapid adoption in the commercial space. More recently, we have seen a surge in interest from government agencies as well. 
    3. Multi-protocol support: The YubiKey 5 FIPS Series will continue to support all of the standard protocols that are offered in our current YubiKey FIPS Series: FIDO U2F, PIV, Yubico OTP, OATH OTP (TOTP and HOTP), and OpenPGP. 


For the first time, we will also be pursuing FIPS 140-2, Level 3 certification for our YubiHSM 2 Hardware Security Module (HSM). We are excited about the prospect of offering a cost-effective, small-footprint Level 3 device. 

For more information on the YubiKey as a government-approved CAC and PIV card alternative, please listen to our on-demand webinar, “Modern CAC/PIV alternatives: Securing government teleworkers & mobile devices.”

To stay up to date on the YubiKey 5 Series certification progress, please visit the CMVP’s Module-in-Process List. Yubico will continue to release information on the YubiKey 5 FIPS Series and YubiHSM 2 FIPS as details become available. 

Kanika Thapar

Yubico releases Android SDK to improve mobile app security

Calling all enterprise developers and technology partners! Today, Yubico’s Android SDK is made generally available to equip you with the tools you need to quickly and efficiently build YubiKey support into your mobile apps. Together with the Yubico iOS SDK, you can now provide a seamless and consistent login experience for your customers and employees, regardless of their mobile device. 

With the launch of our Android SDK, we are now making it easier for apps to add YubiKey support using the YubiOTP, OATH (TOTP and HOTP), and PIV authentication protocols over both USB and NFC connections. Not all applications rely on modern authentication protocols like FIDO — particularly in the enterprise — and our new SDK delivers a uniform integration experience for all developers regardless of the authentication flow they choose.  

Fortunately, customers who are building apps with FIDO authentication can continue to use the native Android platform support.

3 benefits of YubiKey authentication on mobile devices

When it comes to mobile authentication, there are some key benefits of using a portable hardware-backed authenticator like the YubiKey in comparison to other mobile-dependent solutions like SMS or Google Authenticator. 

    1. Mobile phones are not purpose-built for security. They are multi-purpose computing devices that, by nature, have a larger attack surface. An external, single-purpose authentication device like the YubiKey significantly minimizes the level of risk exposure to malware or phishing attacks. 
    2. YubiKey authentication is up to four times faster than copying and pasting one-time codes. Not only is this a more preferred and enjoyable user experience, but it has also been shown to reduce support costs within an enterprise by up to 92%. 
    3. In some cases, app developers may want to require step-up authentication to complete a high-risk action, such as transferring a large sum of money or updating an address. As a general rule of thumb, an additional form of user verification — one that is not tied to a user’s device, which can be stolen or compromised — delivers the best level of security.

Achieving mobile security with the YubiKey in healthcare and beyond

Allscripts, a leader in healthcare information technology solutions, is one of the first companies actively working with the Yubico Android SDK to make YubiKey support available in the upcoming releases of Allscripts Sunrise™ Mobile and Allscripts Professional™ EHR Mobile and Desktop.

Due to the complex compliance requirements and fast-moving nature of hospitals or other healthcare environments, it’s important that doctors, nurses, and medical staff have quick, yet secure, access to critical systems and information.

“By integrating directly with the Yubico SDK, Allscripts is improving the multi-factor authentication (MFA) experience that is needed to comply with the electronic prescription of a controlled substance (EPCS),” said Steve Pascht, Allscripts Senior Solutions Manager. “It’s easier for providers to use hard tokens on mobile and desktop platforms by simply plugging in — and eventually tapping — the YubiKey without having to read, remember, re-type, or copy and paste OTP codes when prescribing controlled substances.”

In addition to healthcare, the advantages of YubiKey mobile authentication span many industries including financial services, manufacturing, retail, and technology, many of which have already integrated our iOS SDK into their apps.

Get started with building YubiKey support into your mobile app

At Yubico, we strongly believe in the power of the ecosystem and community development. Developers and partners building enterprise and consumer apps are key to how Yubico architects products and we are committed to enhancing our software portfolio to enable all use cases across all platforms. 

If you’re interested in building a YubiKey-enabled mobile app or you would like to explore the latest Android SDK, check out our GitHub repo or developer guides.

Ashton Tupper

Google enhances mobile security on iOS with YubiKey support via NFC and Lightning

We are excited to share that Google has added WebAuthn support on iOS, which begins rolling out to users starting today! This means that you can now use YubiKeys on your iPhone and iPad when accessing Google’s iOS apps and web services on the Safari browser. The expanded support of strong hardware-based authentication can now be used via the Lightning connector (YubiKey 5Ci) and NFC (YubiKey 5 NFC, Security Key NFC). For individuals with YubiKey models that may not be NFC enabled, it is also possible to use the Apple Lightning to USB Camera Adapter.

In other words, you can now protect your personal and work Google Accounts, the Advanced Protection Program (Google’s strongest account security offering), and even services like Meet, Nest, and YouTube, with the most secure and easy-to-use security keys on Apple devices.

Many individuals and organizations around the world rely on Google products to power their day-to-day applications and communications, and provide fast and simple logins into many other web-based services. Now, this new functionality on iOS opens the door to every single Google user, to heighten their mobile security with increased YubiKey options.

With today’s rapidly growing remote workforce, G Suite administrators will benefit from this added level of protection to secure employees regardless of location. Earlier this year, Google shared that they’ve seen no evidence of a successful phishing attempt on accounts enrolled in APP to date. With added Lightning and NFC support, organizations and users can now achieve zero account takeovers on iOS.

The YubiKey 5Ci is the only multi-protocol USB-C and Lightning equipped security key to provide strong authentication on iOS devices and a range of other USB-C enabled machines. Today’s news adds to the growing list of services that support the YubiKey 5Ci and Lightning connection including: 1Password, Bitwarden, Dashlane, Idaptive, Keeper, Okta, and more.

To celebrate this milestone, we are offering a limited-time exclusive promotion for Google Cloud and G Suite customers. Account administrators can request a one-time introductory discount of $20 off any two (2) YubiKey 5 Series, up to 20 keys ($200 maximum discount value), for their employees to experience the ease-of-use, strong security, and diversity of YubiKey form factors. This promotion is available globally until June 30, 2020, and can be redeemed via this link.

Additionally, for large organizations with remote and dispersed workforces who want to add YubiKey protection to their G Suite Accounts, they can immediately benefit from our new YubiEnterprise Delivery service. YubiEnterprise Delivery allows organizations to easily ship YubiKeys directly to individual employees, partners, and customers across the globe.  

For more details on this new functionality and to learn how Yubico can help to secure your organization, register for our upcoming webinar “Securing Google and G Suite Accounts with YubiKeys” on June 10, 10:00 AM PST.

Ronnie Manning

Acing election security in 2020: A conversation with Defending Digital Campaigns

2020 is a big year for the US electoral system, and with society moving to a remote structure amidst the current climate, elections may very well be the next big sector to feel an impact. US citizens could find themselves voting entirely remotely — possibly through mobile phones or otherwise — changing the election security landscape as we know it.

Remote or not, election security is not a new challenge. From securing voter registration databases to preventing account takeovers for political candidates and government officials, federal, state and local governments have been trying to get their hands around election security for years. Yet, one of the fundamental cornerstones of effective governance is ensuring the security and integrity of elections and other political processes. 

Voting systems have seen little technology innovation throughout the course of US history, until more recently. Some states, for example, have started implementing mobile solutions to help with the tracking and recording of polling results. These trends will only continue with COVID as a forcing function, and governments that are not equipped to securely embrace a virtual voting system at scale will have hard lessons to learn.

As a government-approved authentication solution, YubiKeys are used by many agencies and political campaigns. In fact, Yubico is a Defending Digital Campaigns (DDC) partner to help secure campaigns as they navigate the uncertainties of the 2020 election cycle. 

To share some perspective from the front lines of election networks, we recently sat down with Michael Kaiser, President and CEO of DDC, to discuss what’s top of mind for this year’s election security.

What kind of work does your organization do? 

Defending Digital Campaigns (DDC) was founded with a focused mission of providing free and cost-reduced cybersecurity products and services to federal campaigns. We serve the House, Senate, and presidential campaigns as well as national parties and committees. DDC works with companies to come up with offerings to the campaign ecosystem and provides some support to get products implemented.

What risks do political campaigns, candidates and election networks face around the world? 

We can expect more vigorous phishing attacks, data stealing, ransomware, disinformation and misinformation efforts. The kind of attacks that do occur will be based on the motivations of the perpetrators. It could be nation states trying to divide us and be disruptive, a person in our own country opposed to a particular candidate, or cybercriminals stealing data to be monetized by conducting scams like business executive compromise, or seeking payments through ransomware. 

Most cybersecurity professionals I talk to believe that phishing remains a major vector of attack. Credential stealing is one of the ways attackers gain broad access to a network and from there instigate malicious activities. People are vulnerable to social engineering efforts, and creating and sending phishing emails is not a heavy lift for cybercriminals. Specifically, we do expect to see more ransomware and stepped attacks to steal confidential, potentially embarrassing, or detrimental data. As we get closer to elections, attacks may increase and the more we will see attempts to disrupt our campaign process.

Are we seeing cyber security risks to the US 2020 presidential elections? How are these risks different from those in prior elections?

For bad actors wanting to disrupt our democracy, cause chaos, steal a wealth of data to manipulate people or monetize, presidential campaigns are prime targets. As we have seen in previous cycles, the impact of a cyber incident on presidential campaigns can be significant.

Presidential campaigns need to be viewed as large enterprises. They grow quickly to many thousands of geographically spread out employees and volunteers, have tremendous amounts of data, and are highly dependent on a full spectrum of technology – all ingredients for increasing risk. 

What measures are you advising campaigns, political candidates and election networks to take to ensure they are protected?

The Federal Election Commission Advisory Opinion that allows DDC to bring free or reduced cybersecurity services to bipartisan campaigns is for federal campaigns — House, Senate, presidential — and national parties and committees. The vast majority of campaigns eligible for DDC’s help are House campaigns that likely have between 5-15 people at the core of the campaign that need to be protected. 

From the way we think about cybersecurity, these campaigns look a lot like small businesses. And while that’s true in some ways, they differ in others. These campaigns have what I call “squishy” perimeters. They use many volunteers and consultants and there are many other critical people in the orbit of the campaign, including a candidate’s spouse and children and close confidants.

We focus on making sure campaigns implement the basics: multi-factor authentication, encrypted communications, and protected websites. We encourage campaigns to focus on who needs protection because they have access to the campaign’s core and confidential workings. We also encourage that campaigns take advantage of security features that might be built into the systems they are already using such as Windows, Microsoft Office or G Suite.

How do you see Yubico partnering with Defending Digital Campaigns to help ensure the integrity of elections?

YubiKeys represent a foundational and critical building block of any cybersecurity effort. Protecting credentials is step one for every campaign in the country and Yubico addresses that issue directly and comprehensively. DDC is thrilled to have Yubico as one of its partners.

Learn more about how Yubico helps governments ensure election integrity by securing sensitive information across government elections and political campaigns. 


Guido Appenzeller

Quickly and easily secure remote workers with YubiKeys through YubiEnterprise Delivery

In the current situation of social distancing, record percentages of employees working from home have added complexities to securing the workforce. In fact, many of our customers have expressed that the actual distribution of YubiKeys to remote, individual employees is a real challenge. To help fix this issue, we are excited to release our second YubiEnterprise Services offering today: YubiEnterprise Delivery. 

With YubiEnterprise Delivery, US and Canada-based organizations can ship YubiKeys directly to employees, partners, and contractors in more than 30 countries across the US, Canada, and Europe. Delivery requests can be entered online via the YubiEnterprise console individually, in bulk through a CSV file upload, or programmatically through an API. Leveraging the API option enables IT administrators to fully automate the distribution of keys as part of the user onboarding and allows for integration with in-house service catalogs like ServiceNow. 

While Yubico takes care of the shipping logistics and simplifies YubiKey distribution, enterprises can focus on what matters – securing the workforce. Whether your organization has experienced an uptick in remote workers, has scarce IT resources, or has hiring surges throughout the year, YubiEnterprise Delivery makes it easy to quickly distribute YubiKeys to employees no matter their location.

For Remote Workers

IT administrators can experience cost-effective, turnkey shipping and tracking capabilities, with YubiKey delivery directly to employees’ doorsteps.

For Limited IT Teams 

Typically, IT teams are stretched thin managing the many business-critical applications that keep an organization running. By simplifying delivery, distribution, and management of inventory, organizations can operate efficiently without hindering security or productivity. 

For Seasonal Hiring 

Managing security logistics and inventory has its challenges when hiring activities increase during specific times of the year. With the combination of YubiEnterprise Subscription and Delivery, Yubico customers have the flexibility to accommodate hiring surges and focus on the busy season ahead. 

With YubiEnterprise Subscription, organizations can seamlessly add users midterm to existing subscriptions. Benefits also include the ability to replace or upgrade 25% of your user subscription with new YubiKeys, which can be leveraged to accommodate employee churn, lost keys, or support an influx of seasonal workers. With these options, added users can quickly receive YubiKeys via YubiEnterprise Delivery. 

If you’re looking for an easy, flexible solution to improve your organization’s security landscape, let YubiEnterprise Services own the logistical difficulties. Work with your Yubico sales representative to set up your YubiEnterprise Delivery console with your YubiKey order today. 

For a limited time only, any qualifying Yubico customer that purchases a 3-year YubiEnterprise Subscription with prepayment before June 26, 2020 will be eligible for free YubiEnterprise Delivery shipments within the US and Canada until September 30, 2020.

For terms and conditions, as well as YubiEnterprise Delivery pricing details, please visit our YubiEnterprise Services page.

To learn more about the business advantages of YubiEnterprise Services, view the on-demand webinar, “YubiEnterprise Services: Hardware Authenticators as a Service.”

Camila Brindis

Password Management: Securing Businesses with Small, Yet Mighty Teams

Now more than any other time in history, businesses are working remotely. Going virtual, while enabling collaboration and helping to maintain regular business operations in these trying times, introduces a fair amount of challenges.   

Data shows that businesses with smaller teams have been increasingly targeted by hackers and cybercriminals in recent years. In fact, about one third of the 850 global businesses in this study report suffering a cyberattack in the last year.  

Poor password hygiene in the workplace continues to be a problem. Data shows that employees consistently set basic, formulaic, and recycled passwords that can be easily exploited.  For any organization, this poses a security risk, and can lead to a loss of money, draining of IT resources, and a damaged brand. Businesses adapting to remote working infrastructures should prioritize password best practices to enable their newly remote teams to work efficiently and securely.  

So what’s the first step?  A fast and affordable way to ramp up security for a small yet mighty team is with a password manager. Password managers mitigate the inherent challenges of memorizing dozens of complex passwords by storing users’ passwords in an encrypted vault. Additionally, password managers can generate unique and extremely strong passwords for each online account and service.  

The next step is to enable YubiKey two-factor authentication (2FA) for your password manager to ensure that the passwords in your vault are protected by a physical key, regardless of operating system. The YubiKey delivers the strongest, hardware-based defense against phishing and other threats leading to account takeovers. The combined solution of a password manager and a YubiKey is an easy way for businesses to bolster account login security—no matter the size of their team.

At Yubico, we take pride in our ecosystem of technology partners, a number of whom are password managers and services that advocate for better password management. 

“The workplace is changing more rapidly than we ever imagined, and this brings new security considerations. To keep a tight grip on who can access, amend, and share your data stored using the cloud, it’s best to use a password manager like 1Password in combination with multi-factor authentication.”

Matt Davey, COO, 1Password

“At Bitwarden, we empower individuals, teams, and organizations to store and share sensitive data easily and securely. We are proud to partner with Yubico to build a strong security foundation for our users.”

— Gary Orenstein, Chief Customer Officer, Bitwarden

“Our world and workspaces are changing fast due to the current crisis. Private devices are now used for work, which leaves user credentials at risk and in need of protection. With a smart password manager protected with a YubiKey, you keep important and confidential company data secure.”

— Sergej Schlotthauer, VP Security & Strategic Alliances, Matrix42

“Don’t give attackers a single target. Use a different password everywhere, a different email address, or alias with subscriptions, and protect your accounts with a hardware authenticator. Your other accounts won’t be at risk in the event one account is compromised.”

— Ricardo Signes, CTO, Fastmail

As your business transitions to an increasingly remote working environment, consider investing in a password manager plus the YubiKey for easy to use, hardware-backed 2FA. Want to learn more? Watch our roundtable Q&A with 1Password to hear expert insights and best practices on effective password management.

Yubico Team

Star Wars Day Promo: May the 4th Be With You!

You don’t have to travel to a galaxy far, far away to find a more wretched hive of scum and villainy. Sadly, our world is facing an ever-growing number of phishing attacks from data smugglers (work with us here). But there is hope. A new force has awakened…


And you’re armed with this… a YubiKey. The YubiKey is the spark that’ll light the fire to bring an end to account takeovers. With it, you are a security Jedi with the power to prevent attacks with just the touch of your finger.

As the weapon of choice for a security Jedi, the YubiKey is not as clumsy or random as SMS or mobile apps. Rather, it’s an elegant tool for a more civilized age – this is the way.

To celebrate Star Wars Day, we’re including a limited-edition galactic YubiStyle cover with any qualifying YubiKey purchase made on our e-commerce store during May the 4th.* Armed with this unique YubiKey, you will restore balance to your digital accounts, but hurry, these will be gone faster than light speed. To make a purchase, visit the Yubico Store

May the 4th be with you!

*Promotion is valid for all purchases including a YubiKey 5 NFC, YubiKey 5C, Security Key by Yubico, or Security Key NFC by Yubico. Offer begins at 12:01am PT on 5/4 and ends at 11:59pm PT on 5/4.

Sebastian Elfors

YubiKey secures remote workers during COVID-19 as government-approved alternative to PIV and CAC cards

In the matter of just one week, Google reported that it saw more than 18 million daily malware and phishing emails related to COVID-19. That’s an astonishing number, and one that is not likely to slow down any time soon. 

For organizations across the globe, it is imperative to quickly, securely, and affordably fill existing security gaps to effectively support remote workers. For government agencies, the stakes are even higher. It is critical to protect and sustain our government infrastructures in a time when many citizens are relying on these services more than ever before. 

Preventative measures against phishing are not new, but scaling them quickly across an organization is. This is uncharted territory for many government agencies, and the Personal Identity Verification (PIV) and Common Access Card (CAC) authentication infrastructure lacks the convenience and flexibility required to support a rapid shift to remote work environments. While PIV and CAC set a high bar for security, they rely on in-person identification to issue credentials — an impractical requirement when servicing droves of new remote workers or renewing recently expired credentials. 

US government releases guidance on securing remote workers

Recognizing the immediate need for increased security without disrupting productivity, the United States White House Office of Management and Budget (OMB) released a directive for the broader government. The memo acknowledges three main points: 

    1. Not all agencies may be able to issue PIV credentials during the time of remote work.
    2. Agencies are directed to use the breadth of available technology capabilities to fulfill service gaps and deliver mission outcomes. 
    3. Agencies should be prepared to issue an alternate credential or authenticator for physical and logical access.

YubiKey approved as PIV alternative for strong authentication 

For federal entities, we know that this means finding applications and solutions — like the YubiKey — that already have the government seal of approval and a federal terms of service agreement to enable rapid and seamless deployments. 

“A FIDO security key can help bridge the gap,” explains Jeremy Grant, Managing Director of Cybersecurity at Venable, and former Senior Advisor to the Obama Administration’s National Strategy for Trusted Identities in Cyberspace.

“Much like the PIV card, FIDO security keys leverage public key cryptography for authentication, which can’t be phished — an important benefit at a time when we’re seeing an explosion of COVID-related phishing attacks,” continues Grant. “Agencies can mail FIDO security keys directly to employees needing strong authentication, and because they work via USB and NFC, they don’t require a specialized reader as PIV cards do.”

FIDO security keys are 1 of 3 government-approved alternate authenticators, according to the Department of Defense. This guidance was released as early as 2018, demonstrating that the US government recognized the need for agile, adaptable, and affordable security solutions long before COVID-19.

Global governments recommend multi-factor authentication to protect remote workers  

Efforts from the US government are underscored by similar initiatives by many other leading government agencies around the world. For example, the British NCSC (National Cyber Security Centre) and European Union Agency For Cybersecurity (ENISA) both issued guidance on best practices to secure citizens and employees working remotely, and strongly recommended multi-factor authentication (MFA) as a top priority. 

For more information on the YubiKey as a federally-approved authentication solution, tune into our latest on-demand panel webinar with Danelle Barrett, former US Rear Admiral, and Director Navy Cyber Security and Deputy Chief Information Officer. 

Additionally, read how FIDO2 is aiding eIDAS (electronic identification, authentication and trust services) as the legal basis for cross-border interoperability of electronic identification, authentication, and electronic signatures amongst EU Member States

Guido Appenzeller

3 reasons to use Yubico Authenticator on desktop computers

Did you know that the Yubico Authenticator app is available for desktops as well as mobile devices? Today, we are excited to announce the support of the Yubico Authenticator desktop versions on their respective platform stores (Mac App Store, Microsoft and Snapcraft). 

Achieving strong protection with authenticator apps  

Authentication mechanisms today need to be highly secure, usable and portable, and these are the exact same principles we used to build Yubico Authenticator. Similar to other authenticator apps, Yubico Authenticator generates a one-time code used to verify your identity as you’re logging into various services. However, unlike other authenticator apps, the secrets are stored in the YubiKey rather than in the app itself, making it necessary for a user’s YubiKey to be physically present to receive the time-based codes. 

Because secrets are stored on your YubiKey, if you change phones or laptops, there is no porting or re-registering of accounts required, regardless of operating system. Furthermore, the secrets cannot be stolen from the hardware key. 

Yubico Authenticator advantages for desktop users

With recent availability of Yubico Authenticator on the Mac, Windows, and Linux app stores, we are able to seamlessly deliver the same security, portability and usability benefits of the product to desktop users. Besides simplifying and accelerating the authentication experience across many services and platforms, Yubico Authenticator for desktop carries specific advantages. It enables two-factor authentication (2FA) across unique environments including: 

Desktop VPN authentication 

Yubico Authenticator for desktop enables seamless VPN integrations by generating one-time codes for use with desktop VPN clients such as Cisco AnyConnect, Pulse Secure, or AuthLite. With the recent influx of remote workers, this is particularly useful in helping to secure employees who are working from home.

Mobile-restricted environments 

Not all corporate setups allow for the use of mobile devices, making it impossible to use mobile-based authentication methods such as SMS or authenticator apps. Since Yubico Authenticator stores secrets on the YubiKey, users are able to replicate the same time-based codes that would be on a mobile device, on the desktop. This is particularly advantageous for corporate setups where mobile devices are restricted, such as call centers or doctor’s shared devices. 

Multi-device sign in 

According to a recent survey from Ponemon Institute, individuals use an average of 5 devices to access online accounts. With a YubiKey and Yubico Authenticator, the same secrets are accessible on desktop computers as well as mobile devices. This makes it easy to authenticate without needing to re-register every service with the authenticator app on different platforms.

Setting up Yubico Authenticator for desktop 

Simply download the app for Windows, macOS, or Linux depending on the machine you’re using. Open the app, insert your YubiKey, and begin adding the accounts you wish to protect by scanning the QR code provided by each service. Yubico Authenticator is also available for download on iOS (iPhones and iPads) and Android operating systems. 

Now you’re all set! Start using the Yubico Authenticator app and your YubiKey as a second factor to securely log in to your services.

For added convenience, head over to the Yubico store to pick up a YubiKey 5Ci for seamless authentication across desktop and mobile devices!  

Yubico Team

Top Yubico Partners to Modernize your Workplace Login

The workplace is evolving and expanding well beyond the four walls of a corporate office, and with this expansion comes new questions about how to secure employee login. In 2019, fifty-one percent (51%) of IT professionals said their organization experienced a phishing attack, making it critical for organizations to identify solutions that employees can use to access critical workplace systems and data while staying safe from rising attacks.

As your organization is on the path to modernizing workplace login, security at the individual user level is more critical than ever. Secure login is fundamental to preventing unauthorized access, and when done really well, results in: 

Through our extensive partner network, Yubico offers organizations a broad range of choices in the way users can securely log into their workstations and computers. Whether aiming for a cloud-first or hybrid environment, strong authentication can be implemented to protect access everywhere, all based on the systems users need to access.

Last month, we shared 5 ways the YubiKey can protect your remote workforce from phishing and other attacks. This month, we are featuring five of our partners to share tips on how our joint technologies can enable your organization to modernize the login experience to desktops and laptops as well as cloud-based apps and services. 


“Strong authentication is fundamental to modernizing the workplace. YubiKeys provide seamless multi-factor authentication (MFA), while systems like MyID give IT teams the control they need to issue and manage YubiKeys simply and at scale.” – Allen Storey, Chief Product Officer, Intercede


“The best experience you can give your users is one that doesn’t require them to learn new ways or new habits. Rather than distributing new usernames and passwords, you can leverage the credentials they already use to sign in to their devices.” – Sue Bohn, Director of Program Management, Microsoft


“MFA doesn’t have to be difficult. OneLogin’s Trusted Experience Platform enables users to leverage WebAuthn with hardware-backed YubiKey MFA for access to enterprise apps and services. With our integration, companies can reduce MFA friction with OneLogin SmartFactor, and increase their overall security posture.” – Brandon Simons, Director of Product Management, OneLogin


“By partnering with Yubico, we’re making it easy to deploy the YubiKey as a smart card using our onboarding software plus PKI Services to secure app authentication, VPN, desktop logon, and more.” – Tom Rixom, CTO, SecureW2

Bottom line: Organizations undergoing digital transformation require modern, secure, and flexible authentication approaches to protect critical data. Whether you’re considering MFA by adding another layer of protection on top of a username and password, or potentially replacing passwords altogether, the multi-protocol YubiKey is equipped to handle it all. 

Join our upcoming partner roundtable discussions to hear expert insights and best practices on modernizing workplace login. Use the links below to sign up now! 


Stina Ehrensvard

Staying safe in our physical and digital worlds

Most of our lives are now connected on the internet. We stay in touch with our loved ones, order food, talk to our doctors, do our banking — and now, many of us also work from home. 

We are all facing challenges we did not predict a few weeks ago. Never before has our society been more dependent on the internet, and never before have people been more vulnerable. Each individual is now exposed to more phishing attacks and we are seeing a new wave of cyber threats capitalizing on the fear surrounding the pandemic.

While hero first responders and doctors are fighting for lives attacked by a biological virus, the global IT security standards community is doing its best to protect us in the digital world. The human body and the internet are both amazing complex structures that will always be attacked, but we are resilient. 

Last year at BlackHat USA, the conference issued its annual 2019 Black Hat USA Attendee Survey, in which one question asked what cybersecurity technologies have been most effective for data security and privacy online. The response was clear: multi-factor authentication (MFA). MFA was the highest ranked security tool for protecting enterprise data, with 82% of respondents citing it as effective. 

History has shown that if we come together and collaborate on solutions, we can invent cures. During the last decade, our team at Yubico has worked closely with internet giants and open standards bodies, and together we invented the best authentication solutions to prevent remote account takeovers: FIDO U2F, FIDO2 and WebAuthn. See the stats below, or read the full research here. 

Since a few weeks ago, most of the Yubico team is working from home, but we have been fortunate to continue to serve our customers, partners and developer community around the world. Moving ahead, we are committed to help make the world safer by continuing to contribute to open security standards, and providing free open source tools and support for technology that makes a difference. We will also continue to donate YubiKeys to non-profit organizations supporting a free open internet and free speech to safeguard security for the world at large.  

Without doubt, the world is in a crisis. But no matter how difficult things get, there is often a way, and through these challenges we can boost our spirits and immune system if we find things that make us smile. A couple of weeks ago, the Yubico team made a short video to explain how FIDO authentication works, which made me smile. I hope it can do the same for you.

Stay healthy and safe. 

P.S. — If you want a dog to look at a computer screen, show cat videos. To learn more about how to secure your remote workers, tune into any of our upcoming and on-demand webinars on BrightTALK

Chad Thunberg

A CISO’s best advice for protecting a rapidly evolving remote workforce

As Yubico’s Chief Information Security Officer (CISO), I am responsible for the company’s security, risk management, and compliance programs. I have more than 20 years of experience solving complex security scenarios, but I have yet to encounter the unique landscape that we are collectively facing as IT leaders. 

Many of my peers and businesses across the globe are suddenly navigating new security complexities associated with managing a remote workforce — and it’s tough. Not only are IT teams scrambling to establish or scale technical infrastructures that can protect a rapidly growing remote workforce, but employees are also facing their own set of challenges. 

People who have never worked outside of an office before are now working from home; fear, uncertainty and doubt are on the minds of many; and most everyone is distracted by the influx of news, lack of social connection, or disrupted home routines. The unfortunate reality is that hackers thrive in times of crisis, when the likelihood of human error is in their favor.

While the state of current events can feel disheartening — even impossible — there are ways for organizations to immediately elevate their remote work security posture while also helping employees to feel supported. The following three areas will provide some immediate benefits to any organization, and will foster a more resilient working environment for everyone as we move forward together. 

Deploy strong authentication technology to secure remote access. 

Strong multi-factor authentication, like the YubiKey, serves an important role in providing an additional level of confidence in a user’s proof of identity. This is especially important with the changes in workflows. Behavioral- and heuristics-based detection controls may not function as well as intended, at least in the near term. Companies will need to rely on preventative measures until their detection systems are re-tuned and adapted.

Additionally, companies should expect to see an influx of social engineering attacks on all employees, but also specifically targeted at support personnel. These individuals are going to be inundated with support calls from employees, and will be working quickly — maybe even around the clock — to resolve issues. It’s the perfect environment to capitalize on user error, and I suspect we’ll see an increase in stolen credentials and hijacked accounts as a result. 

Maintain endpoint security, and plan for increased use of personal devices. 

Without oversight into employees’ work environments, it is necessary to have increased confidence in the endpoints that are accessing the company infrastructure. Environmental factors can pose significant threats, including the unauthorized use of corporate assets by family members or the use of personal devices to access corporate assets. Both of these scenarios can increase the likelihood of a successful malware, ransomware, or phishing attack.

Using anti-malware or firewall software, strong authentication for computer logins, and simple best practices like frequent software updates or screen locking are critical to maintaining control of endpoints in unsecured work environments. 

Establish backups to address ransomware threats for remote workers.

A remote workforce is more likely to work offline and to store information on both company-issued devices and personal machines. A successful ransomware attack on either may lead to a greater impact on the employee and company. 

Successful recovery will require frequent and automatic backups of that information. Backups should happen seamlessly and not require the user to be connected to the corporate network via VPN.  

One of the main reasons I chose to join Yubico is to help address fundamental security issues facing the world. I believe now more than ever, our mission is critical to help ensure frontline and remote employees can work seamlessly without additional security risks. 

Even after companies begin to reduce their remote workforce and transition back to in-office working parameters, a business continuity plan with these three focal points will provide a sustainable security foundation to mitigate future risk.  

If you’re looking for other helpful tips on securing your remote workforce, tune into our on-demand webinar, ‘5 Ways to Protect Remote Workers From Account Takeover.’ Yubico’s Chief Solutions Officer, Jerrod Chong, shares some of the best practices for protecting identity and access management (IAM) platforms, VPN and VDI solutions, computer logins, SSH sessions, password managers, and more.

Alex Yakubov

The Critical Role of Frontline Workers

I am in awe of how the world is coming together, setting aside our differences and making bipartisan decisions to do what’s right for humanity and to help everyone adjust to a more remote and distanced coexistence. Security professionals, risk and legal officers, operations leads, and finance heads everywhere are working through plans to ensure their employees are supported and safe, all while trying to avoid unintended business consequences down the line. 

At Yubico and Axiad, we know that user groups often vary, including those that can make the shift to work from home, and others — like medical, and public safety professionals — that cannot due to the nature of their work. In fact, eighty percent (80%) of the global workforce doesn’t actually sit at a desk. 

The United States Department of Labor reports almost 70 million Americans work in occupations including services such as healthcare practitioners, protective/public safety, food preparation, building cleaning and maintenance, personal care, natural resources, construction, production, shipping, transportation, and more. 

The critical role that frontline workers are playing in today’s health crisis emphasizes the need to enable productivity (like preventing lock-outs due to forgotten passwords), maintain compliance, and eliminate complexity. 

To help navigate top authentication challenges facing frontline workers, Yubico and Axiad are hosting four (4) virtual meetups for security professionals in the NYC, San Francisco, Midwest, and South Central areas. A current Yubico and Axiad customer will also join to facilitate a discussion on handling temporary workers, emergency licensure laws, and other real-world scenarios currently facing many enterprises. 

Attendance is limited, so make sure to sign up today and reserve your spot! 

New York

April 14, 2020 at 10am ET


Midwest

April 15, 2020 at 10am CT

South Central

April 23, 2020 at 10am CT

San Francisco Bay Area

April 28, 2020 at 10am PT

If you aren’t able to make one of these virtual meetups, please contact us and we will be happy to schedule a private discussion around your unique needs. 

Thank you for doing your part to keep the world safe! We are honored that millions trust Yubico to solve their toughest authentication challenges.


Ronnie Manning

Top 10 tips from employees for working from home

Recently, remote access has become the new way of working for many businesses and our team at Yubico has also had to adapt to this new reality.  

Last week, we published the first entry in our remote working blog series: 5 ways the YubiKey can protect your remote workforce from phishing and other attacks. Now, with our second blog, we wanted to provide some insight — in a lighter tone during these challenging times — on remote work tips direct from Yubico employees. We asked our team for their top remote working best practices, and summarized the list below. We hope our team’s advice can be useful for anyone working from home. 

Q: How do you successfully work from home?

  1. “Create a work-only space. Whether that be a spare bedroom or a corner in your kitchen. It should be devoid of all other home projects or distractions.”
  2. “Create or buy an ‘On air’ sign to hang on your office door or otherwise display so others in the house know when you need uninterrupted work time.”
  3. “Posture and ergonomics are important. Move around and stretch and take as many walking calls as you can, and if possible outside. Fresh air also gives clarity to the brain.”
  4. “Fuel yourself! Don’t get hung up on work so much that you forget to eat and drink.”
  5. “When possible, use the video when communicating with your teammates. Even though we are working independently, it can make it feel like we’re at the office together.”
  6. “For every 30 minutes spent staring at your screen, look away for at least 20 seconds to focus on something outside your window. Your eyes will thank you.”
  7. “When working at home with cats, be sure to CLOSE your laptop any time you leave it for more than a minute or two, because cats, attracted to the warmth, love to sit on the keyboard.”
  8. “Take advantage of working at home, like taking a couple of minutes to chat with your family or put the laundry in the dryer. Those small breaks sprinkled through the day will make you more productive.”
  9. “Over communicate across all of the teams you are working with, as nuances might be lost when working remotely.”
  10. “Use a YubiKey, or some form of two-factor authentication, whenever and wherever you can to protect your work and personal applications.”

So how are you coping with working from home? What is the best advice you can give? Please join the conversation! Click here to send a tweet with the hashtag #YubiHome (get it?!), and share your advice for anyone who may be new to working remotely. 

For additional information on how organizations are using YubiKey to protect remote workers, sign up for our webinar on March 26, ‘Enabling employees to work securely from home’.

The last few weeks have set new high records of account takeovers and phishing attacks across the globe. At Yubico, we are dedicated to continue to serve our customers and make working from home safer for all. 


Alex Yakubov

Diablo Valley College students implement WebAuthn in 24 hours

What do you get when you mix six hundred developers, twenty-four hours, twelve challenges and a mass of cash and prizes? The nation’s largest challenge-driven hackathon, hosted by DeveloperWeek in San Francisco.  

Hackathon participants get just twenty-four hours to create a working proof of concept to solve some of the world’s most pressing problems. Yubico challenged developers with a user-centric approach to security. We were looking for the best integration of strong two-factor, multi-factor or passwordless authentication with the YubiKey to protect sensitive user information. Ten teams took on the challenge, all with excellent use cases and implementations, but we could only nominate one winner. 

This year, Yubico chose FoodHopa as the winner of the 2020 Yubico DevWeek Hackathon Challenge. FoodHopa was born out of the simplest of concepts — how can environmentally conscious college students help reduce carbon emissions and save the world while feeding themselves and their friends, all on a shoestring budget? 

FoodHopa engineers, Michael Winailan & Scott Sunarto

Developed by engineering students Michael Winailan and Scott Sunarto, FoodHopa aims to match restaurants with surplus food to hungry eaters. The idea is that one driver delivers food to one centralized location instead of making multiple deliveries to multiple locations. By bringing eaters together, utilizing surplus food from restaurants, and reducing food delivery to one location, FoodHopa succeeds in reducing food waste and carbon emissions at the same time.  

In just a few short hours, Michael and Scott built a mobile app for party-goers (eaters) and a web app for party hosts (drivers) and restaurant operators. Using a web-based management platform, restaurant operators can log in to the web app using a passwordless login flow with a YubiKey. This was all built on the WebAuthn standard.

When asked why they chose to go passwordless, the savvy students told hackathon judges that a passwordless login flow was important for three reasons:

  • The food and beverage industry experiences high employee turnover rates, and YubiKeys are easy to re-issue to new employees.
  • Inconsistent hourly work schedules make it challenging to remember a complex password.
  • Memorizing complex passwords is hard, which results in weak or shared passwords among coworkers. 

Enabling a passwordless login flow and providing YubiKeys for each restaurant employee that needs to interact with the web app ensures both the restaurant and their customers’ information is kept private and secure.

FoodHopa integrates with WebAuthn and YubiKeys

What’s next for these savvy students? The FoodHopa team hopes to productize their app and take it to the marketplace by implementing credit card payments through their app. By adding strong multi-factor authentication using YubiKeys into their payment flow, they will be well on their way to achieving PCI (Payment Card Industry) compliance.  

Hackathon submissions don’t typically prioritize security—especially when the focus is on building an MVP as quickly as possible. Yubico has increased our participation in hackathons over the past few years in an effort to change that behavior, while also exploring better ways to empower non-security engineers to integrate strong authentication. If you’re hosting an upcoming hackathon, and would like Yubico to participate, please let us know at

Are you interested in integrating security into the products, services, and applications that you’re building? Check out Yubico’s developer website to get started and sign up for the Yubico Developer Program mailing list to be notified of new documentation and resources, as well as get early access to SDKs and new products.

Jerrod Chong

5 ways the YubiKey can protect your remote workforce from phishing and other attacks

In today’s enterprise journey to digital transformation, remote work is on the rise. Advancements in technology make it possible for employees to work from anywhere, but also introduce a new set of challenges for IT departments. Unsecured WiFi networks, unmanaged personal mobile devices, and phishing scams make it easy to steal user credentials and difficult to securely manage geographically dispersed teams.

While the concept of remote work is not new, it is becoming more prevalent for modern businesses. Recent global events are driving these numbers even higher, making it imperative for organizations to set processes and systems in place that not only secure remote workers, but do so without hindering productivity. We are already seeing hackers taking advantage of the current state of business uncertainty with targeted phishing attacks, making it imperative to develop a business contingency plan that includes protecting the workforce when working remotely. Enterprises need to ask, “Can employees access systems remotely without introducing new risks and vulnerabilities?” 

Enabling multi-factor authentication (MFA) should be one of the top requirements for a work from home policy. The YubiKey 5 Series and FIPS-validated YubiKey Series offer an easy-to-use, durable, and multi-function solution for all employees regardless of device type, operating system, or location. If you’re already using or want to use YubiKeys in your organization today, there are likely several other ways that you could be benefiting from strong hardware-backed authentication. 

With remote and distributed workers on the rise, here are five tips to ensure that your employees are protected from phishing and beyond, with YubiKeys: 

  • Enable MFA for identity access management (IAM) systems and identity providers (IdPs) — The best cloud and hybrid environments leverage IAM solutions to enable employees to work without the hassle of multiple usernames and passwords. Many of the leading IAM vendors offer native YubiKey support including Axiad, Duo, Google Cloud, Microsoft Azure Active Directory, Okta Workforce Identity, PingID, RSA SecurID Suite, and others. If you’re already using any of these services, you can immediately improve the level of security across your entire organization by simply turning on MFA with YubiKeys.
    • IAM vendors and IdPs can also be used for Single Sign-On (SSO) to other business-critical messaging or video conferencing apps such as Microsoft Teams, Google Hangouts and Zoom.
  • Secure VPN access with MFA — With an increase in remote workers comes an increase in the number of people utilizing a VPN to access the corporate network. Pulse Secure and Cisco AnyConnect can be configured to work with a YubiKey as a smartcard (PIV) for remote access. Other VPN applications that offer native support for YubiKeys use the one-time password (OTP) capabilities.
  • MFA for computer login — Whether you’re using a Mac or Windows machine, there are several options for securing your computer login with the YubiKey. One of the most effective ways is to leverage the smart card functionality of the YubiKey, and use the key in addition to a PIN, to lock down access to a computer. Most recently, Yubico has been working very closely with Microsoft to enable native YubiKey support in Microsoft Azure Active Directory for a FIDO-based passwordless login experience. It is now available in public preview for hybrid environments as well.
  • Step up authentication for password managers — If you are like the majority of respondents in a recent Ponemon Institute report and are still making your employees manage passwords with sticky notes and human memory, then it’s time to ditch that plan fast. Remote workers or not, your employees need a simple and safe way to create, store, and manage passwords. The YubiKey integrates with several enterprise-grade password managers including 1Password, Dashlane, Keeper Security, LastPass, and more.
  • Use a YubiKey to generate time-based one-time passcodes — Many of the services or applications you’re using internally may support time-based one-time passcodes (OTPs), generated by apps such as Google Authenticator or Authy, as a two-factor authentication method. Did you know that you can actually replace those authentication apps with the Yubico Authenticator application and a YubiKey? Instead of the OTP secrets being stored on a mobile device or computer, they are stored in the YubiKey. This allows users to generate the OTP codes within the app by inserting or tapping the YubiKey to a device. Yubico Authenticator is compatible with iOS, Android, PC and Mac.

For additional information on how organizations are using YubiKey to protect remote workers, sign up for our March 26 webinar on Enabling employees to work securely from home.

On behalf of all of Yubico, we’re committed to making secure login easy and available for everyone. To discover more YubiKey use cases, check out our solutions page. If you have questions about deploying YubiKeys within your organization, please contact us for more information.

Stina Ehrensvard

Why we designed the YubiKey the way we did

The first YubiKey was launched in 2008, inspired by the word ‘ubiquity’ and with the mission to make simple and secure logins available for everyone. At the time, we were less than 10 people in the company, but our strategy was simple: if we focused on further developing the YubiKey technology in close collaboration with a handful of tech giants, we could help make the internet safer for all.

Today, 12 years later, we are closer to this goal. Since Yubico released the first-ever FIDO security key in 2014, all leading platforms and browsers have added support for the YubiKey and the FIDO and WebAuthn standards that we pioneered. A growing number of FIDO-compatible authenticators have also entered the market, including those that are built into computers and phones — which is how we envisioned it. More organizations adopting the standards will continue to grow the ecosystem, and also benefit YubiKey users.

There may never be one silver bullet for all authentication needs, but the YubiKey is designed to cover as many use cases as possible. The current YubiKey product line is a direct result of continuous innovation and collaboration with our customers, partners and users to achieve the highest levels of security, usability and durability. Below is a high-level summary of the design and production choices Yubico has made and why. 

An external authenticator minimizes the attack surface

FIDO authenticators are now being integrated directly into phones and computers, which will be great for growing adoption for consumers and a long tail of use cases. However, these multi-purpose components also come with a larger attack surface and potential security risks such as the Intel Spectre issue.

Security experts for both the physical and digital world agree that minimizing the attack surface is critical for a stronger defense. To improve security for online accounts, we created the YubiKey as an external authenticator that is solely focused on authentication and encryption, and is not tied to the internet. In comparison to built-in authenticators, the YubiKey is also made to function without batteries, work across all computers and phones, and be an affordable cross-device root of trust. 

Small devices reduce environmental footprint

The YubiKey is designed to last: a solid monoblock design, no batteries, no moving parts. The most common YubiKey keychain design weighs about the same as a credit card, and we designed all our products and packaging to be as low weight and flat as possible to help minimize shipping volume and carbon footprint.

USB and NFC are secure and easy-to-use form factors

Some FIDO authenticators — including phones, computers or security keys — use Bluetooth Low Energy (BLE) communication during the authentication flow. However, Bluetooth was primarily designed for audio, not for security. Though security improvements have been made since the initial BLE specifications were created, there is still a risk of being compromised within a range of a few meters. Additionally, BLE adds complexity for users, which increases the amount of help desk support calls and associated costs.

Research has shown that large FIDO-based user deployments with USB and NFC YubiKeys have resulted in zero account takeovers and a 92% reduction in support calls, with tens of millions in cost savings.

Secure elements offer strong physical protection

Allowing more people to scrutinize code is generally good for security, but unfortunately, major open source security issues, such as Heartbleed, are also a reality.

The initial YubiKey was built on off-the-shelf USB components. To improve the physical security of the YubiKey, we later decided to build all of our hardware on secure elements, which are also used for chip-based credit cards and passports. Secure elements provide authenticity of origin for the components, and help to prevent a fraudster who has physical possession of a device from extracting or altering the code.

State-of-the-art secure elements do not allow for open source implementations, since these chips are proprietary and restricted in terms of documentation and tools. To safeguard the quality and integrity of Yubico products, our security and engineering teams run continuous internal and third-party security reviews. 

Biometrics and PINs will coexist in a passwordless world

FIDO and WebAuthn will soon help us forget our complicated passwords and replace them with physical FIDO authenticators using strong public key cryptography. These devices will be the first strong factor (what you have), and can be combined with a PIN (what you know) or biometrics (what you are).

Though biometrics offer convenience, a static image such as a fingerprint is not necessarily more secure than a PIN. Later this year, Yubico will launch the YubiKey Bio that will support both fingerprint and PIN. The product will arrive in a slim, robust design and with improved security features compared to what is available on the market today. 

Supply chain matters

Yubico products are manufactured in the US and Sweden. We made this a conscious choice to ensure the integrity of our products. FIDO only certifies interoperability, but currently does not set any security policies or perform product security reviews. Therefore, it is up to users and service providers to choose vendors they trust. 

Authentication continues to evolve

The YubiKey was designed with the future in mind. To enable a seamless path from today to tomorrow, we added both legacy and modern security protocols on a single device. 
To allow one authenticator to work across a wide range of systems, services and applications, the YubiKey supports static password, one-time password (OTP), PIV (smart card), OpenPGP, FIDO U2F and FIDO2. 

Yubico’s new YubiEnterprise subscription model allows businesses to upgrade a percentage of their YubiKeys as new models and features are introduced.

Following our mission to make the internet safer for all

With the growing market of FIDO authenticators, our customers ask us what options to consider. Our general response is to add support for FIDO2 and WebAuthn, try out many of the authenticators available, and then let users’ feedback and deployment statistics help guide the decision. With open standards, service providers and users are not locked into one vendor or design option, but can choose to move as the market evolves.

At Yubico, we will continue to innovate, drive open standards, and focus on our customers to earn market share and long-term trust. 

Ronnie Manning

Yubico continues to win global industry recognition in 2020

We’re just a couple months into 2020 and Yubico has already had the honor of receiving award recognition from several leading organizations for our efforts in developing innovative solutions that address some of today’s most pressing security challenges. 

Innovation Award for Mobile Accessories, IHS Markit

At CES 2020, Yubico was presented with the Innovation Award for Mobile Accessories by IHS Markit for our industry-pioneering YubiKey authentication technologies supporting NFC (near-field communication), USB-C, and Lightning mobile connections. 

Most Innovative Product, TEISS

At a ceremony in Stockholm in early February, Yubico’s CEO and Co-founder, Stina Ehrensvärd, was awarded ‘Business Game Changer of the Year’ by top Swedish businesses for Yubico’s standards work and the company’s vision and execution to modernize hardware authentication. To quote the panel of judges: “The winner has infused courage in its own organisation to contribute to a solution for one of the biggest problems in our modern society; stolen login credentials. In close collaboration with the tech giants, her company has developed a new global internet security standard for securing access to online services for millions of people around the world.”

On February 12, at The European Information Security Summit (TEISS), Yubico and the YubiKey brought home the Most Innovative Product or Service of the year award. And most recently, heading into RSAC 2020, Yubico was again honored to be included in several award nominations for both our company and executives. 

Industry Changemaker, Microsoft

At the first-ever Microsoft Security 20/20 event this past Sunday evening, Yubico was awarded ‘Identity Trailblazer’, and Stina took home recognition as ‘Industry Changemaker’ for demonstrating excellence in innovation, integration, and customer implementation with Microsoft technology. These honors, presented by Microsoft, speak directly to the strong collaboration between our companies, and our joint efforts to replace weak passwords with strong, cryptographic passwordless authentication. 

Identity Trailblazer, Microsoft

“Solving our mutual customers’ security challenges is very much a team sport,” said Andrew Conway, General Manager, Security Product Marketing, Microsoft Corp. “We are pleased to recognize these leaders in the ecosystem at Microsoft’s inaugural security awards.”

We truly thank our fans and users who have been with us on this awesome journey. This industry recognition would not be possible if it wasn’t for the tireless work from every Yubico employee, and our amazing customers and supporters.

Ronnie Manning

Passwordless login, YubiKey 5C NFC, YubiKey for RSA SecurID® Access, and more at RSAC 2020

The annual RSA Conference never disappoints with the rush of exciting sessions, new products, and innovative demos. Yubico looks forward to this event every year, and today, we are kicking off our presence at RSAC 2020. Are you attending? If so, we’d love to see you. Stop by Yubico’s booth (S-3103), catch our speaking session, and visit some of our partners to learn how we are working together to solve today’s complex authentication and security challenges.

RSAC 2020 YubiStyles

Visit our booth (just look for the big, green Yubico column) to see the YubiKey in action, learn about our new YubiEnterprise services and partner integrations, and experience the simplicity of passwordless and mobile logins. We’ll also be discussing what to expect from Yubico’s product roadmap, including our upcoming YubiKey 5C NFC. And be sure to grab an exclusive YubiStyle cover, designed specifically for RSA Conference attendees, to personalize your YubiKey.

YubiKey for RSA SecurID® Access

Look for Yubico’s Chief Product Officer, Guido Appenzeller, who will be discussing Cloud & Modern Workforces with other thought leaders during a Fireside Chat on Tuesday, February 25 at 3:00pm, at the RSA booth theatre (N-5845) in the North Hall. 

Additionally, RSA and Yubico’s FIDO-based authentication solution for the enterprise, YubiKey for RSA SecurID® Access, is expected to be generally available on March 9, 2020 for current and prospective RSA customers. Organizations of all sizes can purchase an enterprise-grade identity assurance platform and authentication solution to streamline company-wide deployments. A live demo of the YubiKey for RSA SecurID® Access will be available at the RSA booth, and more information is available on

Works with YubiKey stand

Along with RSA, you’ll recognize many other Yubico partners on the show floor featuring a “Works with YubiKey” stand. If you spot one, be sure to stop by to say hello and see a demo of their YubiKey integration and enterprise use cases. Exhibiting partners include:

If you’re not attending the RSAC this year, but have interest in any of the information mentioned above, please get in touch with us! Additionally, you can sign up for our newsletter to get the latest in Yubico news, updates, and important announcements. 


Ronnie Manning

Yubico releases 2020 State of Password and Authentication Security Behaviors report

Today, Yubico released its second annual State of Password and Authentication Security Behaviors Report, conducted by Ponemon Institute. The study surveyed 2,507 IT security practitioners in Australia, France, Germany, Sweden, United Kingdom, and United States, as well as 563 individual users.  

Last year’s report strictly focused on IT security professionals and their password and authentication behaviors and beliefs, so in this year’s report we were curious to see if any of these habits improved. Additionally, we wanted to see how their security practices or preferences compared to the individual users — employees and customers — that IT professionals are serving. 

Ultimately, we discovered that both IT practitioners and individuals are engaging in risky security practices. Password problems continue to prevail, two-factor authentication (2FA) lacks adoption, and mobile use introduces a new set of security challenges and complexities. 

What’s also interesting about this year’s report is that we can see the gaps between the solutions and technologies that IT security respondents are implementing, and the preferences from individual users. 

These findings underscore the need for easy-to-use and highly-secure solutions for IT professionals and individual users to reach a safer future together. The good news is that we are well on our way with the growing adoption of FIDO and WebAuthn open standards. Today, WebAuthn is supported in all major platforms and browsers, bringing the benefits of security keys and the promise of passwordless login to millions around the world — two solutions that both IT and individual respondents rated as desirable. 

See our infographic below for a high-level view of some of the most salient findings. 

To download the full research report and infographic, please visit To learn more about cybersecurity trends on the path to digital transformation, sign up for the upcoming Yubico webinar on March 18 at 10 a.m. PST.

Guido Appenzeller

Newly available YubiEnterprise Services make it easy for organizations to streamline YubiKey procurement and delivery

Today marks a milestone in Yubico history. For the first time ever, we are now offering a service-based solution for enterprises in need of a simple and efficient way to purchase and deliver YubiKeys at scale: YubiEnterprise Services. 

Until now, enterprises have struggled to effectively and easily implement YubiKeys across an entire organization, leaving many gaps in security. With YubiEnterprise Services, companies will be able to eliminate the logistical, budgetary, or planning challenges associated with achieving company-wide security with YubiKey authentication. These added benefits continue to deliver on Yubico’s mission of making strong authentication accessible to everyone.

YubiEnterprise Subscription and YubiEnterprise Delivery are the first two services offered, initially to customers in the US and Canada, with a phased rollout in Europe and other regions. YubiEnterprise Subscription is available today, and YubiEnterprise Delivery will be available Q2 2020. Key benefits include: 

YubiEnterprise Subscription 

  • Improved cost efficiencies — Businesses with a minimum initial purchase for 750 users or more can subscribe to a 3-year or 1-year license on a per-user basis, lowering the overall cost of entry for the industry-leading authentication solution. With the grouping of YubiKeys into tiers, customers have the flexibility to choose YubiKeys at the time of fulfillment.
  • Predictable spending — With a per-user pricing model versus per-key pricing model, IT departments don’t need to worry about how many YubiKeys they’ll need over a certain period of time. They only need to consider how many users require support. This allows organizations to better plan and experience predictable spending. 
  • Flexible YubiKey upgrades — Similarly, IT departments do not need to determine which YubiKey models will best support their growing authentication needs. Customers can choose the YubiKeys that suit their needs today, and can easily upgrade their devices to the newest form factors in the future, such as the upcoming YubiKey 5C NFC or YubiKey Bio.

YubiEnterprise Delivery 

  • Streamlined shipping, tracking, and delivery — Customers can request single or bulk YubiKey shipments directly to end-users at any time. Yubico maintains the customer’s YubiKey inventory, validates addresses, automatically calculates shipping costs and applicable taxes, and notifies administrators and end-users with tracking information. Delivery services are automatically calculated and deducted from customers’ prepaid shipping credits with Yubico. 
  • Consolidated visibility into product inventory — With access to a self-service administrator console, customers can easily gain visibility into YubiKey inventory, access shipping statuses, and generate reports all in one centralized location. The console is available through Yubico’s user interface, or can be directly integrated into existing IT software using public APIs.
  • Cost-efficient outsourced logistics — Enterprises can reduce the costs typically associated with managing YubiKey inventory. Not only can customers continue to buy YubiKeys in bulk at a discounted rate, but Yubico handles all shipping, tracking, and delivery services as needed. As a result, this also reduces support cases associated with shipment tracking and notification for end-users. 

For additional details, including access to pricing information and early application for YubiEnterprise Delivery, visit our YubiEnterprise web page.

To learn more about the business advantages of YubiEnterprise Services, sign up for our upcoming webinar, YubiEnterprise Services: Hardware Authenticators as a Service, on February 20 at 10 a.m. PST.

Guido Appenzeller

What’s new in Yubico PIV Tool 2.0?

New open authentication standards, FIDO2 and WebAuthn, have been getting a lot of attention lately with tech giants like Apple joining industry adoption. As a core creator of these standards, we celebrate these milestones, but our mission here at Yubico is to make a safer internet for all. In addition to driving new open web standards, our teams are also continuously working to support other authentication use cases or needs. 

Today, we released Yubico PIV Tool 2.0. Many large companies and government agencies deploy YubiKeys as a user-friendly alternative to smart cards for public key infrastructure (PKI), and the PIV Tool helps with programming and managing YubiKeys. It allows users to import keys and certificates and generate keys on the device, among other operations. 

If you are an enterprise or individual working with YubiKeys and PKI, the PKCS#11 module of the PIV Tool has a number of new capabilities that may help you with programming and managing YubiKeys. As a result, the 2.0 release is now compatible with:

The new functionality in PIV Tool 2.0 is primarily in the PKCS#11 module (YKCS11). With these new additions, developers can now:  

  • Open multiple parallel PKCS#11 sessions, as the module is thread safe.
  • Receive an attestation certificate for keys stored on the YubiKey PIV interface using standard PKCS#11 function calls.
  • Utilize new padding options for RSA operations, specifically PSS padding for signatures/verification and OAEP padding for encryption/decryption.

The YKCS11 module updates also support a number of new functions to talk to a YubiKey:

  • Encryption – EncryptInit, Encrypt, EncryptUpdate, EncryptFinal
  • Decryption – DecryptInit, Decrypt, DecryptUpdate, DecryptFinal
  • Digest – DigestInit, Digest, DigestUpdate, DigestFinal
  • Signatures – SignUpdate, SignFinal (SignInit/Sign were already supported)
  • Signature Verification – VerifyInit, Verify, VerifyUpdate, VerifyFinal
  • Other Functions – InitToken, GetObjectSize, SeedRandom, GenerateRandom

A complete list of all the supported functions in Yubico PIV Tool 2.0, as well as new YKCS11 attributes, can be found here. Download Yubico PIV Tool 2.0 here, or learn more about the PIV (smart card) functionality of the YubiKey, and its varying use cases.

Ronnie Manning

USC journalism students embrace YubiKeys as part of new security training

With Data Privacy Day just around the corner, nothing is a more fitting topic than securing a free and open internet — an internet where thoughts and ideas can all be openly expressed with the assurance that the identities of those sharing are protected and preserved. A particular population that falls into this category, and that closely aligns with our mission here at Yubico, is journalists. 

Journalists are at high risk of targeted cyber attacks, and security and privacy are critical to the safety and livelihood of many of these individuals. Today, we’re excited to announce that Yubico and Freedom of the Press are joining forces once again to deliver digital security training and resources to University of Southern California (USC) Annenberg School for Communication and Journalism students — the first education initiative of its kind. 

The training curriculum, jointly developed by USC Annenberg and Freedom of the Press, will teach students how to identify the common cyber threats in a newsroom and what security practices to employ. Meanwhile, tools like the YubiKey will equip students to defend against rising phishing attacks and credential theft by protecting their email, social media, password manager, and file sharing accounts. As part of the ongoing program, roughly 250 students will receive the same training as part of their mandatory curriculum by the end of the Spring semester. 

We recently sat down with Marc Ambinder, adjunct professor of journalism at USC who is leading the school’s efforts, to get his perspective on the growing importance of security for journalism students like his own. 

Security is a rising concern across all industries. Why do you think this is the first initiative of its kind for journalism students, and what precedent do you hope to set?

The pace of journalism is fast, and the toolkit that journalists must obtain, then apply, and then perfect, in order to be effective is evolving. But the threat landscape has evolved more quickly, thanks in large measure to the platforming of news and our immersion in the digital world. This hits employers too; most journalists don’t receive anything more than a basic standard module even after they graduate journalism school. We aim to give our students not just the tools but an approach that they can use throughout their careers to better secure themselves, their colleagues and their sources.

In your opinion, what are some of the top security concerns that this next generation of journalists needs to be aware of as they enter newsrooms across the country?

Thanks to the ubiquity of metadata — and the relatively easy (and low-cost) ways that malicious actors can track it — and poor digital hygiene practices, a lot of our students’ future colleagues might work in ways that make them less safe. The goal here is to give our students a way to help themselves and help others. My other major concern is that the barrier to entry for harassing, doxxing, and sabotaging journalism is much lower than it used to be, and anyone — a state actor or a troll — can truly wreak havoc by stealing passwords, outing sources, or exposing personal information.

You’ll be providing the students with various tools during their training, one of which is the YubiKey. Why did you select the YubiKey as a two-factor authentication method, and what unique benefits do you think it offers journalists?

While I can’t endorse specific products, I happen to be a personal YubiKey user myself, so I chose the product because your company was top of mind. Yubico immediately understood the value of what we were trying to do. Using a key for two-factor authentication can be an immediate game-changer in terms of reducing the spear-phishing / phishing threats, which are still a major attack vector. Using the keys makes it much harder for anyone to break into social media and work-product apps that we all use.

In your eyes, what would qualify as a successful training? In other words, what do you hope the students will take away from this?

I want our students to use the tools that we are giving them, including YubiKeys. I want them to feel the keys in their hands, and then find ways of incorporating them in their daily digital lives. I want them to understand why having a separate key is safer than using SMS authentication methods or another device.

For more information on how the YubiKey can help protect high-risk individuals, visit our media page


Fredrik Krantz

YubiKey protects nations: eIDAS and eID projects in Europe

Security has been moving to the forefront of government regulations — and rightfully so. From DFARS to FIPS, PSD2, GDPR, and eIDAS, nations and service providers are being forced to address user security and privacy with a more mindful approach. For years, Yubico has helped organizations like GOV.UK deliver secure authentication options and meet regulatory compliance requirements, and today, we’re seeing this work expand. 

Several European countries are now in the process of deploying modern web authentication, including YubiKeys, for their citizens. This comes in large part due to Yubico’s recent work around the eIDAS regulation (Electronic Identification, Authentication and Trust Services), which was introduced by the EU Commission in 2014 to provide a predictable regulatory environment for secure and seamless electronic interactions in the European Single Market.

During the past five years, the eIDAS regulation has been widely adopted by the EU member states, and several eIDAS-compliant services and schemes have been rolled out across the European continent. However, what continues to trouble eIDAS Qualified Trust Service Providers is how to ensure that users are securely authenticated to their service, so that they get sole control over the remote signature creation.

In order to address this challenge, Yubico has designed a solution whereby FIDO2 can be used to secure access to a remote signing service and give users sole control over the signature creation process. 

Using a YubiKey, FIDO authentication is used for unlocking the signing key and certificate at the service provider.


In addition to securing remote signing solutions, the YubiKey can also be used for national electronic ID-card projects and eIDAS-compliant eID schemes, such as the National Digitalisation Programme at the Faroe Islands. Digital identity is one of four major pillars in the new digital infrastructure and will be launched in 2020.  

Yubico is partnering with Nexus to deliver the eID solution, which will enable all Faroese citizens, above the age of 15, to securely and easily access government and banking services with a YubiKey 5 Series device. The resulting eID scheme will be classified as eIDAS assurance level ‘high’, which allows it to be recognized across all European online services.

“One of the reasons we chose Yubico’s YubiKey is the fact that it is supported on almost all major mobile and desktop platforms and embraced by top internet players, including browser suppliers. In the near term, we see it as an added benefit to our citizens to offer an eID while at the same time offering an easy way to secure their online presence,” said Janus Læarsson, Chief IT Architect, Talgildu Føroya.

The next generation of the National Digitalisation Programme at the Faroe Islands will support FIDO2, the emerging open standard for web authentication, which will allow the YubiKey to be accredited as an eID card.

Yubico is very active in projects, standardization and cutting-edge technology that are related to eIDAS and national eID projects in Europe. Sign up for our newsletter to stay tuned for more exciting news announced during 2020.

Alex Yakubov

Yubico and RSA team to deliver FIDO-based authentication to enterprises

As more organizations undergo digital transformation initiatives, identity and access management (IAM) is becoming more critical than ever before. IAM sits at the heart of every business, which is why Yubico is excited to announce a new partnership this week at Gartner IAM Summit with one of the longest standing IAM vendors on the market: RSA. 

YubiKey for RSA SecurID® Access

Today, we expand our partnership with RSA with the upcoming availability of YubiKey for RSA SecurID® Access, a joint solution that offers enterprises a new path to modern FIDO-based authentication. 

This partnership will enable current and future RSA customers to purchase an enterprise-grade identity assurance platform and a range of authentication solutions — including YubiKey for RSA SecurID® Access — all from the same vendor, RSA. RSA customers will enjoy a consistent user experience without having to engage multiple vendors to solve their identity management and authentication challenges. 

RSA has more than 25 years of experience in securing and managing complex enterprise IT environments and applications, and Yubico is the pioneer of secure and easy-to-use YubiKey hardware-based authentication. Together, our combined technologies solve the need to secure enterprises and their customers in a scalable way, all while delivering a frictionless user experience. 

“The benefits of bringing RSA and Yubico together are so apparent that customers were engaging both companies prior to the partnership,” said Jim Ducharme, VP Products, RSA Identity and Fraud & Risk Intelligence. “Together, we will combine the secure, robust identity assurance of RSA SecurID® Access with the convenient access and FIDO2 features of the YubiKey. The strategic partnership helps enterprises address the evolving threats and challenges faced by today’s dynamic workforce, from ground to cloud.” 

The initial YubiKey for RSA SecurID® Access offering will have the same form factor as the YubiKey 5 NFC, and is expected to be available for RSA customers in March 2020. Additional form factors are also expected to become available later in the year. 

“Our partnership with RSA demonstrates a shared commitment to protect millions of users from security breaches,” said Jerrod Chong, Chief Solutions Officer, Yubico. “This collaborative effort combines RSA’s long-standing expertise in identity and access management, with Yubico’s proven leadership in standards and innovation, to bring forward a unified FIDO-based hardware authentication solution for enterprises, their partners and their customers.” 

As we approach a new year, Yubico looks forward to engaging our strong ecosystem of partners to continue driving value for our users in innovative ways. The better the customer experiences that we can deliver together, the closer we get to securing millions worldwide. 

For enterprises interested in receiving more information on the YubiKey for RSA SecurID® Access, please visit:

Gartner IAM Summit attendees can stop by the Yubico (#233) or RSA (#104) booths for more information on the benefits of pairing strong YubiKey authentication with RSA SecurID® Access.

Stina Ehrensvard

Native support for WebAuthn and FIDO is finally here on iPhones and iPads

Yubico was founded with the mission of making simple and secure logins ubiquitous. In 2008, we launched the first YubiKey for seamless, one-touch authentication. In 2012, in close collaboration with Google, Yubico’s inventions evolved into the FIDO Universal 2nd Factor (U2F) open authentication standard, and in 2014 it was launched in Gmail and Chrome. In collaboration with Microsoft and the FIDO Alliance, the standard evolved into FIDO2, with the W3C web standards body certifying the standard under the name WebAuthn. 

With each passing year, Google, Opera, Mozilla, Microsoft, and Brave browsers have added support. Now, with Apple adding native support for FIDO and WebAuthn in iOS and iPadOS 13.3, these standards are supported by all leading platforms and browsers. Today, developers can make easy-to-use, privacy-preserving, strong authentication available to all users across all leading platforms and devices.

Here are the highlights of native WebAuthn and FIDO support on iOS:

    • iOS and iPadOS 13.3+ natively support FIDO-compliant security keys, like the YubiKey, using the WebAuthn standard over near-field communication (NFC), USB, and/or Lightning as appropriate to the Apple hardware being used.
    • Currently, the WebAuthn second-factor use case (the FIDO U2F user experience) is the only login flow that is supported. Security key-based biometrics or PIN (without the use of username and password) are not supported yet.
    • Web apps via Safari, or mobile apps calling SFSafariViewController or ASWebAuthenticationSession should work. If a service fails to work, it is likely that the provider is unaware that native support is now available on iOS, and needs to update their web flow. Please contact your service provider to request support.
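For developers updating a web flow, the added example below (not Yubico's or Apple's code) shows WebAuthn request options shaped for the second-factor use case described above, plus a check that flags options depending on the PIN, biometric or username-less flows. The function names, the `example.com` relying party ID and the sample bytes are assumptions made for illustration.

```javascript
// Added example: function names and sample values are hypothetical.

// Build PublicKeyCredentialRequestOptions for the second-factor step. By this
// point the server has already verified username and password and looked up
// the credential IDs (key handles) registered to that account.
function secondFactorRequestOptions({ challenge, rpId, credentialIds }) {
  if (!(challenge instanceof Uint8Array) || challenge.length < 16) {
    throw new TypeError("challenge must be at least 16 random bytes from the server");
  }
  if (!Array.isArray(credentialIds) || credentialIds.length === 0) {
    // An empty list would ask the key for a discoverable credential, which is
    // the username-less flow rather than the second-factor flow.
    throw new Error("no registered security key: second-factor flow needs allowCredentials");
  }
  return {
    challenge,
    rpId,
    timeout: 60000,
    allowCredentials: credentialIds.map((id) => ({ type: "public-key", id })),
    // Assumption: "discouraged" is chosen so the key is not asked for a PIN
    // or fingerprint; a touch is still required.
    userVerification: "discouraged",
  };
}

// Audit an existing options object: list every reason it depends on features
// outside the second-factor flow. An empty array means it is second-factor only.
function passwordlessDependencies(options) {
  const reasons = [];
  if (!options.allowCredentials || options.allowCredentials.length === 0) {
    reasons.push("empty allowCredentials: needs a discoverable credential (no username)");
  }
  if (options.userVerification === "required") {
    reasons.push("userVerification required: needs security-key PIN or biometric");
  }
  return reasons;
}

// Browser-only: refuse to start a ceremony the platform cannot complete,
// then hand the options to the WebAuthn API.
async function requestAssertion(options) {
  const unsupported = passwordlessDependencies(options);
  if (unsupported.length > 0) {
    throw new Error(unsupported.join("; "));
  }
  return navigator.credentials.get({ publicKey: options });
}

// Constructed sample values (a real challenge must be random and single-use).
const sampleChallenge = Uint8Array.from({ length: 32 }, (_, i) => i);
const sampleKeyHandle = Uint8Array.from([0x01, 0x02, 0x03, 0x04]);
```

The resulting assertion must still be verified on the server (challenge, origin and signature) before the login is accepted.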

With today’s announcement, Yubico now offers two great user experiences on iOS using a simple tap or a physical connection. Authentication via NFC is supported by the YubiKey 5 NFC or Security Key NFC by Yubico by just tapping the YubiKey at the top of an iPhone (7 and above). Authentication via physical connection is supported by the YubiKey 5Ci by plugging the YubiKey into the Lightning or USB-C port of an iPhone or iPad.

So, what can you do? 

Developers and online services can learn how to rapidly add support, including how to enable native support on iOS. If you are a developer, sign up to join the Yubico Developer Program to be informed on the latest reference documentation, testing tools, and open source servers.

Individuals and companies who want easy, secure access to their daily online accounts — including those in financial, healthcare, and government services — can accelerate adoption by requesting support for YubiKey and WebAuthn.

Today, Yubico is humbled by the many contributions our entire community has made, and would like to extend our utmost gratitude to every one of you that helped bring us one step closer to internet security ubiquity! 

Ronnie Manning

Yubico Authenticator App for iOS Now Supports NFC

Did you know that you can use a YubiKey to protect your online accounts even if a service doesn’t offer built-in support for security keys? That’s right. With the Yubico Authenticator app, individuals can use a YubiKey to secure any service or application as long as it supports other authentication apps as a two-factor authentication (2FA) option. These include Authy, Google Authenticator or Microsoft Authenticator. 

For years, Yubico Authenticator has been available for Windows, Mac, Linux and Android platforms, but not iOS. This changed in October when Yubico released the first Yubico Authenticator for iOS with Lightning support. And today, we’re happy to announce that the iOS app has support for near-field communication (NFC) as well, thanks to Apple’s recent NFC updates.

With today’s news, the Yubico Authenticator app series now works seamlessly across all major desktop and mobile platforms, with full support for Windows, Mac, Linux, Android and iOS. 

So, what’s the difference between using Yubico Authenticator or another authentication app? Instead of storing the time-based one-time passcodes on a mobile phone or computer, Yubico Authenticator generates and stores one-time codes on the YubiKey. A user must present their physical key in order to receive the code for login. This not only eliminates security vulnerabilities associated with a multi-purpose computing device, but also offers an added layer of convenience for users that work between various machines. Yubico Authenticator provides a good balance of usability, security and portability. 

To get started with Yubico Authenticator on mobile, download the app from the Apple Store or Google Play.

Additional information on Yubico Authenticator can be found at

Ronnie Manning

Yubico Reveals First Biometric YubiKey at Microsoft Ignite

Today, at Microsoft Ignite, Yubico is excited to preview the long-awaited YubiKey Bio. It is the first YubiKey that will support fingerprint recognition for secure and seamless passwordless logins, which has been a top requested feature from many of our YubiKey users. 

YubiKey Bio preview device.

The YubiKey Bio delivers the convenience of biometric login with the added benefits of Yubico’s hallmark security, reliability and durability assurances. Biometric fingerprint credentials are stored in the secure element that helps protect them against physical attacks. The result? A single, trusted hardware-backed root of trust delivering a seamless login experience across different devices, operating systems, and applications. With support for both biometric- and PIN-based login, the YubiKey Bio leverages the full range of multi-factor authentication (MFA) capabilities outlined in the FIDO2 and WebAuthn standard specifications. 

Ignite attendees can see a live demo of passwordless sign-in to Microsoft Azure Active Directory accounts using the YubiKey Bio during Alex Simons’ keynote on Tuesday, November 5.

In keeping with Yubico’s design philosophy, the YubiKey Bio will not require any batteries, drivers, or associated software. The key seamlessly integrates with the native biometric enrollment and management features supported in the latest versions of Windows 10 and Azure Active Directory, making it quick and convenient for users to adopt a phishing-resistant passwordless login flow. 

“As a result of close collaboration between our engineering teams, Yubico is bringing strong hardware-backed biometric authentication to market to provide a seamless experience for our customers,” said Joy Chik, Corporate VP of Identity, Microsoft. “This new innovation will help drive adoption of safer passwordless sign-in so everyone can be more secure and productive.”

Over the past few years, Yubico has worked with Microsoft to help drive the future of passwordless authentication through the creation of the FIDO2 and WebAuthn open authentication standards. During this time, we’ve built YubiKey integrations with the full suite of FIDO2-enabled Microsoft products including Windows 10 with Azure Active Directory and Microsoft Edge with Microsoft Accounts. Today, we continue on this journey together with Microsoft’s announcement to extend support for FIDO2 security keys, like the YubiKey, to hybrid Active Directory environments. Early next year, enterprise users will be able to authenticate to on-premises Active Directory integrated applications and resources, in addition to providing seamless Single Sign-On (SSO) to cloud- and SAML-based applications.

To take advantage of strong YubiKey authentication in Azure Active Directory environments, please refer here for more information. To stay tuned on product updates and general availability, please join our YubiKey Bio mailing list. 

This blog has been updated with additional information as of November 5, 2019. 

Alex Yakubov

4 security tips: for developers, by developers

As National Cybersecurity Awareness Month comes to an end, our focus turns to what the developer community can do to stay cyber smart all year long. We’ve already talked about access management, and shared tips on how to protect your personal accounts. Today, we offer tips from the Yubico Developer Team to developers looking to up their security game. 

The best way to get started is by securing yourself, then helping others. Get a password manager and enable strong two-factor or multi-factor authentication across all your personal and work accounts (read last week’s blog for 10 Steps from Yubico to Protect Your Personal Accounts).

Now, let’s get into some more technical things you can do.

1. Secure your operating and development environments with encryption. You can do this with tools like EgoSecure Data Protection FDE, which provides easy and effective protection for your laptop. The encryption and decryption of data is completely transparent to authorized and authenticated users, which makes the solution simple to use. To enhance security, EgoSecure’s full disk encryption application supports two-factor authentication during pre-boot authentication using the YubiKey.

“We believe hardware-backed multi-factor authentication plays a very important role in cybersecurity because it protects privacy without compromising ease of use.” – Sergej Schlotthauer, Vice President of Security Strategic Alliances, Egosecure (Egosecure is a Matrix42 company)

2. Keep your code signing certificates and data safe by using developer tools that support multi-factor authentication. You can even sign code with the YubiKey by securely storing your code signing certificate on the YubiKey itself. We talk a lot about FIDO, but the YubiKey also supports OpenPGP. Our latest firmware update included a number of enhancements to the OpenPGP implementation including ECC support, attestation, and multiple operations per touch. Read about it here.

3. Extend your security discipline to all of your devices, not just those that touch your corporate network. Attacks are often successful because of a weak point made available through a personal account.

“With the rise of bring-your-own-device programs and remote work, the attack surface has shifted from corporate networks to endpoints. Thus, a modern security strategy must consider all endpoints, including mobile devices.” – Dr. Dominik Schürmann, CEO, Cotech

Here’s a hot tip if you’re building YubiKey support into your product. Cotech provides ready-to-use animations to assist end-users on how to use security keys, and shows the smartphone-specific sweet-spot where NFC works best. With the Hardware Security SDK, Android developers enable strong, hardware-backed YubiKey security leveraging modern authentication protocols, such as Universal 2nd Factor (U2F).

4. Strong authentication doesn’t have to be hard to implement for yourself or your users. Be sure to leverage modern protocols such as FIDO2 or WebAuthn along with a YubiKey. We are constantly impressed by the different use cases brought to us by companies from all over the world. Take, for instance, Gandi. Because domain names are used for websites, email addresses, SSL certificates, and more, they are valuable assets for individuals, organizations, and businesses. Gandi offers two-factor authentication with the YubiKey to make sure only authorized users can access an account.

“Whether they’re working for profit, the common good, or fun, our customers’ projects are tied to their domains. Our job as service providers is to keep them safe. Staying on the cutting edge of security technology is essential to that mission.” – Andrew Richner, Head of Communication, Gandi US

If you’re also serious about integrating security into the products, services, and applications that you’re building, check out Yubico’s Developer website. Sign up for the Yubico Developer Program mailing list to be notified of new documentation and resources, as well as get early access to SDKs and new products. 

Already have a YubiKey? Discover all of the places you can enable it now by visiting our Works with YubiKey catalog. If you don’t have a YubiKey, you can pick one up from our web store or even on Amazon.

Alex Yakubov

Staying safe online beyond national cybersecurity awareness month

Last week, we talked about access management and its role in securing businesses from cyber threats as part of our National Cybersecurity Awareness Month (NCSAM) campaign. Today, we will take you through what’s putting your personal accounts at risk, and share tips from our partners on how to stay better protected.

Let’s start by identifying some of the biggest threats to personal accounts —  phishing, SIM swapping, and database leaks. 


Phishing

By using fake websites and emails that look genuine, attackers lure you into providing your login credentials, personally identifiable information (PII), and other private data, such as banking and credit card numbers. This is called phishing. These stolen credentials are used to take over your account. From there, an attacker can lock you out and even compromise your other accounts through password reset flows. 

Last year, 51% of respondents in our 2019 State of Password and Authentication Security Behaviors Report said they have experienced a phishing attack on their personal accounts, while 44% experienced one at work.  

SIM Swapping

SIM swap attacks are becoming increasingly common, particularly for individuals with a lot to lose financially. In these scenarios, the attacker poses as the account holder (usually through various pieces of PII they’ve gathered elsewhere) and convinces your mobile service provider that you are switching from your current phone to another phone. Once complete, the attacker can intercept one-time passcodes (OTP) sent to your mobile phone number, which is now associated with the phone in their possession.

Once this is achieved, the attacker can essentially perform password resets on any of your accounts that leverage text-based (SMS) 2FA. In most cases, if you’re using the same email address for all your accounts, then the attacker really only needs access to your email account after the SIM swap. Here’s a real-life example that cost one individual $100,000.

Database Leaks

A database leak occurs when a service provider is breached and the attacker accesses the database of stored user credentials. The information from those databases often ends up on the black market for other attackers to use. There are countless examples of database leaks we could reference (hackers stole one billion Yahoo! login credentials in 2016, the Equifax breach affecting 143 million American consumers in 2017). There’s really nothing you can do as the account holder to ensure the service provider is properly storing your password. 

You’ve probably been told that the longer and more complex you make your password, the stronger it will be. Sure, long passwords with numbers and symbols are hard to guess, but even the most complex and unique passwords won’t stop attackers when they’ve stolen the account password itself from a poorly protected database. That’s why it’s a good idea to use a different password for each and every account you have. Doing so can limit your risk and exposure in the event a password database of a service you use is breached.

Our Advice

You don’t have to feel defeated or helpless against these attacks, and you can still protect your accounts by simply enabling strong two-factor authentication (2FA) or multi-factor authentication (MFA) across the services you use. There are multiple types of 2FA and MFA — avoid SMS (we explain why here). We believe hardware is not only easy to use, but also stronger given that these attacks are all remote-based. Using hardware security keys, like YubiKeys, requires physical possession. Since you’re here reading our blog, we recommend you check out the YubiKey and explore all the services that work with YubiKeys.

Most of us have friends or family members in need of basic account security advice. The trick is figuring out how to help without losing them in the details as you watch their eyes glaze over with boredom or confusion. Below, you’ll find 10 steps that any person can take to protect their personal accounts from the attacks we talked about today. If you feel your personal threat model isn’t addressed by this blog, hang tight! More tips are coming!

10 Steps from Yubico to Protect Your Personal Accounts 

1. Get a YubiKey (Hot Tip: We recommend a 2-pack so you have a backup!)

2. Register your YubiKeys with your personal email account(s) (e.g. Gmail, Fastmail, or other supported email services)

3. Remove SMS 2FA from your email account(s)

4. Call your mobile service provider, and request a security PIN 

5. Get a password manager (Hot Tip: You can use your new password manager to store your security PIN from your mobile service provider!)

6. Register your YubiKeys as a second factor for your password manager

7. Store all of your account passwords in your password manager

8. Make sure you reset each account’s password to be unique (Hot Tip: Most password managers have a password generator feature!)

9. Download Yubico Authenticator to all of your devices to use with accounts that support authenticator apps (Hot Tip: Find registration instructions for your favorite services in our Works with YubiKey Catalog!)

10. Enable 2FA/MFA and enroll your YubiKeys on all of your accounts 

Through the years, we’ve developed software and hardware 2FA solutions to better protect users online. We’ve been fortunate enough to forge partnerships with global leaders in password management, browsers and platforms, cloud services, and many more, as part of our Works with YubiKey Program. Check out some awesome tips from our partners below.

“2FA, plus a password manager, is the best way to protect your data. If someone were to learn your password for an account, they’d need that second factor to access it, making account takeover much less likely.” – Jeff Shiner, CEO, 1Password

“Sensitive accounts like banking, email, and social media warrant an additional layer of protection. Having strong, unique passwords for every account is a necessary first step in securing our digital lives.” – Emmanuel Schalit, Co-Founder & CEO, Dashlane

“Cryptocurrency is built on the fundamental promises of security and freedom. To deliver on these promises, people need to be in control of their security, and have the opportunity to choose the measures that suit their needs.” – Mike Rymanov, CEO, DSX

“Don’t give attackers a single target. Use a different password everywhere, a different email address or alias with subscriptions, and protect your accounts with a hardware authenticator. Your other accounts won’t be at risk in the event one account is compromised.” – Ricardo Signes, CTO, Fastmail

“It’s a great time to get cyber-checked. With data breaches becoming more frequent, one of the most basic precautions is to use strong, unique passwords for every account along with 2FA. That is the first step towards protecting yourself against account takeover.” – Craig Lurey, CTO, Keeper

If you don’t see the service you use on our catalog, ask them to implement strong authentication with the YubiKey by tweeting at them to add support.

Guido Appenzeller

Yubico Login for Windows Application Now Generally Available

Today, the Yubico Login for Windows application (formerly Windows Logon Tool) is generally available, giving YubiKey users a simple and secure way to access their local accounts on Windows computers. Over the past six months, we’ve received valuable feedback from many of our public preview users, and have a clear path forward for ongoing improvements to the application. 

The primary benefits of Yubico Login for Windows include: 

    • Highly secure and easy-to-use multi-factor authentication (MFA) for login using local accounts to Windows workstations 
    • Simple configuration for up to 10 individual users 
    • Fast enrollment for backup YubiKeys
    • Easy recovery mechanisms for lost YubiKeys

Yubico Login for Windows is designed to provide strong MFA for logging into local accounts on Windows 7, Windows 8.1 or Windows 10 computers. It is not suited for logging into any of the following accounts: Azure Active Directory (AAD), Active Directory (AD), Microsoft accounts (e.g.,,

While Yubico Login for Windows is now only applicable for securing local accounts, there are other solutions to secure AD and AAD accounts with MFA. Thanks to an ongoing partnership and collaboration between Yubico and Microsoft, YubiKey MFA is also an option for organizations with AAD or AD environments. For computers joined to cloud-based AAD, passwordless authentication with the YubiKey is currently supported in Azure AD preview. For accounts managed by AD, the YubiKey enables authentication as a PIV-compliant smart card (Windows 7+, Microsoft Windows Server 2008 R2+). 

For more information on the Windows login options available with the YubiKey, and to download the current version of Yubico Login for Windows, please visit our computer login tools page. The multi-protocol YubiKey 5 Series or YubiKey 4 Series keys are required for compatibility with Yubico Login for Windows.

Alex Yakubov

National Cybersecurity Awareness Month: shining a spotlight on secure access

October is National Cybersecurity Awareness Month (NCSAM), and here at Yubico, we’re doing our part to raise awareness on the importance of cybersecurity and staying safe online. 

Billions of login credentials and user records are routinely leaked — sometimes in the course of a single year — and can cause significant damage to those who fall victim. By enforcing two-factor (2FA) or multi-factor authentication (MFA), you make it harder for hackers to crack the account. 

We recommend investing in access management platforms, such as Identity Access Management (IAM) and Privileged Access Management (PAM), which enable you to proactively take steps to enhance cybersecurity for your users. In recent years, leaders in IAM and PAM have innovated to deliver high security, without compromising ease of use, to address the challenges of an increasingly online workforce. In doing so, these services implemented support for stronger, more modern forms of user authentication.

In honor of NCSAM, we’ve asked some of our IAM and PAM partners to provide tips for enterprises looking to tackle these challenges. 

Yves Audebert, President and Co-CEO, Axiad IDS

“Validating identities and ensuring trust across every entity that interacts with the enterprise network is vital to business operations. IT leaders will need an agile identity platform that balances risks, compliance, and user experience.”

Robert Freudenreich, CTO, Boxcryptor

“In a time when data is the new instrument of power, citizens need to start defending themselves against the excessive collection of data. Protecting your cloud with zero knowledge encryption is a good starting point.”

Mike Nelson, VP of IoT Security, DigiCert

“With our growing list of connected devices, protecting consumer privacy starts with implementing security fundamentals to ensure that data is encrypted, devices only trust properly authenticated connections, and that code running on each device is secure.”

Sam Srinivas, Director of Product Management, Google Cloud

“Other security controls are virtually irrelevant if an attacker can get through the front door by phishing your credentials. Google was an early adopter of FIDO security keys to provide a defense against the dangers of targeted phishing attacks.”

James Litton, CEO and Co-Founder, Identity Automation

“IAM does more than just help IT staff create user accounts; it enables productivity and provides a solid security foundation by addressing authentication and rights management. IAM must be the core of your security program to effectively secure your data and systems.”

Allen Storey, Chief Product Officer, Intercede

“Cyberattacks affect enterprises and individuals alike. Now is the time for cybersecurity best practices to become standard practices as more step up to deploy strong multi-factor authentication with a credential management system and hardware security keys.”

Greg Keller, Chief Strategy Officer, JumpCloud

“We fundamentally believe that the system is the gateway to securing IT. Focusing on where the work happens—the computer in front of you—allows you to protect not only the security of individuals but also their customers.”

Todd Peterson, Director of Product Marketing, One Identity

“With the steep rise in security breaches caused by threat actors using credential theft, it’s become clear that adding additional factors to the authentication process—across all types of users—can dramatically reduce your risk.”

Matt Hurley, VP Global Channels and Strategic Alliances, OneLogin

“Organizations are looking at ways to better secure their environment and reduce password dependency. Integrating identity management with a strong authentication method makes it convenient for end users to adopt advanced login sequences while enhancing privacy.”

Anirban Banerjee, CEO and Founder, Onion ID

“Securing privileges in a fast paced, changing landscape of applications, servers, containers, and endpoints can be very challenging. We believe that easy yet strong authentication is the cornerstone of an effective PAM strategy.” 

Joakim Thorén, CEO, Versasec

“Breaches are a reality both from outside and within the enterprise. Securing a company’s most vital assets with strong, easily managed two-factor authentication solutions is more than critical – it’s a moral imperative.”

Since 2007, Yubico has driven the development of open standards, and collaborated with hundreds of companies worldwide through our Works with YubiKey Program to bring secure, hardware-backed authentication methods to light.

Discover all the Identity Access Management and Privileged Access Management platforms that enable strong authentication with the YubiKey on the Works with YubiKey catalog. Contact our partners to learn more about their solution.

Stina Ehrensvard

Wendy Spies Joins Yubico as SVP of New Business to Drive YubiHSM Growth

Today, I am excited to share that we have added yet another stellar member to the Yubico leadership team: Wendy Spies. Wendy comes from Microsoft where she most recently directed engineering strategy and business development for cloud and AI to build new products and markets. She will be focusing on similar things here at Yubico in the role of SVP of New Business with an initial focus on YubiHSM. 

Wendy has more than 23 years of experience building everything from payment and hardware solutions to games and software. She has taken seven notable companies from conception to financial exit and has a long and proven track record of driving exponential growth for companies, teams, and products. Her secret? “Working with and hiring folks that are a lot smarter than me, focusing on customer needs, and measuring our success by delivering extraordinary products efficiently.”

It’s safe to say that we are lucky to have Wendy on board, and I am personally excited about the expansion of strong female leadership here at Yubico. Please join me in welcoming Wendy into the YubiFamily. To learn a little more about her background, expertise, and vision for Yubico, here is an excerpt from a recent interview between Ronnie Manning, our SVP of Communications, and Wendy.

What led you to join Yubico? 

Yubico was the right choice for me because each person I met with was clearly in the learning zone. Collaboration is high, and the customer focus is turned up to eleven. 

I believe that every day, one step at a time, Yubico can make the world better through product development, new standards, growing partnerships, and excellent teamwork. In the end, it wasn’t about joining a big or small company, consumer or enterprise — it was about relentless customer focus and knowing that I was joining a team that would always have my back. This is the recipe for making profound, positive change in the world, creating a lot of value, and having a really fabulous time doing it. I hope everyone finds their Yubico. 

In your opinion, what makes a team successful?  

Throughout my career, I’ve found that there are two simple criteria that seem to bring the magic at work.

Build a team that 1) you would want to fight the zombie apocalypse with — this takes talent, passion, and opportunity and 2) is relentlessly focused on driving customer value. 

When you bring together talent, passion, and opportunity, you are in the zone nearly every day at work, but that doesn’t always guarantee success. You must also ensure that the team is relentlessly focused on driving customer value. Are these individuals in a learning mode? Do they come from a humble point of inquiry and are they prepared to truly listen when you answer? And are they actively talking about customers and partners?  

When I focus on the customer with a team of folks who have a listening and iterative mindset, we build unique customer experiences, solve wicked hard problems, and create so much value for users. Everyone wins: employees, customers, and investors.

What do you look forward to most during your time here at Yubico? 

I am proud to be part of a team at Yubico that’s securing the net for everyone and everything. We know that the only way we can do that is to make security truly easy to use. 

I look forward to the passwordless future we are building. I look forward to working across boundaries to solve some of the hardest problems of the internet. I look forward to no longer hearing stories about good folks getting their accounts hacked because passwords stink, and because hackers continue to have more resources than we do. I look forward to no longer hearing stories about devices and data being compromised because solutions are so complex that it is almost impossible to think of all of the threats, and even more impossible to remove them. And lastly, I look forward to the day when everyone can believe and see that security and usability can live together hand-in-hand. Strong vision. Clear plan. Sustained effort.

What do you see as the biggest market opportunity for the YubiHSM product line and how do you envision driving its growth?  

I see the YubiHSM as a natural extension of our YubiKey product line for devices and data. As a lot of folks know, anywhere a key is stored and even remotely available for others, it is at risk of being stolen — either by people on the inside of an organization, or sometimes even on the outside. The YubiHSM is a portable, low-cost solution. It can help with everything from code signing and protecting API calls to securing root of trust for something as complex as industrial IoT environments, something as legacy-bound as physical infrastructure (e.g. reactors and dams), and something as simple as cold wallets. While a few other solutions like secure enclaves and SGX could be used to solve this problem, YubiHSM provides protection for your keys in hardware that is physically isolated from operations on the server, creating yet another layer of security. This layer of security, combined with a simple, small attack surface form factor, can make it easier to adopt this technology without breaking the bank. 

When you’re not busy changing the world and driving businesses and teams toward success, what do you do for fun? 

I love to engage in activities that require such deep concentration that I cannot possibly worry about the problems of the world or what to make for dinner. This ranges from the beautiful shared moments with my family playing board games to spending time early in the morning in my tiny garage throwing heavy weights into the air.  

The Yubico team will continue to grow! If you’re interested in a career in cybersecurity at Yubico, check out our open job opportunities here.

Jerrod Chong

Yubico iOS Authentication Expands to Include NFC

This week, at the annual September iPhone event, Apple introduced new functionality that allows the full range of YubiKey authentication on iOS via near field communication (NFC). This has been many years in the making; back in Oct 2017 we even wrote about when this day would come.

Previously, NFC on iOS was read-only, which meant that it couldn’t support modern authentication protocols like FIDO U2F and FIDO2/WebAuthn that require both read and write capabilities – but now that has changed. With these recent updates, iPhone users (running iOS 13+) can experience mobile NFC authentication with a YubiKey 5 NFC or Security Key NFC by Yubico on apps and browsers that have added support.

Coming right on the heels of our new YubiKey 5Ci, iOS users now have a broad and complete choice of secure authentication options, based on their preference and use cases. NFC-enabled YubiKeys will work with compatible apps and browsers on iPhone 7 or later running iOS 13. Older iPhone models, most iPads, and some iPods will work with the YubiKey 5Ci through its Lightning connector on select apps and browsers.

The YubiKey 5C NFC is coming soon!

That’s not all. Based on feedback and suggestions from our customers (we hear you!), we are happy to announce a sneak preview of YubiKey 5C NFC, our upcoming USB-C security key enabled with NFC. This key will provide yet another authentication option for all environments supporting iOS, Android, Windows, macOS, and more, all on one key. Arriving this coming winter*, this new device will deliver the same multi-protocol functionality and user experience of the YubiKey 5 Series. Sign up here to receive updates on product availability.

This announcement supports Yubico’s long-standing YubiKey vision: to deliver secure hardware-based authentication across any operating system and platform. Our goal is to support all authentication use cases across any computing device, as we recognize that individuals use multiple phones, operating systems, laptops, tablets, or desktops each day to access work and personal accounts. 

To coincide with this new NFC functionality, Yubico will also be rolling out updated software for end users and developers on iOS. On mobile iOS devices, users will soon be able to use the Yubico Authenticator application to communicate over NFC, USB and Lightning connection to generate a 6-digit, time-based code commonly used by many services for two-factor authentication. This is similar to Google Authenticator, with the main differentiator being that the user credential is stored on the external YubiKey rather than internally on the mobile device, which makes the credential extremely portable: the one-time codes can be retrieved on mobile devices and on desktop computers. We expect to introduce the new Yubico Authenticator for iOS in the coming months.

Developers who are interested in adding YubiKey support for desktop or mobile users can access Yubico’s wide range of libraries on the Yubico developer site, including SDKs for Android and iOS app developers. We are also in the process of updating our Yubico Mobile SDK for iOS to support the new iOS NFC authentication capabilities. This will allow applications to implement modern authentication protocols such as FIDO2 and support the YubiKey over both Lightning and NFC connections.

Please visit the Yubico developer website to sign up for updates and to get access to the current Yubico Mobile SDK for iOS.

*Due to current circumstances, we’re experiencing delays with the upcoming launch of the YubiKey 5C NFC. We’re working to get the key out as soon as possible, and appreciate your patience! If you’d like to be notified of updates, sign up here.

Stina Ehrensvard

Yubico Adds New Round of Investment and Grows Board of Directors

Today, Yubico is excited to announce it has received a new round of investment led by Meritech Capital Partners, a top tier venture capital firm based in Palo Alto, CA.   

Existing investors include the Silicon Valley-based leading VCs Andreessen Horowitz (a16z) and NEA, Swedish growth equity firm Bure, and renowned Silicon Valley entrepreneurs Marc Benioff, CEO & Founder of Salesforce, and Ram Shriram, Yubico Chairman and Google founding board member. 

“Yubico has built an amazing company. We love the technology, the respect they have earned in the open standards community, and the enthusiasm from their customers. Beyond the efficient business and big market opportunity, Yubico presents a very special culture, unique in the security market. We are looking forward to working with Yubico to make their technology truly ubiquitous,” says Paul Madera, Managing Director, Meritech.

Yubico has been profitable the last seven years, attracting nine of the top 10 internet brands and millions of users in 160 countries. With this investment, we have more fuel to continue accelerated growth, and we welcome Meritech and the new funds to scale operations across our entire organization.

In conjunction with the company backing by Meritech, Paul Madera, Managing Director, will be joining the Yubico board of directors.

Meritech is making an investment into the company of $25M for a company valuation of $600M. In addition, existing major investors are increasing their holdings, investing $15M in secondary shares, in connection with this round.

Guido Appenzeller

What’s New in YubiKey Firmware 5.2.3

When we launched the YubiKey 5Ci on August 20, we also introduced a new firmware to the YubiKey 5 Series: version 5.2.3. Currently, this firmware is only being shipped in the YubiKey 5Ci; however, we expect to roll out this version to all YubiKey 5 Series devices over the next month. While it is a minor update, the 5.2.3 firmware has a number of features and improvements related to the FIDO and OpenPGP protocol stacks.


For FIDO2, the new firmware adds an enhanced privacy mode. This enables sites to require a PIN when a YubiKey is registered with their service. The FIDO PIN of the YubiKey must be used in order to reveal what sites the authenticator was registered to. This feature is intended for services that want to protect the privacy of what sites their users have visited for a variety of reasons. For example, assume a user registers the YubiKey with “” and at a later point, they travel to a country where the content on “” is discriminated against. From this person’s YubiKey, it would not be possible to tell that the key was registered to “” without using the PIN.

The FIDO protocol has also seen a number of technical improvements, which are supported in YubiKey firmware 5.2.3:

  • Removal of RSA, as we didn’t see any use of it in practice
  • Addition of Ed25519 signature support, a modern elliptic-curve signature scheme
  • Addition of credential management to allow the deletion of FIDO resident keys
  • Addition of PIN and no PIN support to the FIDO HMAC-secret extension for offline operations
  • Implementation of signature counters with even more privacy features including keeping per-credential offsets and randomly increasing counter values 
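
Per-credential offsets and random increments matter to the relying party's counter check: the counter has to be stored per credential, and any strictly greater value must be accepted. The following is an added example, not Yubico code; `CounterStore`, the credential IDs, `example.com` and the counter values are assumptions made for illustration, and the authenticator data is constructed sample input.

```python
import hashlib
import struct
from dataclasses import dataclass

FLAG_UP = 0x01  # bit 0: user present
FLAG_UV = 0x04  # bit 2: user verified (PIN or biometric)


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def make_auth_data(rp_id, flags, sign_count):
    """Build constructed authenticator data (sample input, not a capture)."""
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, sign_count)


def parse_auth_data(raw):
    """Parse the fixed header: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(raw) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags, sign_count = struct.unpack(">BI", raw[32:37])
    return AuthData(raw[:32], flags, sign_count)


def check_sign_count(stored, received):
    """WebAuthn counter rule: any strictly greater value is valid."""
    if stored == 0 and received == 0:
        return "unsupported"     # authenticator does not implement a counter
    if received > stored:
        return "ok"              # a step of +1 or +17 is equally acceptable
    return "possible-clone"      # equal or lower: replayed or cloned credential


def naive_plus_one_check(stored, received):
    """Incorrect rule, shown for contrast: assumes the counter steps by one."""
    return received == stored + 1


class CounterStore:
    """Hypothetical in-memory store keyed by credential ID."""

    def __init__(self):
        self._counters = {}

    def register(self, credential_id, initial_count):
        self._counters[credential_id] = initial_count

    def verify(self, credential_id, raw_auth_data):
        auth = parse_auth_data(raw_auth_data)
        verdict = check_sign_count(self._counters[credential_id], auth.sign_count)
        if verdict == "ok":
            self._counters[credential_id] = auth.sign_count  # persist only on success
        return verdict


def demo():
    """Two credentials on one key: independent offsets, irregular steps."""
    store = CounterStore()
    store.register(b"cred-A", 1000)   # constructed starting values
    store.register(b"cred-B", 52)
    rp = "example.com"
    return [
        store.verify(b"cred-A", make_auth_data(rp, FLAG_UP, 1017)),  # jump of 17
        store.verify(b"cred-B", make_auth_data(rp, FLAG_UP, 60)),    # unrelated to cred-A
        store.verify(b"cred-A", make_auth_data(rp, FLAG_UP, 1017)),  # same value again
    ]


if __name__ == "__main__":
    print(demo())
    print(naive_plus_one_check(1000, 1017))
```

A relying party that applied `naive_plus_one_check` would reject the legitimate jump from 1000 to 1017, and one that kept a single counter per key rather than per credential would flag `cred-B` as cloned.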


YubiKey Firmware 5.2.3 also has a number of enhancements to the OpenPGP implementation on the YubiKey. Most of them are related to a number of the features from the OpenPGP Smart Card Specification version 3.0 and above.

ECC Support

OpenPGP 3.0 introduced support for Elliptic Curve Cryptography in addition to RSA. Many today consider ECC a better choice for many applications, with advantages including faster cryptographic operations and smaller key sizes.

YubiKey Firmware version 5.2.3 and above specifically supports signatures (ECDSA) and key exchange (ECDH) from the OpenPGP 3.4 spec for the following curves:

From ANSI X9.62/FIPS-186-3:

  • ansix9p256r1
  • ansix9p384r1
  • ansix9p521r1

From RFC5639:

  • brainpoolP256r1
  • brainpoolP384r1
  • brainpoolP512r1

In addition to the PGP 3.X spec, the YubiKey now also supports:


Firmware 5.2.3 also adds attestation for keys generated on device (this capability has already been available in our PIV application stack since we launched the YubiKey 5 Series). Specifically, a YubiKey can attest that an asymmetric key was generated on, and never left, the YubiKey. For example, a company could require that all developers sign their commits with a company-provided YubiKey that had the private key generated on device. Using the attestation keys, the system will reject any keys that were generated outside of the YubiKey and imported. Attestation was added as a Yubico-specific extension in version 3.4 of the OpenPGP Smart Card Specification. Documentation for how this feature can be used is found here on the Yubico developer site.

Multiple Operations per Touch

YubiKeys can now be configured to allow multiple operations over a short period of time with a single touch to the key, a capability that was previously available in the PIV application of the YubiKey 5 Series. This can be helpful for batch signing/encryption or operations that are composed out of multiple cryptographic primitives. The behavior can be enabled or disabled by the user.

Yubico is always working to advance the functionality and security of our YubiKeys, and we thank our users for their product feedback and support to drive technical improvements like the ones listed above. 

To determine which firmware your YubiKey 5 Series device has, please use the YubiKey Manager.

Ronnie Manning

Say Hello to Simple, Secure Login on iOS with the YubiKey 5Ci

Today marks an exciting milestone, not only in the history of Yubico, but in the history of security keys and mobile devices. Yubico celebrates more than a decade of cutting edge contributions to the authentication market with its latest innovation, the YubiKey 5Ci, now available for purchase at our Yubico store.  

The YubiKey 5Ci is the world’s first iPhone- and iPad-friendly* security key designed to deliver strong hardware-backed authentication over a Lightning connection. But that’s not all. This key is also equipped with a USB-C connector for securely accessing hundreds of Works with YubiKey applications and services on Mac, Windows, and Android devices as well. 

The unique dual-connector functionality of the YubiKey 5Ci, along with the signature multi-protocol features of the YubiKey 5 Series, makes this key the perfect solution for consumers and enterprises alike. With support for FIDO2, WebAuthn, FIDO U2F, OTP (one-time password), PIV (Smart Card), and OpenPGP in a single device, the YubiKey 5Ci delivers strong multi-factor (MFA), second-factor (2FA), and single-factor passwordless authentication across a wide range of devices and use cases.

Featured Works with YubiKey iOS partner integrations.

For all our iOS users out there, we know that you’re eager to get started with the YubiKey 5Ci. Thanks to our strong ecosystem of partners, we are proud to launch the YubiKey 5Ci with native iOS app support from 1Password, Bitwarden, Dashlane, Idaptive, Keeper Security, LastPass, and Okta. Monkton Rebar and XTN also support the YubiKey 5Ci in their latest software development kits.

You can also access some of your favorite services with the YubiKey 5Ci through the Brave iOS browser, which is the first and only iOS browser to support WebAuthn over the Lightning connector at this time. These services include:,,,, and

Yubico continues to collaborate with services and applications on their support of the YubiKey 5Ci, with the goal of our users’ favorite, day-to-day apps being added soon. Partners with anticipated YubiKey 5Ci app support include: Dropbox, Keeper Security, SecMaker, and more. 

If you see some services or browsers that aren’t listed above, please help us by expressing your desire to secure your accounts on iOS with the YubiKey. 

Developers, if you’d like to step up the security of your iOS apps or browsers, we’ve made it easy for you. Visit to get access to the Yubico Mobile SDK for iOS, along with other helpful resources such as implementation guides, webinars, or reference code.

Get started with simple and secure authentication today. The YubiKey 5Ci is available for purchase on at a retail price of $70 USD. 

*The YubiKey 5Ci works on iPad models with a Lightning connector, however, some capabilities are not compatible via USB-C with the iPad Pro 3rd generation. 

Ashton Tupper

Find Yubico at Black Hat

If you happen to be in Las Vegas this week and you find yourself strolling past the intersection of Las Vegas Boulevard and Harmon Avenue, look up. You might just recognize the friendly green color plastered all over the world’s highest resolution LED screen. 

You guessed it. Yubico is taking Vegas by storm for the annual Black Hat conference. 

Find the Yubico billboard at the corner of Las Vegas Blvd. and Harmon Ave.

Custom Black Hat YubiStyle covers.


If you don’t catch our cheeky message on the iconic Las Vegas billboard, stop by the Yubico booth (#465) to get the latest YubiKey updates along with some cool swag. See a demo of secure iOS login over a Lightning connection with our upcoming YubiKey 5Ci, or grab a few of our custom YubiStyle covers designed just for Black Hat attendees. These are only available for a limited time, so get them while you can.

You may even spot a few YubiKeys elsewhere on the show floor. Our impressive partner network will feature ‘Works with YubiKey’ stands at each of their booths. If you see one of these, stop by to say hello and learn more about how the YubiKey works with OneLogin, Duo, Microsoft, 1Password, and more.

Our full list of partners at Black Hat includes:

  • OneLogin (#2030)
  • Duo (#675)
  • Thycotic (#1410)
  • 1Password (#2323)
  • Microsoft (#654)
  • ManageEngine (#1365)
  • Okta (#2518)
  • Cmd (Cmd Beach Bungalow at the Mandalay Bay Pool Deck)
  • PingID  (#2129)


To stay up to date on Yubico events, or to receive year-round updates on Yubico news, sign up for our newsletter and other mailing lists here.



Jacob Jurilla

The Journey to Passwordless in the Enterprise

Today, Microsoft announced that the passwordless capabilities for Azure Active Directory (Azure AD) are in public preview, reaching a major milestone in enabling passwordless authentication in the Enterprise.

Azure AD provides an identity platform with access management, scalability, and reliability for connecting users with all the apps they need. With FIDO2 and WebAuthn passwordless authentication support now in public preview for Azure AD, users can register a YubiKey 5 Series security key with Azure AD, to enhance account security and enable passwordless login.

YubiKey Passwordless Starter Kit

Yubico is happy to have partnered with Microsoft in today’s announcement. For a limited time, we are offering complimentary YubiKey Passwordless Starter Kits to eligible organizations, who are Microsoft 365 customers interested in beginning their passwordless journey. 

The starter kit includes two multi-protocol YubiKeys, the YubiKey 5 NFC and YubiKey 5C. The YubiKey 5 NFC is compatible with USB-A ports and near field communication (NFC). The YubiKey 5C is compatible with USB-C ports. 

With the multi-protocol YubiKey 5, organizations can begin the journey to passwordless in the cloud, securing existing applications with Azure MFA or smart card login, and be ready for newer applications supporting FIDO2 and WebAuthn authentication.

The YubiKey 5 Series multi-protocol support includes FIDO2, WebAuthn, FIDO U2F, smart card (PIV), Yubico OTP, OpenPGP, OATH-TOTP, OATH-HOTP, and Challenge-Response functionality on a single device, to deliver passwordless, single-factor, second-factor, or multi-factor secure login. 

To verify eligibility and request a YubiKey Passwordless Starter Kit (while supplies last), please visit 

Want to learn more? Register for our upcoming webinar, Go Passwordless with Yubico & Microsoft: WebAuthn, FIDO2 & Azure Active Directory, taking place on July 30, 2019 at 9:00 AM PDT. You’ll hear from Yubico and Microsoft experts on the passwordless journey, key benefits, and how to enable passwordless login with Azure AD.


Ronnie Manning

WebAuthn sees rapid growth and adoption: Visit us at Identiverse to see WebAuthn in action

The new web authentication standard, known as WebAuthn, was recently approved by the World Wide Web Consortium (W3C) in March, and is rapidly gaining momentum. Since 2007, Yubico has been driving the development of open standards, and collaborating with partners to bring more secure authentication methods to users.  Through these combined efforts, we co-created WebAuthn.

What makes WebAuthn so noteworthy is that it is supported by all major platforms and browsers, providing users with greater choice of simple authentication methods that protect against phishing attacks. With WebAuthn, users can choose to use any combination of external authenticators, such as a security key, and internal authenticators, such as a biometric keypad on a computer, to secure access to web services and applications. That’s huge.

Microsoft, Google, and Mozilla already support WebAuthn in their web platforms and browsers. Support is currently on the developer preview version of Apple Safari. Upcoming support on Brave browser has been announced by Brave Software. Along with the platform and browser support, a growing number of web services have also rolled out WebAuthn support to their users, including, Singular Key, Daon, Isosec, Twitter, and Ping Identity, with more services committed to launching support in the near future.

WebAuthn is quickly gaining momentum, so we asked some of our Works with YubiKey partners to share why they decided to implement support. Here’s what they said:

Jasper Patterson, Web Developer, 1Password

“Our goal at 1Password is to make it easy for people to stay safe online, and adopting modern standards like WebAuthn helps us achieve that. Integrating WebAuthn into our existing two-factor implementation took about a week. The API is well designed and easy to work with for developers.”

WebAuthn offers significant security gains over traditional time-based one-time password (TOTP) or SMS-based two-factor authentication (2FA), all thanks to its secure design based on public key cryptography.

Yves Audebert, CEO, Axiad IDS

“Extending Axiad ID Cloud to support WebAuthn/FIDO2 is a step forward in providing a passwordless and frictionless authentication experience to our customers. Axiad ID Cloud leverages all the features offered by YubiKeys to further our commitment to meeting our customers’ authentication needs.”

Axiad ID Cloud is a standards-based higher-trust identity assurance platform that provides multi-factor authentication (MFA) and dedicated PKI services to secure digital interactions. Axiad IDS expects to roll out support in the back half of this year.

Ben Goodman, SVP, Global Business and Corporate Development, ForgeRock

“ForgeRock is excited to offer WebAuthn as a native authentication option for our identity platform. Hardware authentication enabled by WebAuthn provides a more secure user authentication option, while simultaneously making for an easier, more frictionless experience. This is a “Win-Win” for end-users and application owners.”

ForgeRock’s Intelligent Authentication technology has the capability to orchestrate a multitude of authentication options. WebAuthn support enables ForgeRock to seamlessly extend that functionality to a whole new breed of devices and authenticators.

Jeff Broberg, Sr. Director, Product Management, OneLogin

“WebAuthn simplifies the rollout and adoption of MFA by enabling users to leverage authenticators across mobile and desktop platforms in a more integrated fashion. Combining external authenticators, like the YubiKey, with desktop and mobile biometric sensors benefits both enterprise admins and end users.”

Adopting strong and simple authentication is critical to secure corporate resources from advanced cyber identity threats. With WebAuthn support, OneLogin expands their portfolio of strong authenticator options and makes it simpler for users to choose an authenticator that works best with their primary device.

Arshad Noor, CTO, StrongKey

“We recognize that behavior change is no easy task. Our implementation of FIDO2 and the certification of our FIDO2 server enable us to provide the ease and convenience of WebAuthn to our customers and their users through a safer and more user-friendly alternative to passwords.”

StrongKey has been committed to providing the strongest possible level of encryption and authentication technology to keep data safe for almost two decades. With WebAuthn support, StrongKey delivers phishing-resistant authentication to their users.

Jai Dargan, VP Product Management, Thycotic

“We’re excited to be a part of the Works with YubiKey program, and work together to educate customers about the benefits of strong, hardware-backed MFA.”

Thycotic and Yubico share the same vision that security should be easy to use, even for large organizations with dispersed teams and hundreds of thousands of assets to protect.

Yubico offers free resources and tools for rapidly implementing WebAuthn into an app or service. Visit the Yubico For Developers page to get started. To experience WebAuthn first-hand, visit our WebAuthn demo site.

Learn more about WebAuthn by downloading the WebAuthn Solution Brief, or chatting with us at the Yubico booth (#417) at Identiverse on June 25-27, 2019.

Alex Yakubov

Yubico Announces YubiKey for Lightning Partner Preview Program

Today, Yubico is happy to announce the launch of our YubiKey for Lightning Partner Preview Program, the next phase of the YubiKey for Lightning Private Preview Program announced earlier this year.

This is an exciting step forward for both Yubico and the Works with YubiKey ecosystem. With the launch of the Partner Preview Program, our goal is to enable more web services and applications (relying parties) to improve the protection of customer accounts and the entire account lifecycle with cross-platform support.

The YubiKey for Lightning Partner Preview Program includes access to iOS and Android SDKs to allow organizations to unify the user experience across all mobile platforms. Partners will also receive access to a YubiKey 5Ci preview device (formerly the YubiKey for Lightning), for development and testing. The YubiKey 5Ci has both a USB-C and Lightning connector on one device and will be generally available later this year. As part of the multi-protocol YubiKey 5 Series, the YubiKey 5Ci gives developers the option of securing their iOS apps using the FIDO2, WebAuthn, U2F, OTP, PIV (smartcard) or OpenPGP protocols for passwordless or two-factor authentication.

YubiKey for Lightning participating partners

Since launching the initial YubiKey for Lightning Private Preview Program, several notable partners have been working with us to provide feedback on our iOS developer resources. We would like to extend a special thank you to those partners, including: 1Password, Brave Software, Dashlane, DoD PKI Purebred, Keeper Security, LastPass, Secmaker, XTN, and more.

We look forward to enabling a growing list of compatible services, providing out-of-the-box uses with everyone’s favorite iOS applications when the YubiKey 5Ci becomes generally available later this year.

As Yubico extends hardware authentication capabilities to iOS, the YubiKey will be supported across all major platforms, allowing it to be the trust anchor for the rightful owner and serve as a portable root of trust across any computer or mobile device.

For developers interested in adding YubiKey support into their iOS mobile apps, we welcome you to apply for the YubiKey for Lightning Partner Preview Program here.

New YubiKey 5Ci demonstrations and previews of partner supported applications can also be seen at Identiverse this week, at the Yubico booth #417.

Alex Yakubov

1Password rolls out WebAuthn, and enhanced YubiKey support

Yubico has been a major contributor to the development of open standards for authentication from the initial development of the U2F specification to the latest W3C approved WebAuthn. As we see more services upgrade to modern authentication standards, we can’t help but share in the excitement.

We are thrilled to share that 1Password, a password manager used by millions of individuals and 47,000 business customers worldwide, today announced support for WebAuthn, the new global standard for secure authentication on the web.

In response to a popular request by users, 1Password has enabled the option to use WebAuthn-compatible security keys, like the YubiKey, for two-factor authentication (2FA). This provides the highest level of hardware-based security and a great user experience for those who want to use the same security key across services, browsers, and applications.

“1Password and Yubico share a common mission—to make it simpler for people to stay safe online,” said Jeff Shiner, 1Password CEO. “Yubico’s focus on security and user-friendly design aligns with our goals here at 1Password, making YubiKey 2FA a great extra layer of protection for 1Password customers.”

Previously, 1Password users were able to leverage YubiKeys as a second factor using the Yubico Authenticator app over Time-based One Time Password (TOTP). With the upgrade to WebAuthn support, 1Password takes a leap forward by enabling easier-to-use, faster, and the most secure 2FA for their users. WebAuthn uses asymmetric (public-key) cryptography and phishing-resistant, origin-bound key validation for registering and authenticating with websites.
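
What origin binding means for the relying party, as an added example that is not 1Password's or Yubico's code: before verifying the signature, the server checks that the browser-reported origin, the challenge and the RP ID hash all match what it expects. The function names, `login.example.com`, `lookalike.test` and the sample messages are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

FLAG_UP = 0x01  # user-present bit in the authenticator data flags byte


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_binding(client_data_json, auth_data, challenge, allowed_origins, rp_id):
    """Run the origin-binding checks of a WebAuthn assertion.

    Returns the bytes the authenticator signed (authData || SHA-256(clientDataJSON)).
    The signature over that value must still be verified with the stored
    credential public key; that step is left out here because the Python
    standard library has no ECDSA or Ed25519 verifier.
    """
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    returned = b64url_decode(str(client.get("challenge", "")))
    if not hmac.compare_digest(returned, challenge):
        raise ValueError("challenge mismatch")
    # The browser, not the page, fills in the origin it actually loaded.
    if client.get("origin") not in allowed_origins:
        raise ValueError("origin mismatch")
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    # The authenticator hashes the RP ID the browser validated for that origin.
    expected_hash = hashlib.sha256(rp_id.encode()).digest()
    if not hmac.compare_digest(auth_data[:32], expected_hash):
        raise ValueError("rpIdHash mismatch")
    if not auth_data[32] & FLAG_UP:
        raise ValueError("user presence not asserted")
    return auth_data + hashlib.sha256(client_data_json).digest()


def sample_client_data(origin, challenge):
    """Constructed clientDataJSON, shaped like a browser's serialization."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode()


def sample_auth_data(rp_id, flags=FLAG_UP, sign_count=1):
    """Constructed authenticator data: rpIdHash | flags | signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def outcome(origin, rp_id_seen_by_key, challenge_returned, challenge_issued):
    """Return 'accepted' or the reason the relying party refuses the response."""
    try:
        check_binding(
            sample_client_data(origin, challenge_returned),
            sample_auth_data(rp_id_seen_by_key),
            challenge_issued,
            {"https://login.example.com"},   # origins this relying party serves
            "example.com",                   # its RP ID
        )
        return "accepted"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    issued = bytes(range(32))  # constructed challenge; a real one is random per login
    print(outcome("https://login.example.com", "example.com", issued, issued))
    print(outcome("https://login.example.com.lookalike.test", "lookalike.test", issued, issued))
```

Unlike a TOTP code, which is valid on whatever page the user types it into, a response produced on a look-alike site carries that site's origin and RP ID hash and fails these checks.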

Register your YubiKey with your 1Password account today by logging in to your app and following these setup instructions, or viewing 1Password’s how-to video.

Want to know more about WebAuthn? Visit our “What is WebAuthn?” resource to get an overview of what it is and how users can benefit. Interested in implementing support for WebAuthn? We have developer resources for the rapid integration of WebAuthn on our developer website.

Special Offer for Yubico customers

1Password helps businesses and families increase their online security and cut down on digital clutter by combining industry-leading security and award-winning design to make secure password management easy for everyone.

To celebrate this announcement, 1Password is offering Yubico customers three (3) months free on a 1Password Families account. The promotion is valid only for new customers, and is active for a limited time. Go to 1Password’s site to learn more.

Jerrod Chong

5 Reasons to Upgrade Your Web Authentication to WebAuthn

Authentication has made significant progress over the past five years. It has matured beyond passwords with the introduction of a variety of two-factor authentication methods, and most recently, we have the advent of passwordless logins with WebAuthn, the new global standard for web authentication.

WebAuthn now sets a new bar for user authentication and is considered best in class for protecting user accounts. With support in all major browsers and platforms, WebAuthn offers the opportunity for services to easily offer a wide choice of strong authentication methods to users, including a passwordless experience. This consists of using security keys or built-in authenticators such as biometric readers.

To experience the WebAuthn login experience, please take a look at our demo site where you can try out registering different authentication methods using WebAuthn.

For those curious about the additional benefits of passwordless login, we put together a list of five reasons to upgrade to WebAuthn authentication.

Widespread Accessibility

One of the key differentiators of WebAuthn is the widespread acceptance and adoption of the technology across major browsers, operating systems and devices. To date, Microsoft Edge, Mozilla Firefox, Google Chrome and Google Android have already added support for WebAuthn, and Apple most recently announced WebAuthn support by default in Safari Technology Preview Release 83.

Additionally, the growing availability of built-in authenticators on computers and phones is providing users new options for authentication. As a service provider, this enables you to offer fast, convenient, and secure authentication options for all kinds of users, regardless of what kind of device or operating system they are using.

Improved Security for Customers & the Business

WebAuthn replaces weak password-based login or recovery through knowledge-based answers with strong public key cryptography that uses origin checking to prevent phishing. By making strong authentication the baseline for using built-in and external hardware authenticators, users are protected from account takeovers. A recent study by Google reviewed more than 350,000 wide-scale and targeted attacks, and showed that security keys were the most effective at stopping account takeovers. Not only does the elimination of password-based login protect customers from the threats of credential theft and phishing, but it also relieves your organization from the vulnerabilities associated with storing and protecting millions of user credentials.

Improved Customer Experience & Brand Loyalty

The average US consumer tries to keep track of over 14 different passwords across all their websites and services. Business users are estimated to be responsible for memorizing and using an even greater number of passwords, reaching up to as many as 191. The sheer number of passwords required for daily digital activities inevitably results in forgotten passwords, password resets, or at the worst, account takeovers due to weak or reused passwords. As a result, passwords degrade customer experiences, reduce brand loyalty, and contribute to lost revenue.

Passwordless login with WebAuthn provides an experience that is faster and more secure than usernames and passwords, transforming the online user experience into the familiar split-second convenience of using an ATM card. WebAuthn also enables users lacking cellular access to still authenticate when they typically might not be able to with authentication methods like one-time codes sent to mobile devices via text messages.

Lower Operational Costs

When users forget their passwords, they often end up calling help desks or support centers, consuming valuable time from support staff. In fact, Gartner estimates that password reset inquiries account for 20 to 50 percent of all help desk calls, which can cost large companies between $5 million and $20 million annually.

WebAuthn frees support and IT departments, including service desks and call centers, from the operational overhead incurred from having to create, store, cycle, and reset passwords. It can simplify user on-boarding, and given that password resets currently represent the number one IT support cost, passwordless login promises to significantly reduce workloads in IT call centers where agents today spend considerable time setting and resetting user passwords.

Simple & Flexible Integration Options

WebAuthn introduces the option for strong single-factor, two-factor, or multi-factor authentication. With this expanded choice of authentication flows, developers choosing to add WebAuthn support will have the option to select the authentication model that best suits their use cases and customers. This is especially useful for organizations that require a higher level of authentication security or that may prefer a layered approach (ex: a PIN, biometric or gesture for additional protection) for certain in-app actions like changing personal information or transferring a large sum of money.

WebAuthn is also backwards-compatible with FIDO U2F authenticators for a second factor use case. This means that all previously certified FIDO U2F security keys, such as the YubiKey 4 or YubiKey NEO, will continue to work as a form of second-factor authentication login with WebAuthn-enabled authentication flows.


To learn more about the WebAuthn open standard and how it can benefit your organization, read our ‘Going Passwordless’ whitepaper. We also offer full development resources on our developer site to enable rapid WebAuthn implementations.

Stina Ehrensvard

WebAuthn wins support in Safari, Twitter, Coinbase and hundreds of more services

“And the winner is… WebAuthn!”

A few weeks ago at the European Identity Conference (EIC) in Munich, WebAuthn won the award for Best Future Technology and Standard Project. As a co-chair of the W3C WebAuthn working group and a lead author of FIDO U2F/FIDO2, Yubico was invited to receive the award on behalf of all who collaborated on the standard.

John Fontana, co-chair of W3C WebAuthn WG and member of the Yubico open standards team, at EIC award ceremony

There is no doubt that the winning authentication standard is gaining momentum. Last week, Apple enabled default WebAuthn support on macOS in its Safari Technology Preview, while Twitter and Coinbase announced their upgrade from FIDO U2F to WebAuthn. At Yubico, our team is busier than ever supporting hundreds of services across the globe as they add support for the YubiKey, Security Keys and WebAuthn.

Initially deployed by all the leading internet companies, WebAuthn is now expanding across a wider range of industries, regions, and use cases, including the protection of electronic identities for European citizens, blockchain technology services and financial institutions. One of the leading banks was encouraged to add support for WebAuthn after one of their customers approached them with the question, “How come authenticating to my Google and Facebook account is more secure than the service that holds my money?”

The FIDO U2F, FIDO2 and WebAuthn names can be confusing, but they are all part of the same standards initiative. The varying naming conventions are a result of the further development and expansion from the industry consortium FIDO Alliance (FIDO U2F and FIDO2) to the W3C web standards organization (WebAuthn). In March 2019, W3C approved the WebAuthn standard, which is built on, and backward compatible with, U2F.

We encourage all services to implement or migrate to WebAuthn so their end users have more choices from an ever-expanding list of browsers and authentication options including one-factor, two-factor and passwordless login. With free open source servers and development resources available from Yubico and others, service providers are rapidly adding support for WebAuthn to stop phishing and radically cut support costs. Users enjoy safer and easier login with the growing options of built-in and external FIDO/WebAuthn authenticators, also known as security keys. This award-winning web authentication standard lets everyone win — except the fraudsters!

Ronnie Manning

YubiKey Summer Showcase: InfoSecurity, Gartner Security & Risk, Identiverse

We’re gearing up for a busy and exciting month here at Yubico. We have a full event schedule, a handful of speaking sessions on trending security topics, and we will be showcasing many of our Works with YubiKey partners. In other words, you won’t want to miss this.  

If you are looking to integrate the YubiKey into your application or service, please check out our Works with YubiKey program for all the details and how you can get involved.  

So, where will we be during the month of June? Here are all the places you can find us and our partners in the coming weeks — and don’t forget to pick up a YubiStyle cover when you see us.


InfoSecurity Europe, London — June 4-6, Booth #J120

Stop by Yubico booth #J120 at InfoSecurity Europe and catch our latest passwordless login demos. We will be demonstrating the multi-protocol authentication capabilities of the YubiKey and also an early look at our YubiKey for Lightning Private Preview device for iOS.

Several Works with YubiKey partners will also be at InfoSecurity Europe showcasing the benefits of YubiKey authentication. Curious how the YubiKey works with Duo (booth #F140), ManageEngine (booth #D80), OneLogin (booth #C225), Microsoft (booth #D220), Thycotic (booth #C230), and StrongKey (booth #M147)? Be sure to stop by their booths to find out.

“Yubico is a key player in the FIDO community and it’s exciting to partner with them to help promote a world without passwords.” — Jake Kiser, COO, StrongKey

“In an age where identity theft is on the rise and almost every data breach involves a compromised user account, strong authentication should be an organization’s first line of defense.” — ManageEngine

Gartner Security & Risk, National Harbor, MD — June 17-20, Booth #450

Visit us at booth #450 to talk all things cybersecurity and privacy. Once again, we’ll be demo-ing passwordless account logins using WebAuthn and the YubiKey.

Don’t miss Works with YubiKey integrations at our partner booths as well. Drop by and say hello: ForgeRock (booth #625), Thycotic (booth #651), Microsoft, and Okta (booth #629).

“Yubico provides a standardized way to balance usability and security. When using YubiKeys with ForgeRock’s out-of-the-box FIDO2 support, our joint customers get secure multi-factor authentication paired with an outstanding user experience.” Ben Goodman, Senior Vice President, ForgeRock

Identiverse, Washington, D.C. — June 25-28, Booth #417

Stop by Yubico booth #417 for Yubico’s latest announcements and YubiKey demos during Identiverse. Several Yubico experts are also taking the stage at Identiverse to discuss everything from passwordless authentication to open standards and identity anchors.

  • Wednesday, June 26 | 2:00 – 2:15pm | Portable Root of Trust Explained
    In the Solutions Theater in the expo hall, Nick Charpentier, Solutions Engineer at Yubico, will discuss the concept of hardware authenticators as a portable root of trust to achieve a secure, ubiquitous experience across all devices.
  • Wednesday, June 26 | 5:35 – 6:00pm | Netflix’s Journey with WebAuthn
    Jerrod Chong, Chief Solutions Officer at Yubico, and Tejas Dharamshi, Senior Security Software Engineer at Netflix, will discuss Yubico and Netflix’s collaboration on a move to modern strong authentication with WebAuthn while maintaining a frictionless user experience.
  • Wednesday, June 26 | 4:25 – 4:50pm | Is Your 2FA Broken?
    John Bradley, Senior Solutions Architect at Yubico, will discuss various second-factor authentication techniques and how effective they are against advanced phishing threats.
  • Thursday, June 27 | 9:00 – 9:30am | Standards: The Bedrock of Identity
    John Bradley, Senior Solutions Architect at Yubico, will join a panel of standards experts on the keynote stage to discuss, debate, and provide insight into the world of open standards and how they may change our world in the next five years.
  • Thursday, June 27 | 4:25 – 4:50pm | Understanding Identity Trust Anchors
    Derek Hanson, Vice President of Solutions Architecture and Standards at Yubico, will discuss how identity attributes are managed, validated, secured and updated so that the systems and processes that are reliant on identity proofing have a solid foundation.

That’s not all. See what’s new with current and future Works with YubiKey integrations by stopping by any of our partner booths: Axiad IDS (booth #419), Microsoft (booth #303), Ping Identity (booth #601), ForgeRock (booth #411), Okta (booth #516), and OneLogin (booth #416).

“In today’s digital world, trusted identity requires that all the entities that interact with an organization be authenticated. Mobile and cloud identity solutions eliminate the need for organizations to choose between security, ease-of-use and ease-of-management.” — Yves Audebert, Chairman, President and Co-CEO, Axiad IDS

To stay up to date on these events, or to receive year-round updates on Yubico news, sign up for our newsletter and other mailing lists here.

Stina Ehrensvard

The YubiKey as the WebAuthn Root of Trust

The new web authentication standard, WebAuthn, that was recently announced by W3C, is rapidly gaining adoption by leading platforms and services. WebAuthn is an evolution of the FIDO U2F standard, spearheaded by Yubico and Google, and successfully deployed since 2014 by millions of users with YubiKey security keys. Yubico helped to create WebAuthn to extend the standard beyond external security keys to include new internal built-in fingerprint readers and facial recognition technologies. Having these choices is important to drive widespread support for simple, strong and passwordless authentication methods.  

In this new authentication landscape, an external security key, such as the YubiKey, takes on the important role of a root of trust. As users move between different platforms and computing devices, having this portable root of trust is essential for enabling rapid bootstrapping on new devices and for recovering when devices are lost, stolen or replaced.

Below is a roundup of some of the best use cases for an external hardware-based authenticator:

  • Device Loss, Theft, or Compromise — In the case that a phone or computer is lost, stolen or replaced, the YubiKey can be used as an easy method to re-establish trust with online accounts and re-register the internal authenticator on a new device. With an external root of trust like the YubiKey, where the user’s credential cannot be tampered with, a high degree of trust can be transferred from device to device, establishing all of them as trusted entities and thereby protecting the account.
  • Multi-Device Access — In today’s digital age, users rarely work from a single device or platform. It’s common to move from a mobile device to desktop, laptop, or tablet, and even between personal and work devices. Having a portable external authenticator that can work across computing devices makes these transitions seamless. With options to connect via NFC, USB-A, USB-C, and soon Lightning, the YubiKey meets the needs of every internet user.
  • Mobile-Restricted Environments — Not all work environments allow employees or contractors to have a mobile phone. Call centers, manufacturing floors, and remote locations are some of the environments where a hardware authenticator is a preferred solution.
  • High Security Applications — Without ties to the internet or a multi-purpose chip or computing device, the attack vector naturally becomes much smaller on an external hardware authenticator. There are certain scenarios where services may choose to require step-up authentication to complete a high-risk action, such as transferring a large sum of money between bank accounts, or updating an address. The YubiKey can be used as an additional form of validation and quickly re-verify the user before the action is taken.  
  • Uninterrupted Access – We designed the YubiKey to provide optimal levels of durability. It is crush and water resistant and does not require batteries, so it eliminates the chance of the device being uncharged.
  • Integration with Legacy Systems — Most enterprises use a variety of systems, platforms, and devices, and not all of these support newer authentication standards such as FIDO and WebAuthn. Also, for use cases that require a corporate credential for computer login and remote access, digital signatures for code signing, key escrow for email encryption, or privilege access for older operating environments, the YubiKey’s multi-protocol functionality helps address a wider range of enterprise security needs.  
  • Authentication Backup — Regardless of how users are securing their accounts, it is always a best practice to have a backup method in case the primary method of authentication is lost, stolen, broken, or inaccessible. The YubiKey is an affordable, simple option that users can carry on their keychain, tuck into a wallet, or store in a safe place for convenient access at any time.

With a growing list of strong authentication options supported by WebAuthn, and the ability to solve use cases across device type, operating system and service, now is the time for companies to add WebAuthn to their services. Developers can take advantage of Yubico’s developer resources to extend user authentication options. To try out the WebAuthn authentication experience please visit the Yubico WebAuthn demo site.

There are more than 3 billion people in the world connected to the internet who need — and deserve — a better, more secure experience. Let’s work together toward making the internet a safer place for everyone!

Alex Yakubov

YubiHSM 2 Now Compatible with EJBCA from PrimeKey

The YubiHSM 2, the world’s smallest hardware security module from Yubico, is now compatible with EJBCA software for a range of public key infrastructure (PKI) use cases. Available for all YubiHSM 2.1 and newer devices, Yubico’s updated Setup Tool, which adds support for PrimeKey EJBCA, is accessible in our latest YubiHSM 2 open source software development kit (SDK).

When it comes to maintaining your customers’ trust, it’s imperative to protect against data theft and compromise, and hardware security modules (HSMs) are table stakes. Traditionally, this has meant dedicating an entire rack—or more—in the server room.

Enter the YubiHSM 2. These thumbnail-sized hardware devices deliver enhanced protection for cryptographic keys, are more affordable than traditional HSMs ($650 MSRP), require very low power, are ultra-portable, and plug into any USB-A port—minimizing space requirements for deployment. The sheer size and cost alone open up incredible new use cases. Imagine an autonomous vehicle with its own YubiHSM 2—no need to compromise on trunk space.

“The priorities for us in developing PrimeKey’s EJBCA have always been flexibility and the ability to support different use cases. With the YubiHSM 2, we enable a cost efficient and portable HSM alternative that simplifies the process to secure your CA keys,” said Chris Job, Team Leader, PrimeKey Professional Services.

With our latest YubiHSM 2 open source SDK, and support for PrimeKey EJBCA, YubiHSM 2 users can leverage PrimeKey and Yubico open source software and tools for implementing PKI. Collaborating with PrimeKey, and adding support for PrimeKey EJBCA on the YubiHSM 2 further delivers Yubico technology to organizations where open source is preferred or even required. The YubiHSM 2 now supports two certificate authorities—Microsoft Windows CA and PrimeKey EJBCA—offering greater flexibility to those looking to secure an organization’s most important data with an HSM.

Licensing Information

The YubiHSM 2 SDK is intended for use in development and production environments in conjunction with YubiHSM 2, pursuant to Yubico’s terms and conditions of sale and license. By downloading and installing the SDK you agree to the terms of this license. The released SDK source code is licensed under the Apache 2.0 license. Third party software included in the YubiHSM 2 SDK, and their respective licenses, are listed in the licenses directory inside the SDK package.

Derek Hanson

Yubico Login for Windows Application Now Available in Public Preview

Every day, YubiKey users are protecting access to their data in cloud services like Gmail, Dropbox, and password managers, but these very same people also need to protect access to desktop and laptop computers. Thanks to the multi-protocol capabilities of the YubiKey, they can. The YubiKey can be used to log in to Linux, Mac, or Windows machines.

One of the more popular use cases we hear about is logging into Windows machines, which is why we designed the Yubico Login for Windows Application. The tool provides a simple and secure method for YubiKey users to secure access to their Windows computers. Today, we are opening the public preview program for the application.

Yubico Login for Windows Application

The Yubico Login for Windows Application will deliver a simplified configuration experience, enabling users to help protect their computers with a YubiKey. In addition, this application will enable new core features such as enrollment for backup YubiKeys and lost YubiKey recovery mechanisms.

These features make this application the most robust authentication tool that Yubico has provided for standalone Windows computers.

The preview program gives participants the ability to download the new Yubico Login for Windows Application, test the application, and provide feedback on the experience. This is your chance to influence the features prior to the upcoming official release.

The Yubico Login for Windows Application is best suited for:

  • Individuals that have local accounts on Windows 7, Windows 8.1 or Windows 10 computers.
  • Individuals or organizations that prefer local accounts created on their computers in order to keep sensitive information localized as opposed to taking advantage of a more connected Windows 10 experience (such as using OneDrive, etc.).
  • Organizations that have a mix of Windows 7 and Windows 10 computers and do not use Azure Active Directory or Active Directory.

The Yubico Login for Windows Application is not ideally suited for:

  • Users who typically log into Windows computers with a Microsoft Account.
  • Users who utilize the following sign-in options for their local account: Windows Hello (face, fingerprint, or iris), PIN, or picture password.

If you are interested in joining the public preview program for Yubico Login for Windows Application please sign up here. The preview offering and a configuration guide will be made available after sign-up.

Stina Ehrensvard

A Big Day for the Internet: W3C Standardizes WebAuthn

Today’s standardization of WebAuthn by the World Wide Web Consortium (W3C) marks a milestone in the history of open authentication standards and internet security, and Yubico is excited to be a part of it. Through close collaboration with the global internet standards community and the internet giants, Google and Microsoft, we achieved the near-impossible: the creation of a global standard for web authentication that is on track to be supported by all platforms and browsers.

With much of our personal and business lives now online, the need for stronger security has never been more important to protect our digital identities. With WebAuthn, we are addressing the problem behind the vast majority of security breaches — account takeovers due to stolen online credentials.

We have invested considerable time from our engineering staff in the development of this new standard, including being one of nine Specification Editors, being one of two co-chairs for the W3C WebAuthn group, and having six working group members. When I asked one of our engineers from this group how he liked his job, he responded, “It’s one of the most interesting and scary projects I’ve ever had. We are writing code that will impact the internet security of billions of people, so we feel the responsibility to get this right!”

From start to finish, the WebAuthn spec development has been more than a three-year process, but for Yubico, this is a culmination of more than a decade of innovation and seven years of standards work. Starting first with FIDO U2F, then FIDO2 and now WebAuthn, these standards are a natural evolution built upon each other to bring together new important security capabilities for the modern web:

  • Driverless, one-touch authentication with a single authenticator that can be used across any number of services with no shared secrets.
  • Public key cryptography to defend against phishing and man-in-the-middle attacks at scale.
  • Single-factor, multi-factor and passwordless authentication for web and mobile applications.

WebAuthn recognizes the importance of security keys as well as platform authenticators, such as built-in biometric sensors, by embracing broad support for a choice of authentication devices and modalities. Yubico supports this approach because it fosters widespread adoption of stronger authentication. We contributed to this standard to help as many people as possible stay safe online. Moving forward, the YubiKey will be valued as a high-privacy, high-security authentication choice. In addition, it will take on the important role of the Root of Trust, enabling seamless bootstrapping to new devices and rapid recovery from lost and stolen devices when built-in authenticators are not enabled or no longer accessible.

Microsoft Edge, Mozilla Firefox, Google Chrome and Google Android have already added support for WebAuthn, and Apple Safari is actively testing the API. Additionally, Microsoft Accounts and Dropbox have WebAuthn support. Many more online services will soon follow.

Since FIDO U2F was first launched in Gmail in 2014, Yubico has provided free open source code, and guided the vast majority of online services integrating the standard. We continue this work with WebAuthn. Developers and online services can rapidly add support, including “upgrading” from an existing U2F deployment, by signing up to join the Yubico Developer Program to be informed on the latest reference documentation, testing tools and open source servers.

Individuals and companies who want easy, secure access to their daily online accounts — including those in financial, healthcare, and government services — can accelerate adoption by requesting support for YubiKey and WebAuthn. WebAuthn works with all existing U2F and FIDO2 YubiKeys.

WebAuthn standardization is the foundation for the first-ever web authentication standard designed with scalable public key cryptography and phishing protections, and we can now all help to make the internet safer for everyone.

Want to see WebAuthn in action? Stop by the Yubico booth this week at RSA (#S2162), Scale17x (#519), or Gartner IAM Summit Europe (#S12).

Ronnie Manning

Yubico Releases the 2019 State of Password and Authentication Security Behaviors Report

In conjunction with Data Privacy Day, Yubico is releasing today new research in a report entitled, The 2019 State of Password and Authentication Security Behaviors Report, conducted by Ponemon Institute. The findings reveal that despite a growing understanding of security best practices, user behavior is still falling short. The problem? Passwords continue to trip up users and compromise security and many users are not taking advantage of stronger two-factor authentication solutions that are available.

The annual Data Privacy Day initiative, led by the National Cyber Security Alliance (NCSA), has grown in popularity each year — and with good reason. Massive data breaches like the recent Collection #1 continue to happen. With nearly 773 million records exposed, including email addresses and passwords, Collection #1 is one of the largest breaches to date; and yet, are individuals taking the actions needed to protect their online accounts? According to the report findings, it appears not.

Are we becoming more security-minded, and better yet, are we following best practices? Some of the most interesting stats revealed that:

  • 2 out of 3 (69%) respondents share passwords with colleagues to access accounts
  • 51 percent of respondents reuse passwords across business and personal accounts
  • 57 percent of respondents who have experienced a phishing attack have not changed their password behaviors
  • 67 percent of respondents do not use any form of two-factor authentication in their personal life and 55 percent of respondents do not use it at work
  • 57 percent of respondents expressed a preference for a login method that does not involve the use of passwords

Beyond the above listed highlights, the full 2019 State of Password and Authentication Security Behaviors Report delivers further data on the following topics:

  • How privacy and security concerns affect personal password practices
  • Risky password practices in the workplace
  • Authentication and account security in organizations
  • Differences in password practices and authentication security behaviors by age
  • Differences in password practices and authentication security behaviors by country (Germany, France, UK, USA)

To read more of the research highlights, please check out our infographic below or download our full research report here.

Stina Ehrensvard

Yubico Expands Executive Team with Addition of Guido Appenzeller, Chief Product Officer

Happy New Year from Yubico! We are very excited for the upcoming year and 2019 has already kicked off with two new product announcements at CES, and now we’re expanding the Yubico family.

As of two weeks ago, we added another member to our executive team: Guido Appenzeller. Guido joins us as the Chief Product Officer of Yubico to focus on product development and strategy, a critical role to the company’s continued innovation and success in making strong authentication truly ubiquitous. Previously, he served as CTO of VMware, Consulting Professor at Stanford, and the founder of two start-ups.

Please join me in welcoming Guido into the YubiFamily. To learn a little more about Guido here is an excerpt from a recent interview between Ronnie Manning, our VP of Communications, and Guido.

From founding two different start-ups to working as CTO for VMware, you have had experience with both large and small companies. While each phase of company growth presents its own set of challenges, which growth phase would you say you enjoy the most and why?
Both have been incredible experiences. I love small companies because of their agility and speed. You spot a new opportunity and with a good team you can have a product in the market months later. On the other hand, being an executive in a large company puts huge resources at your disposal. At VMware, we entered new markets by buying the market leader and then accelerating it with an enterprise sales team of several thousand people. In the end for me, it boils down to where I can have more overall impact and usually that is in a smaller company.

What’s the single biggest lesson you’ve learned in your career about successfully growing a company, and how do you plan to bring that to your role at Yubico? 
The two most important things about growing a company are the market and the team. Yubico is in a great market and solving a key problem: how to make the internet secure. Stina, Jakob and the team have done a great job creating a culture that focuses on security while at the same time emphasizing a fun user experience. That’s actually pretty rare for a security company. My goal is to keep this culture while building the lightweight process that’s needed to take Yubico through the next phases of its growth.

You have a long history of leading companies through successful growth periods. In an ideal world, how do you envision Yubico’s growth to unfold over the next 1-5 years?
The short-term opportunity for Yubico is to replace passwords as the main authentication method in the internet. This is a huge shift. It would all but eliminate phishing while actually improving usability. But this is just scratching the surface. Having inexpensive hardware with advanced cryptographic functionality opens up new applications for payments, messaging security, IoT security and secure infrastructure. Long term, these are the areas that excite me most.

What are the most exciting and daunting aspects of working in the cybersecurity industry?
Security is often an afterthought. We have a rich history in the technology industry of first building systems where we ignore security, then recognizing our error and eventually bolting on a security solution that is awkward to use and difficult to understand. I think what initially got me excited about the YubiKey is that it is one of the very few security products that is easy to understand and that end users actually love to use.

When you’re not busy tackling the roles and responsibilities of a Chief Product Officer, what are you most likely to be doing?
I love the outdoors and like exploring the world on foot, scuba diving or behind the controls of a small airplane that I have flown all the way from California to the Caribbean. I am an avid gamer with my kids or alone, and recently have been spending more and more time in Virtual Reality.

The Yubico team will continue to grow in 2019. If you’re interested in a career in cybersecurity at Yubico, check out our open job opportunities here.

Ronnie Manning

Yubico Launches the Security Key NFC and a Private Preview of the YubiKey for Lightning at CES 2019

Hello from Las Vegas. Today, we have some exciting news for you that’s coming straight from the CES show floor. We are introducing two new device form factors: our latest next-generation security key, Security Key NFC by Yubico, and a private preview of our YubiKey for Lightning. We are giving live demos of both of these keys at the CES Yubico booth (#312).

The Security Key NFC

The Security Key NFC is our newest addition to our distinctive blue Security Key Series, offering USB-A and NFC (near-field communication) for tap-and-go authentication over the FIDO U2F and FIDO2/WebAuthn protocols on computers and supported mobile devices (like an Android phone or an NFC reader attached to a Windows 10 computer). With the option of multiple communication methods, this one key is able to deliver a simple and seamless user experience across multiple devices for strong multi-factor, two-factor (2FA), and single-factor passwordless authentication.

Today, the Security Key NFC works out of the box with hundreds of services already supporting FIDO U2F and FIDO2 authentication protocols, including Microsoft (for passwordless login), Google, Facebook, Twitter, Dropbox, a growing list of password managers, and many more FIDO2 and U2F compatible websites. And as the latest hardware authenticator from Yubico, it’s built to last. It’s made in the USA and Sweden with reinforced fiberglass that is hermetically sealed and injection molded into a monolithic block, delivering exceptional physical durability.

The Security Key NFC by Yubico is available beginning today for $27 at the Yubico online store.

YubiKey for Lightning — Private Preview

If you are a Yubico follower, you’ve probably heard that Yubico’s goal is to make strong, simple authentication truly ubiquitous, across all services, devices, and operating systems. Historically iOS has presented some challenges to achieving that mission, which is why we’re extremely excited to announce a private preview of our newest YubiKey for Lightning.

YubiKey for Lightning

The YubiKey for Lightning is a multi-protocol hardware authenticator designed with both USB-C and Lightning connectors. By supporting the two most common connectors for Mac and iPhones, the new YubiKey for Lightning is designed to provide seamless authentication across compatible desktop and mobile devices.

We are also formally launching the YubiKey for Lightning Program as an extension of our Lightning Project announced in August 2018. If you are a developer or service that would like to support strong hardware authentication on iOS, we invite you to work with us by applying to participate in the YubiKey for Lightning Program. Selected participants will have access to the private preview of YubiKey for Lightning and also the Yubico Mobile iOS SDK for Lightning.

Today the YubiKey for Lightning is in private preview to selected participants in the YubiKey for Lightning Program, with general availability still to be announced.


Stina Ehrensvard

2018: A Year in Review for Yubico

2018 was an awesome year for Yubico. It was full of new product launches, business milestones, a growing team of super stars, and industry-leading innovations. It’s hard to believe that all of that happened in just one year, but it’s amazing to see how much can be accomplished together when we focus on our mission of making security available for all.  

Over the years, I’ve also learned that it’s necessary to reflect on all of these accomplishments as an entrepreneur, a CEO, or an employee. This time of pause allows us to evaluate the lessons learned, set new goals, and carefully build upon the work we’ve already done. So, as we cross into 2019, here’s a quick look back at some of Yubico’s finest moments of 2018.

We invested a significant amount of time and resources into product innovation and released several major new products, all of them being the first of their kind on the market.

The YubiKey 5 Series

The Security Key by Yubico is the first-ever security key to support FIDO2 and WebAuthn, the new global authentication standards for passwordless logins that Yubico is also the leading contributor to.

The YubiKey 5 Series is the first-ever multi-protocol security key series to support FIDO2 and WebAuthn.

The YubiKey FIPS Series is the first-ever multi-protocol FIPS 140-2 validated security key series.

A major part of the Yubico mission is spent on working with the larger internet ecosystem, providing them with the insight and resources they need to be successful in protecting their users’ data and privacy. As a result, several major services and leading platforms and browsers have added support for FIDO2, WebAuthn, and YubiKey strong authentication.

Twitter adds support for FIDO U2F authentication with a YubiKey.

AWS Identity and Access Management adds support for FIDO U2F authentication with a YubiKey.

LastPass is the first iOS app to add support for strong YubiKey authentication via NFC.

Microsoft Accounts adds support for YubiKey and FIDO2 to allow users to log in to their accounts without a username and password.

Additional browser support continues for WebAuthn from Chrome, Firefox, Edge, and Safari.

The developer community is core to what we do here at Yubico, and while we’ve offered free and open source code since our launch in 2008, this year we created dedicated resources to expand our offerings.

Mobile SDK for iOS enables YubiKey authentication on the iPhone

The Yubico Developer Program is the first source for developers to gain access to YubiKey integration resources such as webinars, SDKs, implementation guides, and more.

Yubico launches the official Works with YubiKey Program to further guide and promote service provider’s YubiKey integrations.  

The Mobile SDK for iOS was released to allow any iOS mobile app to rapidly add support for hardware-based two-factor authentication using YubiKey OTP over NFC.

The Yubico Lightning Project was announced, extending the capabilities of the Yubico Mobile SDK for iOS to support FIDO U2F/2 authentication over a lightning connection.

The YubiHSM open source SDK was released to allow developers to integrate with the YubiHSM 2 and enable its security capabilities for greater protection of cryptographic key material.

Last but not least, we continued to grow Yubico as a trusted leader in strong authentication with new financial investments and the addition of new talent across the globe.

The Yubico team reached 160 people, representing 25 different nationalities, and based in eight countries: Sweden, USA, Germany, UK, Chile, Singapore, Australia and Japan.

Yubico received investment from top-tier investor Andreessen Horowitz (a16z) in support of our mission to create a safer internet at scale. Martin Casado, general partner for a16z, also joined the Yubico board of directors.

2018 was incredible, and we plan to top it with what’s to come in 2019! Be the first to know about new products and more by signing up for our mailing list.

Alex Yakubov

YubiHSM 2 Now Qualified for AWS IoT Greengrass Hardware Security Integration

We are excited to announce that Amazon Web Services (AWS) Internet of Things (IoT) Greengrass users can now use the YubiHSM 2, Yubico’s ultra-portable hardware security module, for secure key storage. AWS IoT Greengrass software provides local compute, messaging, and data caching for IoT devices, enabling users to run IoT applications across the AWS cloud and local devices.

The Internet of Things (2018) research report from Business Insider Intelligence predicts that there will be more than 55 billion IoT devices by 2025, up from about 9 billion in 2017. While reaping many advantages like increased efficiency and productivity, this rapid growth in adoption provides a new playground for malicious actors creating real challenges for security and privacy.

Connecting everything to the cloud creates the potential for a single point of failure, which is why protecting access to servers is of paramount importance. A prime threat to access is storing root keys for servers in software. Root keys stored in software can be stolen, accidentally distributed, or misused, and can potentially lead to catastrophic security breaches.

AWS IoT Greengrass enables customers to leverage a hardware root of trust, such as the YubiHSM 2, for private key storage, and end-to-end encryption for messages sent between AWS IoT Greengrass Core and the AWS cloud, as well as between the AWS IoT Greengrass Core and compatible local devices. This provides AWS IoT Greengrass customers with the option to configure their AWS IoT Greengrass Core to use the private keys generated and stored on the YubiHSM 2.

“Security and compliance are primary considerations for customers as they begin their respective cloud journeys. Organizations need true cloud visibility, which is the foundation of security and controls. The integration of YubiHSM 2 with AWS IoT Greengrass is a great example of a way for customers to have greater visibility into local compute, messaging, and data caching for the Internet of Things (IoT),” said Troy Bertram, General Manager, Worldwide Public Sector Business Development, AWS. “The integration of YubiHSM 2 with AWS IoT Greengrass provides AWS customers with another avenue to maintain the strong hardware-backed security for cryptographic digital key generation, storage, and management.”

Since our initial launch of the YubiHSM 2 last year, many of our customers have approached us looking for a way to protect keys on servers. Complaints of traditional rack-mounted and card-based HSMs offering limited applicability at a significantly higher cost have led customers to our innovative alternative hardware security module. The YubiHSM 2 provides strong hardware-backed security for cryptographic digital key generation, storage, and management. The nano-sized YubiHSM 2 fits inside a server’s USB port and does not require additional hardware, significantly bringing down costs and simplifying the deployment process.

We’re excited for the collaboration with AWS IoT Greengrass. This announcement follows our recent release of our open source software development kit (SDK) for the YubiHSM 2. Now, more developers can rapidly integrate the YubiHSM 2’s capabilities into apps across a wider array of architectures and platforms. The YubiHSM 2 SDK enables developers to build products that communicate seamlessly with the YubiHSM 2 through the industry standard PKCS#11, and extend a range of high security functions and use cases for the greater protection of cryptographic keys.

The open source YubiHSM 2 SDK highlights Yubico’s commitment to transparency and trust. We continue to encourage the developer and security communities to join us in our mission to make strong hardware-backed security more accessible to organizations of all sizes.

Learn more about this new feature, and how AWS IoT Greengrass works with the YubiHSM 2. Want to integrate Yubico technology into your solution? Start here.

Ronnie Manning

Password-less Login with the YubiKey 5 Comes to Microsoft Accounts

We’ve done it! Together, with Microsoft, we’ve officially made it possible for hundreds of millions of Microsoft users around the world to log in without a password on their personal Microsoft accounts (MSA), with a YubiKey 5 or Security Key by Yubico.

With the latest update to Windows 10 (version 1809) and existing native support in Edge, all consumer Microsoft accounts now support password-less login via FIDO2/WebAuthn. Yes, no passwords.

With a Microsoft account and the YubiKey, you can quickly and securely log in (and automatically single-sign-on) to all of these Microsoft services on Edge:

That’s one login, zero passwords, and effortless access to your most loved Microsoft services.
Let’s just take a moment for that to sink in.

Today’s announcement from Microsoft is a landmark in the history of authentication. The first driverless, one-touch authentication USB device was launched in 2008, in the form of the original one-time password (OTP) YubiKey. To improve protection against phishing and advanced attacks, and make it work with any number of services with no shared secrets, Yubico co-created U2F with Google, which was later contributed to the FIDO Alliance.

To remove the need for a username and long complicated passwords, we worked with Microsoft and the FIDO Alliance to evolve U2F into FIDO2 for password-less login.  We say thank you to everyone who has been part of making this a reality. 

“Password-less sign-in is a transformational change to how business users and consumers access devices and applications. It combines industry-best ease of use and security to create an experience people are going to love and hackers are going to hate,” said Alex Simons, Corporate Vice President, Microsoft Identity Division. “FIDO2 is a key part of Microsoft’s push to eliminate passwords and devices like the YubiKey 5 are a great example of how we’re working with partners to make this transformation a reality.”

How To Register A YubiKey with Your Microsoft Account

To take advantage of this new, advanced security feature, you will need to simply register your FIDO2-enabled YubiKey 5 Series or Security Key by Yubico with your Microsoft account. This feature is available on any Windows PC with the Windows 10 version 1809 update and Microsoft Edge installed.

You have the option to do so either by USB-A or USB-C port (YubiKey 5 NFC, YubiKey 5 Nano, YubiKey 5C, YubiKey 5C Nano, Security Key by Yubico) or by NFC (near-field communication) wireless connection (YubiKey 5 NFC).  

  1. To begin, launch Microsoft Edge on the latest Windows 10 update (version 1809) and visit the Microsoft account page. Sign in as you normally would, click Security > More security options, and select Set up a security key.
  2. Identify what type of YubiKey you have (USB or NFC) and select Next.
  3. You will be redirected to the setup experience, where you will insert or tap your YubiKey 5 or Security Key. This action generates a unique public-private key pair between your YubiKey and your Microsoft account, and only the YubiKey stores the private key. It never leaves your device. The public key is stored with the Microsoft service to allow for verification of your authentication.
  4. You will then be prompted to set a unique PIN to protect your key. This PIN is stored locally on the YubiKey, not with Microsoft accounts.
  5. Take the follow-up action by touching the YubiKey’s gold sensor.
  6. Name your security key so that you can distinguish it from other keys (we always recommend setting up an additional YubiKey for backup).
  7. Sign out and open Microsoft Edge, select use security key instead, and sign in by inserting or tapping your key and entering your PIN.

That’s it! You have successfully replaced your Microsoft account password with strong, hardware-based authentication using public key cryptography to protect against phishing and man-in-the-middle. For more details, visit and if you want to see more, check out our fun promo videos here and here!!!

Authenticating Beyond Your Microsoft Account

In addition to FIDO2, the YubiKey 5 series supports: FIDO U2F, PIV (smart card), OpenPGP, Yubico OTP, OATH-TOTP, OATH-HOTP, and challenge-response. This means the same device that you use to protect your Microsoft account can be used to protect your password manager, social media accounts, and your logins to hundreds of services. Check out the Works with YubiKey catalog to discover other services that support the YubiKey.

Alex Yakubov

The Modern Workplace Journey: Experience MFA Everywhere with PingID and the YubiKey

One of the most frequent questions I’m asked to talk about is what sets the YubiKey apart from other security keys. At Yubico, we pride ourselves on making the highest quality, most durable and innovative authentication devices on the market, including the first-ever multi-protocol security keys which combine FIDO2, U2F, one-time password (OATH-HOTP and OATH-TOTP), PIV-compatible smart card, and OpenPGP in one authenticator. This multi-protocol support is a critical feature for organizations in the process of modernizing strong authentication for everything that employees, vendors, and users access on a daily basis, as one single YubiKey can meet varying authentication needs.

The journey to modernizing authentication also often starts with finding the right Identity Access Management (IAM) solution, which is why Ping Identity, the leader in Identity Defined Security solutions, is a critical member of the Yubico Ecosystem. Yubico is excited to work with Ping Identity to strengthen the authentication choices for PingID customers.

Starting today, current and prospective PingID customers considering a YubiKey implementation are invited to learn more about our joint solution through Ping Identity’s YubiKey Experience Pack initiative. A co-branded experience pack will be available to PingID customers as a special complimentary offer designed for admins to experience the many benefits of our joint solution. Each pack features two (2) of our latest YubiKey 5 Series devices and a PingID Quick Start Guide. The YubiKey 5 Series supports two-factor, multi-factor and passwordless authentication, so as the future of authentication progresses toward passwordless logins, PingID customers will be equipped with an authentication device that can do it all.

Setting up YubiKey authentication with PingID is easy. Users can self-register the YubiKey with their PingID account without needing additional software or drivers.

“Ping Identity is committed to providing the most secure multi-factor authentication experience and emerging authentication standards for its customers,” stated Monica Hamilton, Head of Technology Alliances and Business Development at Ping Identity. “By working with Yubico, we are able to provide secure login options with a hardware device for added user convenience, especially in scenarios where a mobile phone cannot be utilized or is not preferred.”

Yubico is also thrilled to be one of Ping Identity’s Global Sponsors for IDENTIFY 2018. Today, we’re kicking off IDENTIFY San Francisco, and November 7 marks the third and final event in the series, IDENTIFY New York. Stop by our kiosk and chat with us about your journey to modernizing the workplace. Still need a ticket to IDENTIFY 2018? Use code YUB524 in the online registration portal for a complimentary pass courtesy of Yubico. Qualifying customers can request the YubiKey Experience Pack for PingID customers by contacting while supplies last! Learn more about how Yubico and Ping Identity work together.

Jerrod Chong

Introducing the YubiKey 5 Series with New NFC and FIDO2 Passwordless Features

Today, we are announcing some exciting news that we know you’ve all been waiting for. The 5th generation YubiKey has arrived!

Our new YubiKey 5 Series is comprised of four multi-protocol security keys, including two much anticipated new features: FIDO2 / WebAuthn and NFC (near field communication).

The YubiKey 5 Series is the industry’s first set of multi-protocol security keys to support FIDO2 / WebAuthn, the open authentication standard that Yubico helped to pioneer, along with Microsoft and others. All leading platforms and browsers have either added support or are engaged in this standards work, expanding authentication choices using authentication devices, such as a YubiKey, with or without a username and password. Each key in the YubiKey 5 series supports: FIDO2 / WebAuthn, FIDO U2F, PIV (smart card), OpenPGP, Yubico OTP, OATH-TOTP, OATH-HOTP, and challenge-response.

With the new YubiKey 5 series, Yubico provides a solution that works not only for today’s authentication scenarios but also for tomorrow’s, helping to bridge the gap from existing solutions to a future of passwordless login. Users will receive the same trusted security, ease of use, and durability expected from a YubiKey, but will now have the added option of passwordless logins using FIDO2:

Authentication options with the YubiKey 5 Series.


Single-Factor Authentication (Passwordless) with the YubiKey 5 Series – The YubiKey 5 security keys can be used alone for strong single-factor authentication, requiring no username or password to login — just tap or touch to authenticate.

Second-Factor Authentication with the YubiKey 5 Series – Used alongside a username and password, the YubiKey 5 series offers a strong second factor of authentication. This is the YubiKey integration that exists today with services like Google, Twitter, and Facebook, and it is most familiar to our users.

Multi-Factor Authentication (Passwordless + PIN + Touch) with the YubiKey 5 Series – The YubiKey 5 series can be used in conjunction with a PIN for user verification. In this case, the PIN unlocks the device locally and touch is still required for the YubiKey to perform the authentication.


With this expanded choice of authentication modes, developers choosing to add support for the YubiKey will have the option to choose the authentication model that best suits their use cases and customers. Implementation resources for all of the YubiKey-supported protocols can be found on the Yubico Developer website or through the Yubico Developer Program mailing list.
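As an added example (not Yubico or Microsoft code), this Node.js sketch models the FIDO2 exchange behind both the Microsoft account registration steps and the three authentication modes above: the service stores only a public key, then checks the challenge, origin, touch and PIN flags, and signature on each sign-in. `SimulatedAuthenticator`, `login.example.com`, `login.example.net` and the reduced authenticator-data layout are assumptions made for illustration.

```javascript
// Added illustration, not Yubico or Microsoft code. Simplified model of a FIDO2 /
// WebAuthn credential: real authenticator data carries more fields than shown here.
const crypto = require('crypto');

const FLAG_UP = 0x01; // user present: the key was touched
const FLAG_UV = 0x04; // user verified: the PIN was entered
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Hypothetical stand-in for a security key. Private keys stay inside this object.
class SimulatedAuthenticator {
  constructor() { this.credentials = new Map(); } // rpId -> { privateKey, counter }

  register(rpId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.credentials.set(rpId, { privateKey, counter: 0 });
    return publicKey.export({ type: 'spki', format: 'pem' }); // only the public half leaves
  }

  getAssertion(rpId, clientDataJSON, pinEntered) {
    const cred = this.credentials.get(rpId);
    if (!cred) return null; // credentials are scoped to the site they were created for
    cred.counter += 1;
    const tail = Buffer.alloc(5); // 1 flag byte + 4-byte signature counter
    tail[0] = FLAG_UP | (pinEntered ? FLAG_UV : 0);
    tail.writeUInt32BE(cred.counter, 1);
    const authData = Buffer.concat([sha256(rpId), tail]);
    const toSign = Buffer.concat([authData, sha256(clientDataJSON)]);
    return { authData, signature: crypto.sign('sha256', toSign, cred.privateKey) };
  }
}

// The browser, not the page, writes the origin into clientDataJSON and derives
// the rpId (simplified here to the origin's hostname).
function browserGetAssertion(authenticator, origin, challenge, pinEntered) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin,
  }));
  const assertion = authenticator.getAssertion(new URL(origin).hostname, clientDataJSON, pinEntered);
  return assertion && { clientDataJSON, ...assertion };
}

// Relying-party checks. `rp` holds only the public key and the last seen counter.
function verifyAssertion(rp, response, expectedChallenge, requireUserVerification) {
  if (!response) return 'no-credential';
  const client = JSON.parse(response.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad-type';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'bad-challenge';
  if (client.origin !== rp.origin) return 'bad-origin';
  const { authData, signature, clientDataJSON } = response;
  if (!authData.subarray(0, 32).equals(sha256(rp.rpId))) return 'bad-rpid';
  const flags = authData[32];
  if (!(flags & FLAG_UP)) return 'no-touch';
  if (requireUserVerification && !(flags & FLAG_UV)) return 'no-user-verification';
  const toVerify = Buffer.concat([authData, sha256(clientDataJSON)]);
  if (!crypto.verify('sha256', toVerify, rp.publicKeyPem, signature)) return 'bad-signature';
  const counter = authData.readUInt32BE(33);
  if (counter <= rp.lastCounter) return 'counter-regression';
  rp.lastCounter = counter;
  return 'ok';
}

function runDemo() {
  const key = new SimulatedAuthenticator();
  // Constructed relying party; login.example.com is a placeholder.
  const rp = { origin: 'https://login.example.com', rpId: 'login.example.com', lastCounter: 0 };
  rp.publicKeyPem = key.register(rp.rpId); // registration: the service keeps the public key
  const attempt = (origin, pinEntered, requireUv) => {
    const challenge = crypto.randomBytes(32);
    const response = browserGetAssertion(key, origin, challenge, pinEntered);
    return { response, verdict: verifyAssertion(rp, response, challenge, requireUv) };
  };
  const results = {};
  results.touchOnly = attempt(rp.origin, false, false).verdict;
  results.touchOnlyWhenPinRequired = attempt(rp.origin, false, true).verdict;
  const good = attempt(rp.origin, true, true);
  results.pinAndTouch = good.verdict;
  // A look-alike origin: the key holds no credential scoped to it.
  results.lookalikeOrigin = attempt('https://login.example.net', true, true).verdict;
  // An earlier valid response does not match a fresh challenge.
  results.staleResponse = verifyAssertion(rp, good.response, crypto.randomBytes(32), true);
  return results;
}

console.log(runDemo());
```
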

Another much anticipated feature added with the YubiKey 5 series is NFC on the YubiKey 5 NFC device, allowing for a seamless and secure tap-and-go experience with mobile devices or external NFC readers.

YubiKey 5 NFC

Combining the security and usability features of FIDO2 passwordless authentication and tap-and-go NFC provides an optimal user experience, and drastically improves security and productivity. This is especially beneficial in fast-paced, dispersed working environments within sectors such as financial services, healthcare, and retail point-of-sale (POS). FIDO2 is the first open standard authentication protocol that can take tap-and-go authentication to the masses.

The YubiKey 5 Series includes: YubiKey 5 NFC, YubiKey 5 Nano, YubiKey 5C, and YubiKey 5C Nano. To determine the key that is best for you, please reference the online comparison chart, or take our YubiKey quiz!

Beginning today, YubiKey 5 Series security keys are available for purchase exclusively at Shop our store, and be one of the first to own a YubiKey 5!

Alex Yakubov

Taking strong, hardware-backed MFA where mobile phones can’t go

With security breaches becoming a growing and expensive problem, organizations are embracing identity and access management (IAM) platforms with multi-factor authentication (MFA). This technology enables organizations to address expanding security concerns and regulatory requirements within and beyond their employee base, while also reducing complexity for the end user by having as few as one identity to access all the different tools, systems, and programs required to do their jobs.

Our work with the IAM vendor community has proven there are many scenarios where mobile phone use is restricted or even prohibited for varying reasons. Call centers and hospitals, as well as high-security environments like government agencies and financial institutions, require strong authentication to protect sensitive data and assets.

For instance, call centers are tightly controlled environments from a time/work perspective. Performance control is another important aspect: the fewer distractions, the higher the throughput from staff. Arguably more important is privacy. Call centers do not allow mobile phones in an effort to protect customer data from misuse and abuse, which means another form factor becomes essential to enabling MFA.

Yubico Partner, Ping Identity, offers an Identity as a Service (IDaaS) platform called PingID. With the YubiKey and PingID together, customers receive a comprehensive hardware-backed MFA solution for both high-security and phone-free environments. The joint enterprise-wide solution offers tailored authentication policies for administrators, and at the same time, provides simple, secure access for users.

“Ping Identity’s partnership with Yubico gives an enterprise the convenience and flexibility of mobile app-based or hardware-based MFA to deliver the right level of assurance to match risk across an ever-increasing number of access points. With MFA everywhere these days, admins are looking for a way to centrally manage all MFA use cases. Native support for YubiKey helps an organization get much closer to that goal,” said Edward Killeen, Partner Marketing Manager, Ping Identity.

With PingID, admins easily define advanced authentication policies and layer strong YubiKey MFA when and where needed. This affords users the flexibility to harness hardware-backed protection at any time and from anywhere. PingID’s native support for certified YubiKey hardware and YubiOTP (One Time Password) also enables enterprises to eliminate the need to manually type codes, not only saving on time, but also improving employee productivity. A strong testament to durability and reliability, the YubiKey does not require batteries or network connectivity, so it is always on and accessible.

Using PingID and the YubiKey together helps enterprises safeguard their most sensitive data, and effectively mitigates the risk of security breaches. For more information on how PingID and the YubiKey work together, download our joint solution brief here or visit

Jerrod Chong

Yubico Extends Mobile SDK for iOS to Lightning

Earlier this year, Yubico announced a Mobile SDK for iOS to enable Yubico OTP authentication over NFC on iPhones. Today, we are pleased to announce that we are extending the Yubico Mobile SDK to enable rapid implementation of FIDO U2F over a lightning connection for iOS apps. We invite developers to join the Yubico Lightning Project to work with us to broaden authentication options for iOS applications.

The reality is, overall usage of mobile devices is on the rise. In fact, 79% of internet use is predicted to be on mobile by the end of 2018. Yubico’s goal has always been to make strong, simple online security truly ubiquitous, regardless of service, device, and/or operating system. However, making a hardware authenticator, such as the YubiKey, work in a secure and seamless way with iOS has been a challenge for us and the rest of the industry over the past few years.

We have researched and prototyped various iOS solutions and believe that NFC (near field communication) and USB are optimal communications transports for external authenticators because of security and usability. While it’s always possible that Apple may further open up support for NFC or USB interfaces in the future, this is currently limited or not accessible on today’s iOS devices.

The Yubico Lightning Project is designed to address these issues, with rollout in several phases. Phase one introduces our extended Mobile SDK for iOS, which enables developers to add U2F authentication to iOS apps via a lightning connection. This approach enables apps and services to have out-of-the-box U2F support. Following phases will be communicated in the future.

“Our customers love the security and ease of use of U2F Yubico security keys on their Keeper desktop and web app. Providing this ability to all users on their iPhone and Android devices is an amazing and exciting capability we’ll be ready to deploy as soon as it becomes available,” said Craig Lurey, CTO and Co-Founder of Keeper Security.

“Multi-factor authentication is a must for all organizations, helping to mitigate credential-based attacks and ensuring only the right people have access to the information they need to do their work. By working with companies like Yubico alongside our own MFA offering, we’re able to continue to provide organizations with options for simple, seamless ways to layer security on all of the devices the modern workforce is using today,” said Joe Diamond, Sr. Director of Security Product Marketing, at Okta.

Developers who are interested in taking advantage of strong U2F authentication for iOS apps are invited to sign up here to receive more information about the Lightning Project. We also encourage you to sign up for the Yubico Developer Program mailing list to stay updated on new developer resources as they become available.

Ronnie Manning

Let’s Meet! Catch YubiKey Demos, Developer Resources & More at Black Hat

This week, we’re headed to Las Vegas for none other than the Black Hat Expo, and we’ll be showcasing all kinds of YubiKey goodness. We’ll be at booth #463, so if you’re there stop by to say hello.

Here’s a taste of what you can expect:

Passwordless Login Demos

If you’ve been keeping up with us and the authentication space, you’ll know that a passwordless future is here thanks to the introduction of the new FIDO2 open standard.

Yubico is a core contributor to this standard, and we’ve got a device that can deliver on the passwordless login experience — the Security Key by Yubico. And you guessed it, we’ll be demoing a tap-and-go login flow (no passwords needed) at Black Hat on an Azure Active Directory environment with the Security Key by Yubico. Catch a sneak peek!

New Developer Resources

We’ve been hard at work on our recently launched Yubico Developer Program, and we’re happy to share some of our latest resources with you at Black Hat.

One of our hottest new offerings is our Mobile SDK for iOS. In case you missed it, LastPass leveraged our Mobile SDK for iOS to enable the YubiKey NEO to authenticate to the LastPass iOS app via NFC (we’ll have demos at the booth). The Mobile SDK for iOS is hosted on our developer site and open for all developers to use.

If you haven’t heard about our Developer Program, sign up for our mailing list and we’ll keep you in the loop on what’s new.

Look for me!

Featured YubiKey Integrations

Here at Yubico, we like to say, “The YubiKey works with many, many locks.” We’ve built so much power, security, and usability into one little device, and those features are built upon by all of the services and applications that support the YubiKey.

That’s why we love our technology partners so much. Keep your eyes peeled and see if you can spot the “Works with YubiKey” standees when you’re walking the show floor.

Several of our partners will have these featured at their booths and will be giving demos of their own YubiKey integrations.

If any of this sounds interesting, or even if you’d just like to meet the people behind the key, please come say hi. We’re at booth #463, and we’d love to meet you and talk all things YubiKey.

Jerrod Chong

One Step Closer to Passwordless Login with Microsoft Edge Support for FIDO2 & WebAuthn

The industry moved one step closer to passwordless login with this week’s Microsoft announcement that starting with Microsoft Edge build 17723, the browser will support FIDO2 strong first-factor and multifactor passwordless login, and second-factor authentication.

Now, with Chrome, Firefox, and Edge all engaged to support WebAuthn, we have two-thirds of all major web browsers backing this next-generation protocol. In March this year, W3C Web Authentication Working Group announced that WebAuthn reached Candidate Recommendation (CR) status, meaning with high interoperability, any browser could add support.

This is exciting news for developers, application creators, and those who want to secure their services with WebAuthn and FIDO2 to enable a passwordless login experience.

As a leading contributor and driver of the FIDO2 and WebAuthn open authentication standards, Yubico is committed to helping the larger developer community navigate implementation. Earlier this year we launched a new Developer Program to help developers rapidly integrate with these new standards. Over 1000 companies have registered to date with the program to find resources to help them become successful in integrating FIDO2. Most recently Yubico hosted an expert FIDO2/WebAuthn webinar series focused specifically on FIDO2 and WebAuthn education and deployment:

  • FIDO2 Authentication Demystified
  • FIDO2 WebAuthn Data Flows, Attestation, and Passwordless Technical Overview
  • FIDO2 WebAuthn Server Validation Technical Overview

With new WebAuthn browser support available in Edge, Chrome, and Firefox, a FIDO2 compatible hardware-based authenticator — such as the Security Key by Yubico — can replace a username and password as a much stronger form of single-factor authentication. WebAuthn still allows for second-factor authentication and also supports the use of a PIN or biometrics with both external and platform authenticators for a multi-factor passwordless login experience.

The FIDO2 momentum is strong and we encourage developers and security architects interested in the new standard to sign up for our Yubico Developer Program mailing list to stay up-to-date on workshops, webinars, implementation guides, reference code, APIs and SDKs. New content is being added on an ongoing basis with the next FIDO2 resources becoming available later this month.

For those that are still unfamiliar with FIDO2 and WebAuthn, visit our latest blog that answers some of the most common questions we’ve received about the standard so far.

(Browser market share percentage via statcounter)

Jerrod Chong

10 Things You’ve Been Wondering About FIDO2, WebAuthn, and a Passwordless World

Armed with a mission to deliver a more secure internet, Yubico has been working closely with Microsoft, Google, the FIDO Alliance and W3C to create and drive open standards that pave the way for the future of passwordless login. The FIDO2 standard is the new standard enabling the replacement of weak password-based authentication with strong hardware-based authentication using public key (asymmetric) cryptography.

FIDO2 has created quite a buzz in the security community, and as with any new technology, there’s always a bit of a learning curve. Earlier this year, we introduced our updated Yubico Developer Program to help developers get up to speed quickly with FIDO2 and WebAuthn.  

In the past few weeks, we have run a FIDO2 webinar series for developers to provide background on the FIDO2 specification and how to implement it. During the course of this webinar series, we have answered many questions about the specifics of the FIDO2 standard and WebAuthn, including how it relates to our new Security Key by Yubico, and the evolution of a passwordless world. We wanted to share the most commonly asked questions and answers, which you may also have wondered about.

Are FIDO2 and WebAuthn the same thing? If not, how are they different?

FIDO2 is comprised of two standardized components, a web API (WebAuthn) and a Client to Authenticator Protocol (CTAP). The two work together and are required to achieve a passwordless experience for login. The earlier FIDO U2F protocol working with external authenticators is now renamed to CTAP1 in the WebAuthn specifications.

With Chrome and Firefox announcing WebAuthn API and CTAP1 support as the client, and Dropbox now integrating with the WebAuthn API, this has kicked off a flurry of integration activities by other services. Most recently, Microsoft Edge released support for WebAuthn API, CTAP1 and CTAP2, making it the browser with the widest authentication support.

Is FIDO2 backwards-compatible with current YubiKey models?

The WebAuthn component of FIDO2 is backwards-compatible with FIDO U2F authenticators via the CTAP1 protocol in the WebAuthn specifications. This means that all previously certified FIDO U2F Security Keys and YubiKeys will continue to work as a second-factor authentication login experience with web browsers and online services supporting WebAuthn.

The new FIDO2 passwordless experience will require the additional functionality of CTAP2, which is currently only offered in the new Security Key by Yubico. CTAP2 is not supported in previous FIDO U2F Security Keys, the current YubiKey 4 series, or the YubiKey NEO.

Is FIDO2 considered single factor, two-factor or multi-factor authentication?

Login with a FIDO2-enabled hardware device, such as the Security Key by Yubico, offers a greater choice for strong authentication including:

  • single factor passwordless
  • two-factor (2FA)
  • multi-factor authentication (MFA)

With FIDO2, a hardware-based authenticator — such as the Security Key by Yubico — can replace a username and password as a much stronger form of single factor authentication. Users can also continue to use the Security Key by Yubico as a second factor. Finally, for added security, a FIDO2 hardware authenticator can be combined with an additional factor, such as a PIN or biometric gesture, to enable strong multi-factor authentication.

How secure is FIDO2 compared to FIDO U2F and other 2FA solutions?

Single factor login with FIDO2 offers strong authentication as a single factor. In many cases, this single factor authentication is more secure than other forms of two-factor authentication (such as SMS), as there are no secrets that can be phished remotely when using FIDO2. FIDO2 single factor uses the same strong public key cryptography with origin checking to prevent phishing just like FIDO U2F, but with the additional convenience of not needing usernames and passwords as the first factor to identify the user.

Will FIDO U2F become obsolete with the expansion of FIDO2?

FIDO2 WebAuthn is backwards compatible with FIDO U2F authenticators, so over time, we expect FIDO2 will subsume FIDO U2F.

Is there an option to use FIDO2 in conjunction with an additional factor such as a PIN or biometrics? Is this recommended?

Hardware authenticators supporting CTAP2 can add user verification by requiring users to use a PIN or biometric to unlock the hardware authenticator so it can perform its role. This preference is primarily dependent on the implementor’s threat vectors as well as use cases. For example, a large banking institution may want to consider the use of a PIN in conjunction with a security key for a higher level of assurance, while a warehouse-based shared kiosk environment may not.

The Security Key by Yubico is enabled with the full CTAP2 specs, and is fully enabled to support several passwordless experiences including single factor touch-and-go using the hardware authenticator (no need for a username) as well as use of a PIN with touch of the hardware authenticator.
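The origin checking and the PIN-backed user verification described in the answers above reach the service as a handful of fields it has to check on every login. The following is an added example, not Yubico's code, of those relying-party checks in Python; the `example.com` values, the sample builder and the function names are constructed for illustration, and signature verification is left to the caller.

```python
import hashlib
import json
import struct
from base64 import urlsafe_b64encode

FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: PIN or biometric was checked on the device


class AssertionRejected(Exception):
    """Raised when an assertion fails a relying-party check."""


def b64url(data: bytes) -> str:
    return urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_assertion_fields(client_data_json, auth_data, *, challenge, origin,
                           rp_id, require_uv, stored_count):
    """Run the field checks that accompany signature verification.

    Returns the new signature counter to store, or raises AssertionRejected.
    The caller must still verify the signature over
    auth_data + SHA-256(client_data_json) with the registered public key;
    that step needs an ECDSA library and is not shown here.
    """
    try:
        client = json.loads(client_data_json.decode("utf-8"))
    except ValueError as exc:  # covers bad UTF-8 and bad JSON
        raise AssertionRejected("clientDataJSON is not valid UTF-8 JSON") from exc
    if not isinstance(client, dict):
        raise AssertionRejected("clientDataJSON is not an object")
    if client.get("type") != "webauthn.get":
        raise AssertionRejected("wrong ceremony type")
    if client.get("challenge") != b64url(challenge):
        raise AssertionRejected("challenge mismatch")
    # The browser, not the page, writes the origin. Exact match only:
    # no prefix, suffix or substring comparison.
    if client.get("origin") != origin:
        raise AssertionRejected("origin mismatch")

    if len(auth_data) < 37:
        raise AssertionRejected("authenticator data too short")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    (count,) = struct.unpack(">I", auth_data[33:37])
    if rp_id_hash != hashlib.sha256(rp_id.encode("utf-8")).digest():
        raise AssertionRejected("rpIdHash mismatch")
    if not flags & FLAG_UP:
        raise AssertionRejected("user presence flag not set")
    # The PIN never leaves the device; the service only sees this one bit.
    if require_uv and not flags & FLAG_UV:
        raise AssertionRejected("user verification flag not set")
    # A counter that fails to advance suggests a replayed or cloned credential.
    if (count or stored_count) and count <= stored_count:
        raise AssertionRejected("signature counter did not increase")
    return count


# Constructed sample values; a real service issues a fresh random challenge per login.
RP_ID = "example.com"
ORIGIN = "https://example.com"
CHALLENGE = bytes(range(32))


def sample_assertion(origin=ORIGIN, flags=FLAG_UP | FLAG_UV, count=8):
    """Build constructed clientDataJSON and authenticator data for the demo."""
    client = {"type": "webauthn.get", "challenge": b64url(CHALLENGE),
              "origin": origin}
    auth = (hashlib.sha256(RP_ID.encode("utf-8")).digest()
            + bytes([flags]) + struct.pack(">I", count))
    return json.dumps(client).encode("utf-8"), auth


def verdict(client_data_json, auth_data, require_uv=True, stored_count=7):
    """Return a one-line accept/reject result for the sample service."""
    try:
        new = check_assertion_fields(
            client_data_json, auth_data, challenge=CHALLENGE, origin=ORIGIN,
            rp_id=RP_ID, require_uv=require_uv, stored_count=stored_count)
    except AssertionRejected as exc:
        return f"rejected: {exc}"
    return f"accepted, counter={new}"


if __name__ == "__main__":
    print(verdict(*sample_assertion()))                                  # genuine site
    print(verdict(*sample_assertion(origin="https://example.com.login.test")))  # lookalike
    print(verdict(*sample_assertion(flags=FLAG_UP)))                     # touch, no PIN
    print(verdict(*sample_assertion(count=7)))                           # stale counter
```

A shared-kiosk deployment like the one mentioned above would call the check with `require_uv=False`, while the banking case would keep it `True`.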

What’s the difference between a PIN and password?

As stated above, one of the allowances with FIDO2 is the option to combine hardware-based authentication with an additional factor such as a PIN. This has many of you wondering, “Well, isn’t that the same as needing to remember a password?”

A PIN is actually different than a password. The purpose of the PIN is to unlock the Security Key so it can perform its role. A PIN is stored locally on the device, and is never sent across the network. In contrast, a password is sent across a network to the service for validation, and that can be phished. In addition, since the PIN is not part of the security context for remotely authenticating the user, the PIN does not need the same security requirements as passwords that are sent across the network for verification. This means that a PIN can be much simpler, shorter and does not need to change often, which reduces concerns and IT support loads for reset and recovery. Therefore, the hardware authenticator with a PIN provides a passwordless, phishing-resistant solution for authentication.

How does FIDO2 affect a company’s password policy of replacing passwords every 90 days?

With FIDO2, there’s no need to replace passwords, as there are no passwords required.

For those combining a hardware authenticator with a PIN, it’s important to note that PINs do not demand the same security requirement as a password. A PIN and a password are different. Since a PIN is not part of the security context for remotely authenticating the user (the PIN is not sent over the network for verification), it can be much simpler and less complex than a password, and does not need to be changed with the same frequency (or at all), which eases enterprise concerns about PIN reset and recovery.

What services provide support for FIDO2? When can we expect additional services to roll out support?

Chrome, Firefox, and Dropbox have implemented support for WebAuthn second-factor login flow. Beginning with build 17723, Microsoft Edge now supports the candidate release version of WebAuthn. This latest version of Edge is able to support FIDO2 strong single factor and multi-factor authentication, in addition to the second factor. The Yubico Developer Program offers comprehensive resources for those interested in adding support for FIDO2.

What if I lose my Security Key by Yubico? Without a password, am I locked out of my account?

Best practice is always to ensure that you have a backup Security Key in place, should you misplace your primary device. The Security Key by Yubico contains no identifiable information, so if it were to be found, it could not immediately be used to log in without knowing the identity of the owner and to which accounts it is registered. The reality is that the primary attack vector for consumers and enterprises is remote account takeover — whether by credential theft, phishing scams, or man-in-the-middle attacks. FIDO2 and the Security Key by Yubico are specifically designed to protect against these types of threats.

For those who are concerned with physical threats, the option is there to require multi-factor authentication using a PIN for additional protection. That way, if someone obtains a stolen Security Key, they will still need to know which accounts it is registered with, and also have access to your additional factor (PIN) to be able to log in.

A significant benefit of an open authentication standard is that the number of implementations is limitless. Microsoft Edge, Google Chrome and Mozilla Firefox, working as the client, and Dropbox, working as the service, have all announced WebAuthn support, with many more in the works. We’re well on our way to the future of passwordless login!

Do you want to be a part of the future of passwordless login?

If you are a developer who is interested in adding support for FIDO2, sign up for our Developer Program mailing list to stay up-to-date on workshops, webinars, implementation guides, reference code, APIs and SDKs. Also, our series of FIDO2 virtual events is now available for on-demand viewing.

If you’d like to read more about FIDO2, check out our recent blog post, “What is FIDO2?”

Alex Yakubov

Accountants Protecting Sensitive Data and Yubico Developer Program Updates

We just received some stats from our friends over at QuickBooks—the number of apps used by the Small Business Market is projected to grow threefold in the next few years. The QuickBooks Online Community is comprised of more than 3.2 million small businesses, 200 thousand accountants/bookkeepers, and thousands of 3rd party app developers. That’s a lot of apps and accounts with access to sensitive data!

With similar visions and missions targeted at developers, it’s about time we joined forces to share tips and resources across communities. Join Yubico and Intuit’s David Leary, host of the Intuit Developer Friday Morning Hangout, this Friday at 9am PT for a chat about YubiKeys and why security is vital to the QuickBooks Online Ecosystem of small business owners, accountants, bookkeepers, and 3rd party app developers.

Check out this video to learn more about the QuickBooks Online Ecosystem and APIs:

Yubico Developer Program Updates

The Yubico team is continuously improving the Yubico Developer Program with input and feedback received directly from our community members. We appreciate hearing from so many of you since announcing our revamp plans earlier this year. Top requests include more instructional content, code samples in additional languages, a path to obtain early access to alpha/beta hardware, guidance on how to connect with other developers, and general clarity on the developer program. We’re actively working on each of these areas and look forward to your continued feedback and input.

In case you missed it: We recently hosted three instructional webinars on FIDO2, which you can view on demand here. Also, today, we expanded our mailing list to include the option to select the types of email communications you choose to receive from us. The different sub-categories include a Developer Program Updates newsletter, product announcements, surveys, event invitations, and alpha/beta program invitations. Fear not — this doesn't mean we're going to email you at all hours of the day. It's important to us that you only receive the types of communications you care about most.

You can join the Yubico Developer Program mailing list here. Shortly after, you'll receive a welcome email and the ability to manage your email preferences. View a copy of our July Newsletter here.

Curious about the Yubico Developer Program? Learn more here and check out our developer site, including how to connect with the Yubico developer community.

Stina Ehrensvard

The Key to Trust

As the principal inventor behind both the Security Key and U2F protocol, we are true supporters of open standards. To realize our mission of making secure login ubiquitous, we designed the original Security Key, and provided the majority of the open source code and test tools for FIDO U2F and the latest version of the standard, FIDO2, which offers a passwordless experience.

Innovation is core to all we do, and as the ecosystem continues to mature, U2F and FIDO2 functionality will come in many different form factors, communications methods (USB/BLE/NFC) and features, from Yubico and others.

Over the past several years, Google has deployed hundreds of thousands of FIDO U2F-enabled Yubico devices internally with amazing results. Today, Google released their own version of a security key, and while we have been asked whether we were part of this production, these devices are not manufactured by Yubico.

Yubico strongly believes there are security and privacy benefits for our customers by manufacturing and programming our products in the USA and Sweden.

Google’s offering includes a Bluetooth (BLE) capable key. While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability. BLE does not provide the security assurance levels of NFC and USB, and requires batteries and pairing that offer a poor user experience.

Yubico is a believer in NFC, and the YubiKey NEO design has proven at scale to deliver a superior contactless user experience for U2F.  Also, Yubico will soon announce another secure and user friendly solution for iOS.


The FIDO U2F and FIDO2 standards work has been a long, challenging and inspiring journey convincing and engaging all leading platforms and browsers to subscribe to the Yubico mission: to make secure login easy and available for everyone.  

U2F is just one tool in the YubiKey toolbox. Today, the majority of our customers use our multi-function YubiKeys across multiple applications, services, and operating systems. In addition to FIDO U2F, we offer smart card (PIV), Yubico OTP, OpenPGP, and OATH-HOTP/TOTP, in a single device, over both USB and NFC, as well as in USB-C form factors. 

Yubico continues to work closely with Microsoft, Google and the global open standards community on FIDO2, the passwordless evolution of U2F. This next-generation standard enables the option to use a security key as a single factor, with an optional PIN or biometrics on the user device, removing the need for service providers to store and manage passwords.

We will continue to create market defining authentication products, which we are currently demonstrating at Google Cloud Next, booth #S1426. We welcome you to join us.

Ronnie Manning

5 Simple Ways to Get Started with Your YubiKey

What are your go-to apps? There are several applications and services that many of us use weekly, and in most cases, daily — Gmail, Facebook, Dropbox, a password manager — and the good news is that all of these support the YubiKey for strong authentication. And now, there is one more to add to the list!   

As of last month, Twitter users can now protect their accounts with FIDO U2F two-factor authentication using a YubiKey or Security Key by Yubico. This new feature is now available to all 328 million of Twitter’s monthly active users for both personal and business accounts.

Twitter has some simple set up instructions here for using on your computer. Once you register your YubiKey with Twitter, you will be required to present the key each time you login to your account in the future. It will ask for your username and password, and then it will ask for your YubiKey. Just insert the YubiKey into your computer’s USB port and after it starts blinking, tap it.

The YubiKey NEO is our mobile-friendly device that is equipped with near field communication (NFC). This works by just tapping the YubiKey NEO to the back of your phone. However, Twitter does not yet have support for the YubiKey in their mobile app, but we hope that this will be a feature they add in the near future.

The YubiKey is great for protecting against remote hackers trying to access your account, but you may be thinking, “What if I forget my key?” Twitter has it set up for you to have a backup form of two-factor authentication on your account as well. For example, you could use Google Authenticator or our Yubico Authenticator app to set up your backup on a second YubiKey. These forms of authentication will also be useful for mobile users. That way, you can use a YubiKey on your computer and an authenticator app for your phone.

Best practice is to have multiple YubiKeys set up for your accounts. One on your keychain, or one in your wallet, or one in a safe place at home will help to make sure you’ve always got a backup YubiKey nearby. Many services let users set up multiple YubiKeys with their account for this very reason. Twitter only allows one key at the moment. If you want more than one YubiKey on your Twitter account, or would like to have YubiKey support on mobile, help us out by sending a tweet to tell them what you’d like to see.

One of the best features of the YubiKey is that you can use just one key for any number of services and accounts. Here are the instructions on how to quickly get your other accounts secured with a YubiKey:

Google: Fun fact. Google was the first web service to support the use of U2F and YubiKeys. See how to get started with Google and the YubiKey here.

Facebook: Don’t make the mistake of overlooking the need to protect this social media account. Facebook contains a lot of personally identifiable information that can be used to advance a hacker’s efforts. See how to get started with Facebook and the YubiKey here.

Dropbox: Whether you’re sharing vacation photos or business documents, make sure your files stay safe from prying eyes. See how to get started with Dropbox and YubiKey here.

Password Managers: Did you know that the YubiKey works with 17 password managers? See how to get started with your favorite password manager and the YubiKey here.

Don’t see one of your favorites? Don’t worry. We have plenty of other services — for individual users and businesses — that support the YubiKey. You can see the full list here.

If you’d like to get started using a YubiKey, head over to the Yubico store to shop for the key that suits you best!

Ronnie Manning

Stina Ehrensvard Wins 2018 Female Executive of the Year

Today, we are excited to announce that Yubico’s CEO and Founder, Stina Ehrensvard, was named Female Executive of the Year by the Women World Awards for the second year in a row!

This news comes on the heels of several major announcements that we’ve shared over the past few weeks — YubiKey for iOS, FIPS 140-2 YubiKey Series, Andreessen Horowitz investment, FIDO2 passwordless logins — and we couldn’t be happier to keep the momentum going by celebrating Yubico’s founder and the milestones we’ve achieved together.

The Women World Awards are an annual industry and peers recognition program honoring women in business and the professions and organizations of all types and sizes from around the world. The program encompasses the world’s best in leadership, innovation, organizational performance, and new products and services from every major industry in the world.

The Female Executive of the Year category highlights individual women whose accomplishments in the last year set an impressive standard for the company as well as industry norms. Stina was selected as the Gold Winner in this category due to her significant contributions and innovations to advance the current state of internet security. Most notably, Yubico’s work in developing FIDO2 and driving new paths for the next generation of online security: passwordless logins.

“It’s an honor to be named a winner by Women World Awards,” said Stina. “These awards are an encouraging reminder that each year, Yubico is one step closer to seeing our vision of a safer internet for all become a reality. I’m proud of everything the Yubico team has done to get us there, and has been able to accomplish over the last year.”

To read more about Stina’s entrepreneurial journey and Yubico’s mission, check out her recent interview with Compelo magazine.

Jerrod Chong

Now available! FIPS 140-2 validated YubiKey series

Today, we’re excited to announce the certification and availability of our YubiKey FIPS series, the first multi-protocol FIPS 140-2 validated security keys.

FIPS 140-2 is a US government computer security standard, published by the National Institute of Standards and Technology (NIST), that covers the use of cryptographic functionality such as encryption, authentication, and digital signatures. The FIPS 140-2 validated YubiKeys meet the most stringent security requirements of US federal agencies.

The YubiKey FIPS Series includes keychain and nano form-factors for USB-A and USB-C interfaces.

The YubiKey FIPS series uses the YubiKey 4 Cryptographic Module, which received FIPS 140-2 validation at Overall Level 2, Physical Security Level 3, with certificate number 3204. At this level, the YubiKey FIPS series meets Authenticator Assurance Level 3 (AAL3) as defined in NIST SP800-63B, which enables compliance with Federal Risk and Authorization Management Program (FedRAMP) and Defense Federal Acquisition Regulation Supplement (DFARS) requirements.

FIPS certification is essential for many branches of the US government and contractors, in addition to those in the private sector that collect and transmit sensitive but unclassified (SBU) information.

The YubiKey FIPS Series hardware authentication devices include keychain and nano form-factors for USB-A and USB-C interfaces. The YubiKey FIPS Series is the only FIPS validated multi-protocol security key in the market supporting five authentication protocols: FIDO U2F, smart card (PIV), Yubico OTP, OpenPGP, and OATH-HOTP/TOTP. Now, federal entities and federal-compliant enterprises can comply with the high assurance security requirements for on-premise or cloud deployments using the YubiKey FIPS Series.

Companies including Google, Facebook, Salesforce and thousands more trust the YubiKey to protect account access to computers, networks and online services. Now, we are able to deliver the same simple, trusted protection as a FIPS validated solution.

For more information and technical details on the new product line, visit the YubiKey FIPS page. Starting at $46, YubiKey FIPS Series security keys are available now for purchase online at the Yubico store or by contacting Yubico Sales.

WebUSB in Google Chrome and Responsible Disclosure

Authored by Venkat Venkataraju & Jesper Johansson

Yubico Blog Update and Statement – 6/18/18

On June 13, 2018 we published this blog post and security advisory regarding WebUSB issues in Chrome. In hindsight we realize that we did not give enough credit in our blog post and security advisory to the foundational work done by Markus Vervier and Michele Orrù, who highlighted and demonstrated the first security vulnerability in WebUSB at OffensiveCon, and which was subsequently written up in a WIRED article. After posting, we communicated with them, apologized for this, and made updates to the blog post and security advisory to make sure proper credit was given.

Building on the publicly available information about work by Markus and Michele described in the article, Yubico investigated the issue and developed our own proof of concept (PoC) test tools. In the process we discovered additional issues with WebUSB and began outreach with Google on March 1st. Yubico first spoke with the researchers on March 2nd. The formal bug report which Yubico submitted to Google on March 5th, referenced the OffensiveCon talk by Markus and Michele and their original public announcement of the CCID issue in the first sentence. We submitted this privately to protect our customers and the broader U2F ecosystem.

Markus and Michele’s research provided a critical foundation, and we made a mistake by not clearly acknowledging them for their original research in our security advisory. We learned only on June 13, after we published our advisory, that Markus and Michele also discovered and reported HID issues to Google. We understand that better communication after the issue was fixed would have ensured that all parties were in sync, and will use this as an opportunity for improvement.

Yubico has always strived to be transparent and we regret the missed opportunity to work more collaboratively with Markus and Michele. Historically, Yubico has worked closely with security researchers across the globe and we are committed to continue to do so.

————-end update—————–

To improve the entire security ecosystem, Yubico is a strong believer in responsible disclosure practices. We believe that the best outcome happens when security researchers confidentially provide research and reporting to an impacted company, so a fix can be in place before any public disclosure to help protect users from the exploitation of the vulnerability.

This year, Yubico worked with Google under responsible disclosure to address WebUSB vulnerabilities in Google Chrome that affected the entire ecosystem of FIDO U2F authenticators, manufactured by Yubico as well as other vendors.

The original issue first surfaced in a news article in March 2018 describing how security researchers Markus Vervier and Michele Orrù had demonstrated how to circumvent the FIDO U2F origin check using WebUSB functionality in Google Chrome and the YubiKey NEO’s USB CCID U2F interface.

Once Yubico was informed of the CCID issue, our own researchers quickly discovered there was a broader set of security concerns within WebUSB that affected the entire ecosystem of FIDO U2F authenticators. To help protect the U2F ecosystem, we disclosed these issues to Google in early March and worked closely with their engineering teams on a mitigation plan to address this issue and secure all U2F customers.

With the May 29, 2018 release of Chrome 67, Google fixed the WebUSB vulnerability and the issue could no longer affect any (Yubico or other) U2F authenticators. To read the detailed report of the WebUSB issue in Chrome, please visit our Security Advisories page for full analysis.  

For this research and disclosure, Google awarded Yubico a bug bounty in the amount of $5,000, which Yubico has opted to donate to charity. Yubico chose Girls Who Code, a non-profit that aims to support and increase the number of women in computer science. Additionally, Google has matched the donation with another $5,000, resulting in a $10,000 donation to Girls Who Code, to further support efforts at increasing diversity in our field.

The security ecosystem is only as strong as the weakest link and if we, as a community of vendors and security researchers effectively and respectfully work together, we can secure not only end users, but the entire ecosystem from continually evolving threats.  

For the protection of everyone, we encourage all researchers to responsibly disclose any discovered security concerns to the affected company so they may implement a fix before any public disclosure. To contact the security team at Yubico please email

June 13th Update:
We were just made aware that the original researchers reported the Windows HID issue to Google around the same time we submitted it to Google. We were not aware of this at the time; we independently discovered it while investigating the public CCID issue, and followed standard responsible disclosure practices by sending all our findings, including the Windows HID issue, only to the affected vendor in order to afford maximum protection for the ecosystem.


Alex Yakubov

Yubico showcases FIDO2 at InfoSecurity Europe 2018

We’re gearing up for Europe’s biggest information security event of the year: InfoSecurity Europe 2018. Following our announcement with Microsoft at RSA 2018, we’re excited to showcase in Europe the new use cases made possible by the FIDO2 standard, including passwordless single factor, second factor and multi-factor authentication. Come see the new Security Key by Yubico in action at booth J120 at Olympia London from June 5 to 7. Yubico will be demonstrating passwordless login on Windows 10 and the latest iOS mobile offering with LastPass.

Along with the recent announcement of our new FIDO2-enabled security key, we introduced a new Yubico Developer Program with a FIDO2 track. InfoSecurity Europe attendees (and those who are reading this blog) can sign up for early access to resources to support implementation of FIDO2, including the first How-to FIDO2 webinar scheduled for June 14.

Also, joining us in the exhibit hall are five Yubico Technology Partners. Stop by the Yubico booth to learn about these valuable partnerships. We also encourage you to visit their booths, see what they have to offer, and the integration of the YubiKey with their services!


Not attending the event? Learn more about these partnerships by clicking the logos.

Ronnie Manning

Yubico Lands a16z Investment and Grows Board of Directors

Today, Yubico is proud to announce its latest round of investment from Andreessen Horowitz (a16z). a16z is supporting Yubico’s mission to create a safer internet for everyone by providing ubiquitous secure access to computers, networks and servers. The company has been growing with profits over the last six years, and funds from the new investment will be used for scaling engineering, product and development teams.

In addition to company backing, Martin Casado, general partner for a16z, will be joining the Yubico board of directors. With an extensive background in computer science, software-defined networking, and security, Martin will support the company in a rapid growth phase, helping Yubico scale as the hardware root of trust for users and servers as we move toward the passwordless future.

“Internet security is an area I’m personally very passionate about and I’m a true believer in the Yubico vision and approach. I’m thrilled to be joining the board and working with the team on this journey forward,” said Casado.

The YubiKey is the authenticator of choice for thousands of business customers and millions of users in more than 160 countries, including a16z, who currently deploy YubiKeys to every employee. This decision was made prior to the investment in Yubico, as a16z determined that the YubiKey was the most secure approach for protecting accounts and sensitive company data.  

Yubico CEO and Founder Stina Ehrensvard worked with Martin Casado on the a16z Podcast episode ‘The State of Security’ from earlier this year to provide insight into the crossroads of software and hardware in the security space. Specifically, Stina spoke about the increasingly important role of authentication  in a world where we hear of new data breaches and stolen user credentials on a daily basis.

Previous Yubico investors include NEA and renowned Silicon Valley entrepreneurs Marc Benioff, CEO of Salesforce, and Ram Shriram, Yubico Chairman and Google founding board member.

Stina Ehrensvard

What is FIDO2?

Last month, open authentication standards reached an important milestone; Microsoft launched support for FIDO2 and CTAP, and the World Wide Web Consortium (W3C) won approval for WebAuthn. Since then, Yubico has received questions on how these efforts are related, what role FIDO U2F and Yubico have in the mix, and what organizations can implement now — and in the future — to enable simple, strong authentication for employees and end-users. This blog will bring some clarity to those questions.

What is the difference between FIDO U2F and FIDO2?

U2F was developed by Yubico and Google, and contributed to the FIDO Alliance after it was successfully deployed for Google employees. The protocol is designed to act as a second factor to strengthen existing username/password-based login flows. It’s built on Yubico’s invention of a scalable public-key model in which a new key pair is generated for each service and an unlimited number of services can be supported, all while maintaining full separation between them to preserve privacy.

Essentially, FIDO2 is the passwordless evolution of FIDO U2F. The overall objective for FIDO2 is to provide an extended set of functionality to cover additional use-cases, with the main driver being passwordless login flows. The U2F model is still the basis for FIDO2 and compatibility for existing U2F deployments is provided in the FIDO2 specs.

What is WebAuthn & CTAP?

A new, extensible web authentication API, called WebAuthn, has been developed within W3C, which supports both existing FIDO U2F and upcoming FIDO2 credentials.

The FIDO U2F client-side protocol has been renamed CTAP1, and a new, extensible client-to-authenticator protocol (CTAP2) has been developed to allow for external authenticators (tokens, phones, smart cards etc.) to interface with FIDO2-enabled browsers and operating systems.

WebAuthn and CTAP2 are both required to deliver the FIDO2 passwordless login experience, but WebAuthn still supports FIDO U2F authenticators, since CTAP1 is also part of the WebAuthn specification.

How can organizations deploy FIDO2?

So, what can organizations do if they are aiming to provide support for FIDO2? We recommend adding support for WebAuthn, as it works with both existing FIDO U2F authenticators and FIDO2 authenticators.

Mozilla Firefox 60 recently added support for WebAuthn, Chrome 67 will be shipping with WebAuthn support in the near future, and Microsoft has already announced they will support WebAuthn in Edge browsers. The U2F web API continues to work for U2F authenticators, but is limited to the Chrome and Opera browsers.

To evaluate WebAuthn with FIDO U2F and FIDO2 authenticators today, Yubico offers a test service at, and soon we will provide more complete open source FIDO2 servers on GitHub. Organizations can sign up for updates from the Yubico Developer Program to get information on FIDO2 and WebAuthn resources.
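For a service adding WebAuthn support, the sketch below shows the server-side checks that tie a login assertion to the service's own origin, challenge and relying-party ID. It is an added example, not Yubico's server code; the relying-party ID, origin and sample assertions are constructed placeholders, and the signature check is only noted in a comment because it needs an ECDSA library.

```python
import base64
import hashlib
import hmac
import json
import struct

# Assumed relying-party configuration (placeholder values, not from the article).
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"

FLAG_UP = 0x01  # user present (key was touched)
FLAG_UV = 0x04  # user verified (PIN or biometric)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    issued_challenge: bytes, stored_sign_count: int,
                    require_uv: bool = False) -> int:
    """Check the context of a WebAuthn assertion; return the new counter.

    The caller must ALSO verify the authenticator's signature over
    authenticator_data || SHA-256(client_data_json) with the public key
    stored at registration. Without that step these fields prove nothing.
    """
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    # Replay protection: the challenge must be the one this session issued.
    received = b64url_decode(client_data.get("challenge", ""))
    if not hmac.compare_digest(received, issued_challenge):
        raise ValueError("challenge mismatch")
    # Phishing protection: the browser, not the page, fills in the origin.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        raise ValueError("origin mismatch")

    # Authenticator data: rpIdHash (32) | flags (1) | signCount (4, big-endian)
    if len(authenticator_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = authenticator_data[:32]
    flags, sign_count = struct.unpack(">BI", authenticator_data[32:37])
    expected_hash = hashlib.sha256(RP_ID.encode("utf-8")).digest()
    if not hmac.compare_digest(rp_id_hash, expected_hash):
        raise ValueError("rpIdHash mismatch")
    if not flags & FLAG_UP:
        raise ValueError("user presence flag not set")
    if require_uv and not flags & FLAG_UV:
        raise ValueError("user verification required")
    # A counter that fails to increase can indicate a cloned authenticator.
    if (sign_count or stored_sign_count) and sign_count <= stored_sign_count:
        raise ValueError("signature counter did not increase")
    return sign_count


def build_sample(origin, challenge, rp_id=RP_ID, flags=FLAG_UP, sign_count=6):
    """Build constructed (not captured) clientDataJSON and authenticator data."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode("utf-8")
    auth_data = (hashlib.sha256(rp_id.encode("utf-8")).digest()
                 + struct.pack(">BI", flags, sign_count))
    return client_data, auth_data


def verdict(client_data, auth_data, issued_challenge, stored_sign_count):
    try:
        count = check_assertion(client_data, auth_data,
                                issued_challenge, stored_sign_count)
        return "accepted, counter=%d" % count
    except ValueError as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    challenge = b"constructed-challenge-1"
    cases = {
        "genuine login": build_sample(EXPECTED_ORIGIN, challenge),
        "lookalike origin": build_sample("https://login-example.test", challenge),
        "stale challenge": build_sample(EXPECTED_ORIGIN, b"older-challenge"),
        "counter not increased": build_sample(EXPECTED_ORIGIN, challenge,
                                              sign_count=5),
    }
    for label, (cd, ad) in cases.items():
        print(label, "->", verdict(cd, ad, challenge, 5))
```
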

So, what’s our role in all of this?

From Yubico’s perspective, we’re proud and pleased to see our vision of one single security key to any number of services become a reality. We’ve watched this vision progress from our launch of the first YubiKey in 2008, to early U2F development in 2011, to the launch of FIDO2 in 2018.

With WebAuthn providing a seamless evolution from U2F to FIDO2, and with upcoming support for built-in authenticators and additional use-cases, WebAuthn becomes the center of a ubiquitous ecosystem for authentication.

Our mission has always been to drive standards and adoption by providing technical specifications, open source components, and developer tools; and to be the gold standard for authenticators. With the open standards ecosystem growing, we see the vision of providing strong authentication for everyone coming true.

Interested in exploring FIDO2 and passwordless login? Get started today with the Security Key by Yubico.

Ronnie Manning

YubiKey comes to the iPhone with Mobile SDK for iOS and LastPass support

It’s a question that we receive often, ‘so how does the YubiKey work with iPhone?’ Until now, the answer to that question has been a bit unclear because of limited support for NFC in iOS. But today, we have a clear answer: YubiKey iOS support is here, now, with two exciting pieces of news.

For application developers, we are introducing a new Mobile SDK for iOS that allows any iOS mobile app to rapidly add support for hardware-based two-factor authentication (2FA) using YubiKey OTP over NFC. Second, LastPass, one of our longest and most prominent integrations, has released the latest version of its password management app with fully integrated support for the YubiKey NEO over NFC on iOS. This was completed using our Mobile SDK for iOS, but we’ll share more on this milestone a little later.

A user authenticates to their LastPass app on iPhone using a YubiKey NEO over near field communication (NFC).

The launch of iOS 11 last year saw Apple provide support for NFC tag reading, which allowed developers to build apps with one-time passcode (OTP) support. Given that the YubiKey NEO can generate an OTP and send it to the requesting app via NFC, it became possible to authenticate with Yubico one-time password (Yubico OTP) with a YubiKey NEO — a feature requested by many YubiKey users. However, documentation and reference code for developers to add this support to applications was lacking and unnecessarily complicated.

To help mobile application developers simplify rollouts and deliver on this functionality, Yubico created the Mobile SDK for iOS. It’s available now for download and is also part of the Yubico Developer Program mobile track, and provides developers all the necessary tools to rapidly up-level their iOS mobile app security with Yubico OTP.

By introducing YubiKey hardware-based authentication via NFC to iPhone applications, users no longer need to toggle between apps and temporarily memorize a throwaway code before it expires. Now users can just tap the YubiKey to authenticate, which is four times faster than typing in an OTP! Not to mention, users and app developers no longer have to run the risk of potential security and reliability issues by relying on SMS or mobile authentication.

LastPass iOS App Supports Yubico OTP via NFC

The LastPass password manager remains one of the most popular YubiKey integrations for Yubico OTP, and the application has supported NFC on Android devices for many years.

Today, LastPass is the very first password manager application on iOS to enhance its security with Yubico OTP authentication through NFC. This means that LastPass users with iPhone 7 or above, running iOS 11 and above, can now authenticate to their LastPass Premium, Families, Teams, or Enterprise accounts on their mobile device with the same YubiKey NEO that they use for their desktop or laptop. Users will touch the YubiKey NEO to the iPhone to wirelessly transfer a Yubico OTP and securely authenticate to the application.

“LastPass has long supported YubiKey as a multi-factor authentication option for adding an extra layer of security to LastPass accounts and values the partnership we have with the Yubico team,” said Akos Putz, Principal Product Manager for LastPass at LogMeIn. “With the new mobile SDK for iOS, our customers now benefit from the strength and security of hardware-backed YubiKey 2FA with the support for our iOS app.”

For current LastPass users, the iOS application will receive an automatic update (version 4.2.7) via the App Store and you can set up YubiKey in your account settings. If you’re an iPhone user, you can download the latest version of LastPass here and for further instructions on setup, visit here.

We applaud LastPass for supporting this milestone leap in YubiKey mobile app authentication for iPhones and iOS. With this announcement, the YubiKey now provides simple and secure authentication for all leading mobile platforms including Android, Windows mobile, and iOS. Find out more about our new Mobile SDK for iOS here.

UPDATE (09/25/18): LastPass also supports the YubiKey 5 NFC over NFC for iOS. Read their announcement here.

John Bradley

New NIST Authentication Guidelines for Public Safety and First Responders

Over the past few months, Yubico has been working closely with the U.S. National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) to improve mobile authentication methods for public safety professionals and first responders. Today, we’re happy to share that this guidance is now available in the form of a three-volume draft practice guide: NIST Special Publication 1800-13, Mobile Application Single Sign-On: Improving Authentication for Public Safety and First Responders.

This has been an important project for Yubico and the NCCoE as simple, secure access to critical data can often be a matter of life or death in an emergency response scenario. In high-alert situations, first responder and public safety personnel are often dispatched in the field and are heavily reliant on mobile platforms to access data in real-time that’s needed to deliver proper care. This data may include personally identifiable information (PII), law enforcement sensitive information, or protected health information (PHI), and it is imperative that access to this type of information is highly protected. However, complex and cumbersome authentication requirements that cause even the slightest delay in the emergency response process can put an individual’s life at risk.

To mitigate the security and access challenges for public safety and first responder personnel, the NCCoE collaborated with several technology vendors, including Yubico, to develop mobile authentication requirements and implement a reference design that assembles commercially available technologies that support the following open standards:

Yubico was a core contributor to this process. The reference implementation, which is documented in the practice guide, uses the NFC-enabled YubiKey (YubiKey NEO) in combination with Federation technology OpenID Connect to strongly secure user access to sensitive applications, improve usability and efficiency of user account management, and share identities across organizational boundaries.

It was recognized early on in the project that reliance on passwords alone can expand the scope of a single data compromise from one service to multiple services due to password reuse. The use of FIDO U2F for authentication provides protection beyond the password, and eliminates problems with social engineering, man-in-the-middle attacks, replay attacks, and phishing, which all present real threats to password-based and OTP-based (SMS, mobile push) authentication systems.

The following diagram from the NCCoE practice guide illustrates the recommended authentication flow for a native app on an Android device using standards-based technologies such as OAuth 2.0, OpenID Connect / SAML, and FIDO U2F with the YubiKey as the trusted second factor.

The OAuth 2.0 for native apps specification requires that applications use a system browser for making authorization requests. This allows a Software-as-a-Service (SaaS) provider, such as Motorola Solutions or GIS, to redirect authentication back to the user’s agency or enterprise via a standard authentication protocol such as OpenID Connect or SAML.

Using the system browser also enables the built-in operating system (OS) support for FIDO U2F authentication to be used without requiring special support in the native apps. This allows a generic SaaS application to support thousands of different identity providers, and different types of external FIDO U2F multi-factor authenticators (like the YubiKey) within a single native application. This avoids having to customize native apps for each organization and instead, allows the reuse of generic components that can make these systems available to even the smallest of organizations.

The combination of FIDO, OAuth, and SAML/OpenID Connect has been shown to be a robust and flexible solution for public safety use cases. In fact, one of the collaborators in the practice guide, Motorola Solutions, has incorporated this model into their commercial product PSX Cockpit, which is currently being deployed in a number of verticals.

From an end user perspective, these standards-based technologies are delivering a simple touch-and-go experience while maintaining the highest levels of security. To access sensitive data within a mobile application, first responder personnel will only require an NFC- and FIDO U2F-enabled hardware authentication device such as the YubiKey NEO. By simply touching the device to their phone, they will be securely authenticated to the app within seconds.

This particular project with NCCoE targets a first-responder use case; however, the practice guide is equally applicable to many enterprise mobile scenarios. For more information on the project and to download the Mobile Application Single Sign-On practice guide, please visit the National Cybersecurity Center of Excellence (NCCoE) website. The NCCoE is also accepting public comments on the guide until June 18, 2018.

Stina Ehrensvard

Yubico and Microsoft Introduce Passwordless Login

Ten years ago, at the 2008 RSA Conference, Yubico launched the first YubiKey with the goal of making secure login easy and accessible for everyone. The vision was one single security key to work across any number of services, with great user experience, security, and privacy.

On this anniversary, Yubico has taken another major leap forward toward this vision with the announcement that the recently-launched Security Key by Yubico, with FIDO2, will be supported in Windows 10 devices and Microsoft Azure Active Directory (Azure AD). The feature is currently in limited preview for Microsoft Technology Adoption Program (TAP) customers.

FIDO2 is the passwordless evolution of the FIDO Universal 2nd Factor (U2F) standard, created by Yubico and Google. While U2F included a username and password, FIDO2 supports more use cases, including passwordless authentication. Yubico has worked in close collaboration with Microsoft on developing the FIDO2 technical specifications, and the Security Key by Yubico is the first FIDO2 authentication device on the market.

What Does This Mean?

Organizations will soon have the option to enable employees and customers to sign in to an Azure AD joined device with no password, by simply using a Security Key to get single sign-on to all Azure AD based applications and services. This is just the beginning; Google and Mozilla also announced Chrome and Firefox support for the Web Authentication API (WebAuthn) developed by Yubico and members of the World Wide Web Consortium (W3C) and included in the FIDO2 specification.

Why Is This Important?

Nearly every digital experience today requires passwords, an increasingly frustrating fact of life for businesses and users. For any one person there can be hundreds of sites and devices — both personal and business related — that require memorized passwords. This leads to poor password hygiene: shared and reused passwords. And it is a real cost for businesses managing, storing and resetting passwords for employees and end-users.

Working in conjunction with Windows and Microsoft cloud services, the new Security Key by Yubico offers a secure, seamless and passwordless login experience with one of the world’s largest computer operating systems. Use cases include retail, healthcare, transportation, finance, manufacturing, and more.

How Does It Work?

FIDO2 is built on the same security and privacy features of FIDO U2F: strong public key cryptography, no drivers or client software and one key for unlimited account access with no shared secrets. With FIDO U2F, the user entered a username and password, inserted a security key in the USB-port, and touched the gold area. FIDO2 adds more options to the login process:

  • Single Factor: This only requires possession of the Security Key to log in, allowing for a passwordless tap-and-go experience.
  • Second-Factor: In a two-factor authentication scenario, such as the current Google and Facebook FIDO U2F implementations, the Security Key by Yubico is used as a strong second factor along with a username and password.
  • Multi-Factor: This allows the use of the Security Key by Yubico with an additional factor such as a PIN (instead of a password), to meet the high-assurance requirements of operations like financial transactions, or submitting a prescription.

Who Can Get Involved?

Everyone is encouraged to get involved, and accelerate progress to a secure and passwordless world. As with any open standard, advancement will be a collective industry effort and a process of global adoption. Yubico helped the majority of services add support for FIDO U2F by providing open source code and support. Together with W3C and FIDO Alliance we have made the FIDO2 open authentication standard available, and we are helping support its rapid integration into services and applications through our new Yubico Developer Program.

Enterprises → Learn about using FIDO2 with Windows 10 devices and Microsoft Azure Active Directory in your enterprise environment. Explore the benefits of FIDO2.

Developers → Implement early support for FIDO2 by signing up for updates from Yubico’s Developer Program. Members will have first access to resources to implement FIDO2 within their applications and services.

Individuals → Are you tired of passwords? If you had a choice to securely and easily login to any device or online service without them, would you? Ask for it! Visit your favorite service or businesses on Twitter and tell them you want to securely login to your account without a password by using FIDO2 and the Security Key by @Yubico!

Are you interested in learning more about going passwordless? Learn more about the Security Key by Yubico and benefits of FIDO2.

Ronnie Manning

Yubico at RSA 2018: Passwordless Logins, Developer Programs, and More

Heading to RSA in San Francisco next week? We’ll be there too, celebrating our 10th year at the conference!

Be sure to stop by Booth #S2241 to see all the awesome things we will be showing, and if you haven’t registered for the conference yet, use this code (X8EYUBIC) for a free expo pass on us.  

An industry first, we are showcasing passwordless login with the just released Security Key by Yubico, the first hardware authentication device to support both FIDO U2F and FIDO2. Yubico is a leading contributor to the new FIDO2 open authentication standard which shares many of the same characteristics as FIDO U2F: public key cryptography, no shared secrets, and no drivers or client software. However, with FIDO2, there’s no need for passwords as user credentials are tied directly to the Security Key. The device can also be conveniently paired with PINs, biometrics, or other human gestures as an additional factor.

At Yubico we’re constantly innovating to make simple, secure authentication a standard for the industry. Along with the announcement of our new FIDO2-enabled security key, we are also announcing our new Yubico Developer Program to provide resources for rapidly enabling strong authentication in web and mobile applications across all our supported protocols including FIDO U2F, PIV (smart card), OpenPGP, OTP (one-time password), the new FIDO2 protocol and for the YubiHSM2. Developer resources include workshops, webinars, implementation guides, reference code, APIs and SDKs. RSA attendees (and those who are reading this blog) will be able to sign up for early access to resources to support implementation of FIDO2.

We also invite you to join our CEO & Founder, Stina Ehrensvärd, and SVP of Product, Jerrod Chong, who will be speaking on the importance of strong authentication for today and tomorrow’s cyber landscape.

Stina’s speaking session at CyberScoop’s Cyber Talks

  • 10 Percent Is Too Little: Time to Pay Attention to Two-Factor Authentication
  • Monday, April 16 at 11:20am PT
  • Four Seasons Hotel San Francisco

Jerrod’s speaking session at Security B-Sides SF

  • Simple. Open. Mobile: A Look at the Future of Strong Authentication
  • Monday, April 16 at 11:00am PT
  • City View at Metreon

Yubico is extremely proud of what we’ve accomplished over the last ten years. The YubiKey is used by millions around the globe and works with hundreds of services right out of the box, and this number is rapidly growing. That’s one key for an unlimited number of personal or business accounts.

At RSA, be on the lookout for Yubico Technology Partner booths to see how the YubiKey seamlessly integrates with their services. Participating Yubico Technology Partners include:

Yubico at Booth #S2241

If you’re attending RSA next week, please stop by our booth and say hi! We will have team members on site to answer any questions, provide product demonstrations, offer recommendations for specific use-cases and chat about the new Security Key by Yubico and Yubico Developer Program.

Also, make sure you follow us on Twitter for updates during the show. We’ll see you there!

Stina Ehrensvard

The Diver and the YubiKey

If you are driving on highway 101 between Palo Alto and San Francisco in the coming couple of weeks, you may come across a billboard with a diver holding up a YubiKey. The same diver also appears on our website homepage. The photo was shot by Alessio, principal engineer at Yubico, from his adventure under 20 meters of water in the Philippines.

The same image inspired Josh, web developer at Yubico, to try logging into his email underwater with a waterproof phone and YubiKey. And yes, it worked! Please check out the short video below that Josh and other members of our team just created.

At Yubico, we highly regard our adventurous and multi-talented engineers. Last year, we doubled our engineering team in Stockholm, Palo Alto and Seattle. This year we are doubling again. If you are a software or hardware engineer who wants to make the internet safer for everyone – on land or underwater – we welcome you to apply for our open job positions!

Alex Yakubov

Yubico Launches Passwordless Login with new Security Key and FIDO2

Today, together with the FIDO Alliance, we made a big announcement that paves the way to a passwordless future. We revealed the new Security Key by Yubico as well as our new Developer Program, both of which support the new FIDO2 open standard for passwordless authentication.

Why is this important? Think of a time when you have created a new account and didn’t have to create a new password.

For all of us, the account creation process for any application or online service has always started with the pairing of a password to your username, but with today’s announcement that is going to change. With FIDO2, it’s now possible to redesign the process to remove the weak link of passwords, and we’re gearing up to support the ecosystem and developer community to make that happen. Whether you’ve followed Yubico for years, or you’re just learning about us, read ahead to find out more about the significance of the FIDO2 project.

The FIDO2 Project

In 2011, Yubico invented the concept of a single security key to protect user accounts from phishing and unauthorized access, for any number of services with no shared secrets. We worked with Google to further develop this concept to what today is the FIDO U2F standard.

Now, Yubico has worked in collaboration with Microsoft on the evolution of the FIDO U2F authentication standard, to create FIDO2. With FIDO2, the Security Key with its strong authentication can now solve multiple use case scenarios and experiences:

  • second factor in a two factor authentication solution
  • strong first factor, with the possession of the device only, allowing for a passwordless experience like tap and go
  • multi-factor with possession of the device AND PIN, to solve high assurance requirements such as financial transactions, or submitting a prescription.

Capabilities enabled by the FIDO2 project

FIDO2 has already received support from the FIDO Alliance, World Wide Web Consortium (W3C), and all major web browsers to aid in its global standardization and adoption. With this foundation, FIDO2 is positioned to help services, applications, and enterprise organizations seamlessly transition to a more secure, easy to use replacement for the static password.

Read more about FIDO2 here. If you’re interested in developing with this new standard, you’ll need a Security Key by Yubico and we encourage you to sign up for FIDO2 updates as part of our newly announced Yubico Developer Program.

NEW Security Key by Yubico

The Security Key by Yubico delivers FIDO2 and FIDO U2F in a single device, supporting existing U2F two-factor authentication (2FA) as well as FIDO2 implementations.

The new Security Key by Yubico supports both the Web Authentication (WebAuthn) API, and Client to Authenticator Protocol (CTAP) which are required for FIDO2-based authentication.

FIDO2 and the Security Key are delivering on trusted, touch-and-go authentication for the modern, flexible and mobile workforce that is meeting the needs of our on-demand society. Together, these technologies will be integrated into many verticals including: retail, healthcare, transportation, finance, manufacturing, and more.

We will be demonstrating the new Security Key by Yubico and new FIDO2 functionality at the RSA South Expo hall at Booth #2241. You can purchase one from our webstore today ($20 USD). Read more about the Security Key by Yubico here.

NEW Yubico Developer Program

This year marks the 10 year anniversary of the launch of the first YubiKey, which millions of users in more than 160 countries around the world love for its ease of use, security, and affordability. We made our YubiKeys available with free open source servers that encouraged adoption and growth of a thriving ecosystem of services supporting our technology. We’ve learned a lot from our partnerships, which is why today we announced a formalized Developer Program. This provides developers with the resources to rapidly integrate the YubiKey with mobile and computer login, across all our supported protocols including U2F, Yubico OTP, PIV-compatible Smart Card, OpenPGP, OATH (HOTP/TOTP), the new FIDO2 Client to Authenticator Protocol (CTAP) specification, and the YubiHSM.

We encourage developers and security architects interested in FIDO2 to sign up for updates as part of the Yubico Developer Program, to get access to resources needed to aid in early implementations of the FIDO2 open authentication standard.

Alex Yakubov

Modernizing authentication for US federal government agencies

For years, both the public and private sector have faced similar challenges when securing the confidentiality, integrity, and availability (CIA triad) of their information systems. Older technologies and policies have historically conflicted with business/organizational objectives when striving for high security. Today, advancements in cryptography and the adoption of newer, improved open standards are eliminating usability issues, and reducing help desk costs through fewer forgotten passwords. We like to call that modernization.

More than a year ago, the National Institute of Standards and Technology (NIST) began the process of updating their SP 800-63 Digital Identity Guidelines. These much needed changes enable federal agencies and contractors to leverage more convenient and secure authentication methods while still maintaining the highest security. As a result, the cybersecurity team’s efforts to comply with federal guidelines can now more easily align with the rest of the industry-evolving technologies already embraced in the private sector.

At Yubico, our mission is to make secure online identities ubiquitous by making account security easy to use, secure, and affordable. The YubiKey combines three of NIST’s permitted authentication types—multi-factor crypto device (PIV-compatible/smart card), single-factor crypto device (FIDO U2F), and single-factor OTP device (Yubico OTP and OATH HOTP/TOTP). In addition, the YubiKey is currently on track to become the first multi-protocol hardware authenticator certified at FIPS 140-2 Overall Level 2 and Physical Level 3.

The modernization of policy by the US federal government presents an opportunity for Yubico and Duo Security—both trusted leaders in easy to use, reliable security products—to deliver a unified security platform for government agencies and contractors that meets NIST Authenticator Assurance Levels 2 through 3 (AAL2 – AAL3).

We recently sat down with Sean Frazier, Duo Advisory Chief Information Security Officer, Federal during discussions on our joint solution. He shared, “The new authentication and authorization guidance from NIST is giving public sector agencies lots of flexibility to meet their most stringent security needs while providing previously elusive ease of use. In a sector that has been pushing to catch up to other industries in terms of cloud and mobile, the new guidelines are a welcome change for every federal CISO who’s looking to modernize their IT environment. Duo and Yubico combine an easy to use and extremely effective way to achieve the highest levels of assurance for trusted access.”

Duo’s platform enables federal agencies to leverage YubiKey hardware to securely access data and applications on the network or in the cloud. “This federal partnership with Duo underscores our joint commitment to data protection, as well as our responsibility as industry leaders to help federal agencies protect the individuals they serve,” said Jerrod Chong, Yubico SVP of Product. “We’ve made it our shared mission to advocate easy to use security, and encourage the adoption of new open standards like FIDO U2F to meet AAL 3.”

Learn more about what you can do with Duo and the YubiKey. Read Duo’s press release on our partnership.


Alex Yakubov

What’s guarding your domain from unauthorized access?

Domains are a frequent target for phishing attacks that pose serious privacy risks and potential losses of millions of dollars in brand damage, lost revenue, stolen data, and recovery efforts. The threat of phishing greatly underscores the need to protect the front door to your domain.

We are excited to announce that Gandi is the first domain registrar to integrate support for the YubiKey and FIDO U2F authentication. With this new integration, Gandi customers benefit from greater security to safeguard domains and critical assets, such as SSL certificates, contained within.

The YubiKey delivers strong defense against phishing at the time of login, complementing Gandi’s promise to provide secure access to domain names, easy third-party integration, and powerful tools for everyone. Gandi is excited to offer users a more secure and easy-to-use 2FA protocol with FIDO U2F, and strongly encourages users to get YubiKeys.

“The user-experience was a big factor in our decision to integrate support. The ability to easily manage multiple tokens for multiple users offers a real-world example,” said Andrew Richner, Head of Communication at Gandi US. “The other factor is obviously security. Time-based one-time password (TOTP) has a few weaknesses that the challenge-response of U2F corrects. The resulting difficulty to phish a U2F user makes the YubiKey very attractive as a 2FA option. We love the portability and durability of YubiKeys too.”

Since adopting YubiKey support, Gandi reports that user feedback has been positive. “Our users have come to expect Gandi to be on top of new technology, and to offer a high level of security. We’re finding that it’s these customers in particular who are excited to spread the word about using Gandi and YubiKey together,” he added.

Gandi’s service features easy-to-use domain management tools that enable users to define access rights by organization, team, and individual, as well as delegate domains and hosting to collaborators no matter the organization structure or size. A domain at Gandi comes with a number of free services, including email addresses, http forwarding, an SSL certificate, and domain name system (DNS) management.

Gandi demonstrates a strong commitment to security and trust—all important values shared by Yubico—that is evident in our joint effort to provide a secure authentication solution to domain management. Learn more about what you can do with Gandi and the YubiKey.

The Anatomy of a Phishing Email: 5 Things to Look For Before You Click

Phishing attacks are now considered the main source of data breaches.

91% of cyber attacks start with a phishing email *

Ten years ago, if you asked someone what ‘phishing’ was, they probably would have no idea. Since then, times have changed considerably; phishing attacks are now responsible for a significant number of major data breaches.

Phishing may have made its way into the mainstream vernacular, but there is still confusion about the subject—and rightfully so. Here’s a more in-depth look at “what is phishing?”.

Phishing attacks are becoming more sophisticated and targeted, and even the most tech- or security-savvy people can find themselves a victim. So, how do you make sure you don’t fall victim as well? Use this five-point checklist to closely examine the validity of incoming email. When in doubt, don’t click!

The Sender

This is your first clue that an email may not be legitimate. Do you know the sender? If not, treat the mail with suspicion, and don’t open any attachments until you verify with the purported sender that they meant to send them. If you believe you do know the sender, double check the actual email address. Often, a phishing email will be designed to look like it comes from a person you know, but there will be a slight variation in the address or they will spoof the envelope to show you a name you recognize.

The Subject

Pay attention to subject lines! While something like, ‘Claim your ultimate deal now!,’ can be an obvious sign of a phishing email, the far more successful subject lines are the ones that don’t raise that much suspicion. ‘Account action required’, ‘Delivery status update’, or ‘Billing statement confirmation’ can all be ploys to weaken the email recipient’s defenses through seemingly ordinary alerts.

Remember, if something legitimate is that important, your bank, employer, doctor’s office, retailer, or credit card company will find an alternate way to contact you when you’re not responding over email. When in doubt, call to ask if they’ve sent you an email, but do not make that call to a number that was in the email message you are calling about!

Most clicked email phishing subject lines.*

A delivery attempt was made (18%)

A UPS label delivery (16%)

Change of password required immediately (15%)

Unusual sign-in activity (9%)

The Body

The body of the email can hold a whole new set of clues, including misspelled words and confusing context. For example, are you asked to verify a banking account or login to a financial institution that you don’t have an account with? Did you get an email from someone you may know that has nothing in it other than a short URL? Does the content apply to you or make sense based on recent conversations or events? Similarly, if it is a known contact, is there a reason they would be sending you this email?

Hackers can also use current or popular events to their advantage. For example, holiday shopping, tax season, and natural disaster or tragedy relief efforts are all used to sneak an unsuspecting phishing email into the inbox of thousands of targets. Did you know that the IRS reported a 400 percent increase in phishing scams for the 2016 tax season alone?

How will you know if an email is valid or not? This is where other email clues will come in handy!

The Attachments

The golden rule — do NOT open an attachment if any other aspect of the email seems suspicious. Attachments often carry malware and can infect your entire machine.

7.3% of successful phishing attacks used a link or an attachment**

The URLs

Similar to attachments, do NOT click on a link if anything else about the email seems suspicious. This is usually the attacker’s ultimate goal in a phishing scam — lure users to a malicious site and trick them into entering login credentials or personal information, allowing the attacker full account access.

If you do click on a link, be sure to also verify the actual URL. Are you on or The variations can be slight, but they make all the difference! That said, be aware that a malicious site will not always be visibly reflected in the URL, and therefore you will not be able to tell the difference. If this is the case, most browsers have built-in phishing protection to alert you that something is wrong.  

15% of individuals who fall for an initial phishing attack admit to falling for a phishing attack a second time.**
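The sender and URL checks from this list, written out as an added example (not part of the original post): it flags a familiar display name on an unfamiliar address, a sender domain that is a slight variation of a known one, and link text that names a different site than the link opens. The `KNOWN` list, the 0.85 similarity threshold, the `check_email` helper and both sample messages are assumptions constructed for illustration.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: organisations the recipient really deals with (constructed values).
KNOWN = {"mybank.example": "MyBank", "parcel.example": "Parcel Co"}
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")
# Simple anchors only: <a ... href="..."> or href='...', then the visible text.
LINK_RE = re.compile(r"<a\b[^>]*?\bhref=[\"']([^\"']*)[\"'][^>]*>(.*?)</a>", re.I | re.S)

def belongs(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def check_email(raw):
    """Return findings for a single-part HTML message (hypothetical helper)."""
    msg, findings = message_from_string(raw), []
    name, addr = parseaddr(msg["From"] or "")
    sender = addr.rpartition("@")[2].lower()
    if not any(belongs(sender, d) for d in KNOWN):
        for domain, brand in KNOWN.items():
            if brand.lower() in name.lower():  # familiar name, unfamiliar address
                findings.append(f"display name claims {brand}, address is at {sender}")
            if difflib.SequenceMatcher(None, sender, domain).ratio() >= 0.85:
                findings.append(f"sender domain {sender} imitates {domain}")
    for href, text in LINK_RE.findall(msg.get_payload()):
        host = (urlparse(href).hostname or "").lower()
        shown = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", text).lower())
        if shown and not belongs(host, shown.group(1)):  # text names another site
            findings.append(f"link shows {shown.group(1)} but opens {host}")
    return findings

# Constructed messages; every address and URL is made up (.example is reserved).
PHISH = ('From: "MyBank Security" <alerts@mybamk.example>\n'
         "Subject: Unusual sign-in activity\n"
         "Content-Type: text/html\n\n"
         '<p>Confirm at <a href="http://login.phish.example/verify">'
         "https://mybank.example/login</a></p>")
LEGIT = ('From: "MyBank" <alerts@mail.mybank.example>\n'
         "Subject: Billing statement\n"
         "Content-Type: text/html\n\n"
         '<p><a href="https://www.mybank.example/statements">View statement</a></p>')

if __name__ == "__main__":
    for finding in check_email(PHISH):
        print(finding)
```

An empty result means none of these three signs were present, not that the message is safe; as the article notes, a malicious site is not always visibly reflected in the URL.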


By using these five email checkpoints, you will be more equipped to decipher a phishing email. However, some phishing attacks are so sophisticated that they can even fool the savviest of users. The good news is that there are technology solutions, such as two-factor authentication, that can help, and we strongly recommend 2FA with the YubiKey.

If you’d like to get started using a YubiKey, head over to the Yubico store to shop for the key that suits you best! 

Looking for more information on phishing? “What is phishing?” reveals the common features of a phishing scheme, how phishing schemes work to obtain your personal information, and the simple solution to protect yourself.


— Co-Authored with Ashton Tupper


*   KnowBe4 Q4 2017 Top-Clicked Phishing Email Subjects

** Verizon Data Breach Report, 2017

Ronnie Manning

Yubico CEO recognized as the Most Powerful Swedish Woman Entrepreneur 2018

On Thursday, March 8, Yubico CEO & Founder Stina Ehrensvard was named “The Most Powerful Woman Entrepreneur, 2018” by Veckans Affärer, the leading weekly business magazine in Sweden.

“With a product that is becoming a world leading standard, she is today one of Sweden’s most powerful, as well as most successful entrepreneurs,” shared the jury for the award.

Following the award, Veckans Affärer published a feature on Stina and her story. In the article, Stina thanked her parents for never stopping her from climbing trees as a young girl, and for instead asking how the view was from the top. She also emphasized that the most important foundation in a company is the team and that every award she gets represents Yubico as a whole.

The Most Powerful Woman Award is celebrating its 20th anniversary, having started in 1998 to honor and highlight successful, influential women business leaders and entrepreneurs. At the time, there were only 2 women board members for Swedish companies listed on the stock exchange. Today, the number of women has grown tenfold.

The award was handed out at the gala dinner and award ceremony in central Stockholm, attended by leading Swedish business executives.

Stina Ehrensvard

Buckle Up for a Safer Internet

Some cynics say that the problem of internet security will only continue to get worse, and that there is nothing we can do but manage and minimize damages and losses. As an optimist, I completely disagree. Throughout our existence, people have faced and resolved extremely complex and evolving challenges—a great example of which is automobile safety.

A few years back, I wrote a blog post entitled Internet Identity and the Safety Belt. It focused on the introduction of the three-point seatbelt and its significant contribution to the automobile industry by making cars safer for drivers and passengers. Today, there are 10 times more cars on the road, but a lower total number of fatal car accidents. While driving will never be completely safe, millions of lives have been saved through the realization of the problem, innovation, education, market demand, open standards, and government regulations. I am confident that we will make the information superhighway safer for everyone through the same efforts.

For the automobile industry, the seatbelt is an innovation that has had the greatest positive impact on passenger safety. Further advancements in car safety designs and driver’s education programs have similarly equipped new drivers with the tools they need to safely navigate any unforeseen turns.

What if there was a driver’s education program to help internet users move safely across the internet? Perhaps this should become a staple in a school curriculum just like Math and History?

Education, innovation, and collaboration are key to helping us all solve this complex challenge together. With that in mind, I am sharing a security quiz that we developed for basic IT security training of new Yubico employees. I invite you to test your security knowledge, and please feel free to share the quiz with family, friends, and coworkers.

Safe driving on the internet!