Creating the Unphishable Security Key

How the FIDO U2F security key and YubiKey stop phishing and man-in-the-middle attacks

Security is never stronger than its weakest link, and that weakest link is often the user. Not surprisingly, phishing attacks that target users are increasing not only in volume, but also in sophistication. Google knows that. Recently, the search giant updated their login security policy to enable users to set up security keys as their preferred and only authentication method, no longer requiring the use of SMS or a mobile authenticator app.

SMS and mobile authenticator apps are no longer effective at protecting against the modern man-in-the-middle phishing attacks that are able to hijack the session.

To prevent state-of-the-art and old school phishing attacks, Yubico and Google combined a number of advanced security features, listed below, when co-creating the FIDO Universal 2nd Factor (U2F) protocol, to deliver the unphishable key.

Origin bound keys
One of the most common phishing attacks is to trick users to visit and log in to a fake website, where the user gives away sensitive login data and performs a fraudulent transaction. With the increasing sophistication of hackers, it is becoming difficult for most users to see the difference between a fake and a real site. Some fake sites may even include the green light indicating a secure connection and an SSL certificate.

The latest sophisticated phishing attacks, so called man-in-the middle, are even more aggressive: hijacking the communication between the user and service, and automatically redirecting the user to the fake web site.

With the YubiKey and FIDO U2F Security Key, user login is bound to the origin, meaning that only the real site can authenticate with the key. The authentication will fail on the fake site even if the user was fooled into thinking it was real.

Verification of user presence
By requiring a simple human touch to trigger the key to authenticate, the YubiKey and FIDO U2F Security Key verify that the person logging in is a real live human behind the computer, and not a remote hacker, bot, or trojan.

No shared secrets
U2F relies on the concept of minting a cryptographic key pair for each service. This means that the authentication secrets for each service are not shared. By using public-key cryptography, the server only has to store the public key for the user. Furthermore, this enhances user privacy as different sites cannot learn for which sites the user has registered.

Token binding
Token binding is an additional protection supported by FIDO U2F that secures the connection between the browser and the service to prevent man in the middle attacks.

Token binding allows servers to create cryptographically bound tokens (such as cookies, OAuth tokens) to the TLS layer, to prevent attacks where an attacker exports a bearer token from the user’s machine to present to a web service and impersonate the user.Token binding is used by FIDO U2F keys to bind the fido authentication token to the user agents TLS connection with the service.

Native platform/OS support
The YubiKey and FIDO U2F Security Key were intentionally designed so that no additional client software is required. With all the authentication software built into the key, this design brings zero friction for the user. Additionally, this eliminates the vulnerability and risk of compromise that comes from any extra client software that needs to be downloaded to a phone or computer.

Secure backup
Any authentication technology and device can be lost. The affordable hardware-based design of the security key makes it easy for users to setup multiple keys for their accounts. This approach enables secure backups for users at considerably lower support cost compared to using mobile phone authentication technology.

Ease of use
Last, but not least, the unphishable YubiKey and FIDO U2F Security Key were designed to be easy to use and deploy.

All these security features work seamlessly. For the user, it is just a simple touch to authenticate. To further simplify, services and users can choose their own policies on how often they need to authenticate with a security key. With the way Facebook has implemented FIDO U2F, users only need to register and authenticate once per trusted laptop or phone.

Any online service can easily make support for FIDO U2F using Yubico’s free and open source server code, and integration can be done within a few days. Alternatively, U2F can be implemented via Google and Facebook social login. Through this federation model, millions of websites and billions of users globally have access to online identity protection through unphishable security keys.

Learn more about FIDO U2F and social login.

Talk to our teamTalk to our team

Share this article:


  • Securing the skies with YubiKeys: Insights on cyber resilience in the aviation industry and beyondIn an increasingly interconnected world, the landscape of cybersecurity is constantly evolving. Bad actors are becoming more sophisticated, leveraging tactics like phishing and ransomware to exploit human error and weak credentials. This makes robust cybersecurity a universal issue, impacting everyone from individuals to the largest global enterprises – especially those in high-stakes sectors like commercial […]Read morecyber resilienceEUmanufacturingQ&A
  • Future-proofing authentication: A look at the future of post-quantum cryptographyThe path from passwords to passkeys and beyond In a previous blog I talked about the end of passwords and the rise of passkeys, which promise stronger security and less frustration for both individuals and businesses. The global momentum behind passkeys represents one of the most exciting shifts in authentication history, but realizing their full […]Read more
  • Goodbye master passwords: Dashlane and Yubico enhance credential vault encryption and login with YubiKeysAt Authenticate 2025 this week, the world’s leading experts on modern authentication and securing digital identities gathered, to discuss the future of secure authentication and achieving usable security across the account lifecycle. The message was clear: the future of phishing-resistant authentication is using passkeys for encryption, and the gold standard is device-bound passkeys – YubiKeys. […]Read morecredential vault encryptioncredential vault loginDashlanepartnerpasskey encryptionPRF
  • Piloting Europe’s future ID: Passkeys securing digital walletsOver the last several years, passkeys have become ubiquitous. They are available on every mobile platform, in every leading browser, as part of all major enterprise IAM solutions, and in most major cloud services. Until wwWallet came along, the only place where passkeys hadn’t yet made an impact is in the rapidly developing world of […]Read moredigital identity walletspasskeysSIROSwwWallet