YubiKey 4 has fresh look, attestation capabilities

June 14, 2016

The smallest YubiKey 4 is getting a facelift, and both form factors have new trust capabilities that validate device type, manufacturer, and generated key material.

The new YubiKey 4 Nano takes on a “molded” form factor, which makes it impossible to insert the Nano in backwards, and provides a waterproof environment.

The YubiKey 4 and YubiKey 4 Nano firmware has been upgraded to add a “touch-policy cache” option, which simplifies and strengthens smart card use in a Microsoft Windows login by augmenting or replacing a PIN.

But perhaps most important, both YubiKey form factors have gained a new Personal Identity Verification (PIV) attestation capability that validates where the cryptographic keys were created and the attestation entity used to attest the key.

For example, when coupled with the PIV protocol, attestation shows where the PIV credential is generated and who attested the credential. With Secure Shell (SSH) login using a key pair generated by a YubiKey 4, attestation is used to sign and validate that a key pair was generated on hardware and that the key was manufactured by Yubico.

These validations are important to establish trust and to bind a user account to a credential on the hardware, and to do so with an easy-to-use device. The need for such operations is growing in the security community and ecosystem.

The need for higher levels of trust for specific operations means some companies and organizations can’t rely on just a software layer, but instead need a cryptographic device such as a hardware key.

On the YubiKey 4, attestation works via a special key slot called “f9” that comes pre-loaded with the attestation certificate signed by a Yubico CA. The slot can be overwritten by individual users, specifically provisioned for a customer rollout, or granularly provisioned per device.

Keys generated in a normal slot on the YubiKey are then “attested” by the key and certificate in the f9 slot. Attestation features are detailed in our Introduction to PIV Attestation. Similar attestation capabilities are found in Yubico’s implementation of the FIDO Universal 2nd Factor (U2F) protocol.
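The chain described above (a key in a normal slot attested by the f9 certificate, which in turn is signed by a CA) can be checked with `openssl verify`. This is an added example, not Yubico's code: it builds a constructed stand-in PKI locally, and all function, file and subject names are assumptions.

```shell
#!/bin/sh
# Constructed demo of the chain: root CA -> slot f9 certificate -> attestation certificate.
# Every key and certificate is generated locally; none is a real Yubico artifact.
# With real hardware the two device certificates are read from the YubiKey, for example
# yubico-piv-tool --action=read-certificate --slot=f9 and --action=attest --slot=9a.

new_key_csr() {  # $1 = file prefix, $2 = subject CN
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "/CN=$2" -out "$1.csr" 2>/dev/null
}

self_sign() {  # $1 = file prefix; produces a self-signed CA certificate
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
        -extfile "$CA_EXT" -out "$1.pem" 2>/dev/null
}

sign_csr() {  # $1 = subject prefix, $2 = issuer prefix, $3 = serial, $4 = optional extfile
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -set_serial "$3" \
        -days 1 ${4:+-extfile "$4"} -out "$1.pem" 2>/dev/null
}

build_demo_pki() {  # $1 = working directory
    CA_EXT="$1/ca.ext"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$CA_EXT"
    # Factory-style chain: trusted root signs the f9 cert, f9 signs the attestation.
    new_key_csr "$1/root" "Demo Attestation Root CA" && self_sign "$1/root"
    new_key_csr "$1/f9" "Demo Slot f9" && sign_csr "$1/f9" "$1/root" 1 "$CA_EXT"
    new_key_csr "$1/leaf" "Demo Attested Key" && sign_csr "$1/leaf" "$1/f9" 2
    # Slot f9 overwritten with a user-provisioned certificate and key.
    new_key_csr "$1/own_f9" "Demo Custom f9" && self_sign "$1/own_f9"
    new_key_csr "$1/own_leaf" "Demo Attested Key" && sign_csr "$1/own_leaf" "$1/own_f9" 3
}

# Succeeds only if the attestation cert chains through the f9 cert to the trusted root.
verify_attestation() {  # $1 = trusted root, $2 = f9 cert, $3 = attestation cert
    openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>/dev/null | grep -q ': OK$'
}

demo_dir=$(mktemp -d) && build_demo_pki "$demo_dir"
verify_attestation "$demo_dir/root.pem" "$demo_dir/f9.pem" "$demo_dir/leaf.pem" \
    && echo "factory chain: attested by trusted root"
verify_attestation "$demo_dir/root.pem" "$demo_dir/own_f9.pem" "$demo_dir/own_leaf.pem" \
    || echo "overwritten f9: not attested by this root"
```

A relying party that provisions its own f9 certificate has to pin its own root as the trust anchor; the second check shows that such a device no longer verifies against the original root.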

YubiKey 4 and YubiKey 4 Nano with the new YubiKey 4.3.1 firmware are available now from Amazon and the Yubico Store. Use the YubiKey Personalization Tool to identify the firmware version of your YubiKey.

Klas Lindfors is a Senior Software Developer at Yubico.
