YubiKey 4 has fresh look, attestation capabilities

YubiKey 4 and YubiKey 4 nano

The smallest YubiKey 4 is getting a facelift, and both form factors have new trust capabilities that validate device type, manufacturer, and generated key material.

The new YubiKey 4 Nano takes on a “molded” form factor, which makes it impossible to insert the Nano in backwards, and provides a waterproof environment.

The YubiKey 4 and YubiKey 4 Nano firmware have been upgraded to add a “touch-policy cache,” which simplifies and strengthens smart card use in a Microsoft Windows login by adding the touch-policy cache option to augment or replace a PIN.

But perhaps most important, both YubiKey form factors have gained a new Personal Identity Verification (PIV) attestation capability that validates where the cryptographic keys were created and the attestation entity used to attest the key.

For example, when coupled with the PIV protocol, attestation shows where the PIV credential is generated and who attested the credential. With Secure Shell (SSH) login using a key pair generated by a YubiKey 4, attestation is used to sign and validate that a key pair was generated on hardware and that the key was manufactured by Yubico.

These validations are important to establish trust and to bind a user account to a credential on the hardware, and to do so with an easy-to-use device. The need for such operations are gaining popularity in the security community and ecosystem.

The need for higher levels of trust for specific operations means some companies and organizations can’t rely on just a software layer, but instead need a cryptographic device such as a hardware key.

On the YubiKey 4, attestation works via a special key slot called “f9” that comes pre-loaded with the attestation certificate signed by a Yubico CA. The slot can be overwritten by individual users, specifically provisioned for a customer rollout, or granularly provisioned per device.

Keys generated in a normal slot on the YubiKey are then “attested” by the key and certificate in the f9 slot. Attestation features are detailed in our Introduction to PIV Attestation. Similar attestation capabilities are found in Yubico’s implementation of the FIDO Universal 2nd Factor (U2F) protocol.

YubiKey 4 and YubiKey 4 Nano with the new YubiKey 4.3.1 firmware is available now from Amazon and the Yubico Store. Use the YubiKey Personalization Tool to identify the firmware version of your YubiKey.

Klas Lindfors is a Senior Software Developer at Yubico.

Talk to our teamTalk to our team

Share this article:


  • CEO Corner: Wrapping up a strong year, and looking ahead to 2025 and beyondIt’s no secret that 2024 was a big year of growth for Yubico, highlighted across many notable achievements by our team and increasing demand from our customers. As discussed in my previous post, following a transformative year driven by key cybersecurity trends like passkeys and AI, the year culminated in the significant step of Yubico […]Read moreCEOEarningsMattias Danielsson
  • The rise of AI-driven phishing attacks: What to know and how to be secureAs businesses continue learning the benefits that artificial intelligence (AI) assisted computing tools provide, we’re continuing to see rapid interest and adoption of the technology – especially within the enterprise. Most conversations up until recently have revolved around ChatGPT, but now another new AI-powered large language model tool – DeepSeek – is creating a lot […]Read more
  • Works with YubiKey Spotlight: Expanded partnerships redefining phishing-resistance in 20252024 was an exciting year for Yubico and our partners. Together, we achieved remarkable milestones, launching innovative solutions and forging stronger partnerships – all aimed at delivering the most impactful cybersecurity solutions and user experience for our customers and partners. At the heart of these efforts lies a shared commitment to phishing-resistance.  From registration to […]Read moreWorks with YubiKeywwyk
  • Cybersecurity in 2025 – part two: Insights and predictions from Yubico’s expertsIn part one of our 2025 cybersecurity predictions, we highlighted insights from our experts on the topic of passkeys, digital identity wallets and the threats of AI-driven phishing – areas that saw a lot of focus in 2024, and ones that we expect to continue being a major focus this year. If you missed our […]Read morecritical infrastructurefederal governmentfinancial servicespredictions