Customer Control Secrets
YubiKeys are delivered to our logistics centers as “stem cells”, with the means to prevent any modifications during transit and storage. The authentication and encryption features are programmed at the time of shipment to customers. Customer cryptographic secrets are not stored by Yubico, and customers may choose to use their own computers and equipment for programming.
All YubiKeys sold on our web store can be programmed by customers using our free programming tools. Cryptographic keys cannot be read out from the device. More detailed information on the different options for programming YubiKeys can be found on our Programming Options page.
Yubico OTP Security
For high-security applications, we recommend the use of our public key offerings, including FIDO2, FIDO U2F, GPG, and PIV.
For one-time password (OTP) applications, the Yubico OTP supported in the YubiKey offers enhanced security compared to traditional OTP tokens. Because the YubiKey automatically enters the passcode for you, we have chosen the full 128-bit key strength, represented by a 32-character ModHex one-time passcode, offering several orders of magnitude more security than the common 6- or 8-digit codes. To further enhance security, the Yubico OTP is offered with an optional time-variant code. The YubiKey has no battery but features a built-in clock that uses the power from the USB port or NFC (in supported models). This clock can be used to measure the time between two OTPs, verifying user presence so that pre-recorded OTPs cannot be replayed.
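The following is an added example, not code from Yubico or from this page, that makes the two numbers above concrete: it decodes the 32-symbol ModHex token into the 16 bytes (128 bits) it represents and computes how many powers of ten larger that code space is than a 6- or 8-digit numeric code. It assumes Yubico's published ModHex alphabet ("cbdefghijklnrtuv", with "c" = 0 and "v" = 15) and that a pasted OTP ends with the 32-symbol token, with any preceding symbols being the key's public identity; the sample token is constructed for illustration and is not real YubiKey output. It does not decrypt the token, which requires the per-key AES secret held only by the validation server.

```python
import math

# Yubico's ModHex alphabet: 16 symbols chosen to survive keyboard-layout
# differences. "c" encodes 0 and "v" encodes 15.
MODHEX_ALPHABET = "cbdefghijklnrtuv"

# Constructed sample token (32 ModHex symbols); not a real YubiKey output.
SAMPLE_TOKEN = "hknhfjbrjnlnldnhcujvddbikngjrtgh"


def modhex_decode(text: str) -> bytes:
    """Decode a ModHex string into bytes; every two symbols make one byte.

    Rejects odd-length input and any symbol outside the ModHex alphabet,
    which is the first check a validator applies to a pasted OTP.
    """
    text = text.lower()
    if len(text) % 2:
        raise ValueError("ModHex input must have an even length")
    out = bytearray()
    for i in range(0, len(text), 2):
        try:
            hi = MODHEX_ALPHABET.index(text[i])
            lo = MODHEX_ALPHABET.index(text[i + 1])
        except ValueError:
            raise ValueError(f"non-ModHex symbol at position {i}") from None
        out.append((hi << 4) | lo)
    return bytes(out)


def modhex_encode(data: bytes) -> str:
    """Inverse of modhex_decode: one byte becomes two ModHex symbols."""
    return "".join(MODHEX_ALPHABET[b >> 4] + MODHEX_ALPHABET[b & 0x0F] for b in data)


def split_otp(otp: str):
    """Split a pasted OTP into (public_id, token).

    The token is always the trailing 32 symbols (16 bytes); anything before
    it is the public identity of the key (assumption stated in the lead-in).
    """
    if len(otp) < 32:
        raise ValueError("OTP is shorter than the 32-symbol token")
    return otp[:-32], otp[-32:]


def token_strength_bits(token: str) -> int:
    """Bit width of the decoded token: 32 ModHex symbols -> 16 bytes -> 128 bits."""
    return len(modhex_decode(token)) * 8


def orders_of_magnitude_over_digits(token_chars: int = 32, digits: int = 6) -> int:
    """How many powers of ten larger the ModHex code space (16**token_chars)
    is than a numeric code with `digits` decimal digits (10**digits)."""
    return math.floor(token_chars * math.log10(16) - digits)


if __name__ == "__main__":
    public_id, token = split_otp("ccccccbcuhtk" + SAMPLE_TOKEN)
    print("public id:", public_id)
    print("token bits:", token_strength_bits(token))
    print("orders of magnitude over a 6-digit code:", orders_of_magnitude_over_digits(32, 6))
```

Decoding the token only recovers 16 opaque bytes; the counter, timestamp and CRC inside it are visible only after the validation server decrypts it with the key's AES secret, which is why the time-between-OTPs check described above happens server-side.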
While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability. BLE does not provide the security assurance levels of NFC and USB as it can be intercepted within 20 meters, and is a more complex protocol with a larger attack surface. Also, it requires batteries and pairing that offer a poor user experience.
Yubico is a believer in NFC, and the YubiKey design has proven at scale to deliver a superior contactless user experience. Yubico will also soon announce another secure and user-friendly solution for iOS.
FIDO Ecosystem Security
In order to achieve a trusted ecosystem, the browser and device implementations are critical. The FIDO Alliance certification is focused on the interoperability of FIDO security keys. You can read more about FIDO certification on their website: https://fidoalliance.org/certification/.
Attestation is built into the FIDO protocols, which enables each service provider to restrict which security keys to allow based on their individual needs and concerns. Each vendor can provide root attestation certificates which can be used to verify the authenticity of any security key they produce. The root certificate that issues all Yubico security key attestation certificates is available at: https://developers.yubico.com/U2F/yubico-u2f-ca-certs.txt.
Securing Secrets on Servers
We use our own cost-efficient and convenient YubiHSM hardware security module to protect access to all Yubico servers and systems, including the OTP secrets for YubiCloud, Yubico's hosted validation service.
We are a strong believer in transparency and do whatever we can to provide documentation and open source software and libraries. We are also committed to ongoing work with third parties for certifications, security reviews, and scrutiny.
The Yubico team, investors and advisors have a long, proven track record and are well respected in the security industry and open standards communities. Our goal has always been to be transparent and take responsibility for the quality and integrity of our products.
Since 2014 and the launch of FIDO U2F in Gmail, Yubico has donated and discounted YubiKeys and security keys to journalists, dissidents and non-profit organisations working for civil rights. Learn more about the program here.