Because security is never stronger than its weakest link, we have considered the full lifecycle of our products, from manufacturing to integration within a system.
Made in Sweden & USA
In our production plants in Sweden and the USA we have developed a new, fully automated way to manufacture USB keys, in one solid and robust piece of plastic. An industrial robot molds, tests, and laser-marks 10,000 YubiKeys per day per facility.
Secrets Protected with Secure Elements
YubiKeys are built on state-of-the-art secure elements, molded into plastic under high pressure, making them practically tamper-proof. Each YubiKey is seeded with its own individual secrets, so a compromise of one key exposes only that key; there is no shared master secret whose loss would be systemic. If a key is lost or stolen, the user or an administrator can simply disable it so that it can no longer be used.
Easy to Program Your Own Secrets
YubiKeys are delivered to our logistics centers as blank hardware; the authentication and encryption features are programmed at the time of shipment to customers. All YubiKeys sold on our web store can be re-programmed by customers with our free programming tools over ordinary USB ports and hubs. For large-volume orders, a portable programming machine lets customers program 10,000 keys in one hour, with no secrets ever touched or stored by Yubico. For security reasons, Yubico firmware is not upgradable, so the code in the key cannot be altered after it leaves the factory (which also means a flaw in shipped firmware can only be addressed by replacing the key). The YubiKey is a write-only device: secrets can be loaded into it, but the encryption key can never be read back out.
YubiKey OTP Security
For high-security applications we recommend our public-key offerings, U2F and PIV. There are, however, many applications where Yubico One-Time Password (OTP) is easier to deploy and still offers better security than traditional OTP tokens. Because the YubiKey types the passcode for you, length is not a usability problem, so we use the full 128-bit key strength: the AES-128 encrypted 16-byte block is typed as 32 ModHex characters (after a 12-character public identity), a space of 2^128 values against the 10^6 to 10^8 values a common 6- or 8-digit code can take. To further enhance security, the Yubico OTP carries an optional time-variant field. The YubiKey has no battery, but it has a built-in clock that runs on USB power while the key is inserted. The validation server can compare the clock values of two consecutive OTPs with the real time that elapsed between them, which confirms that the key was present when the codes were generated and lets it reject OTPs that were recorded earlier and replayed later.
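Worked example of the OTP mechanics described above. This is an added Go program, not Yubico's own code: it builds a Yubico OTP the way the key does (a 16-byte token with private ID, power-up counter, 8 Hz timestamp, session counter, random bytes and CRC-16, encrypted with AES-128 and typed as ModHex after the cleartext public ID) and validates it the way a server must: decrypt, check the CRC residue and private ID, reject counters that do not advance, and compare the key's clock with wall time within one power-up session. The sample key, the IDs and the 20-second clock tolerance are constructed for the example; the replay and clock policy is a simplified version of what a real validation server such as YubiCloud does, which also handles counter and clock wrap-around (the 24-bit clock wraps after about 24 days) and synchronization between servers.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
	"strings"
)

// ModHex: nibbles 0x0..0xf as letters that sit on the same keys in every common layout.
const modhex = "cbdefghijklnrtuv"

func modhexEncode(b []byte) string {
	out := make([]byte, 2*len(b))
	for i, x := range b {
		out[2*i], out[2*i+1] = modhex[x>>4], modhex[x&0x0f]
	}
	return string(out)
}

func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := 0; i+1 < len(s); i += 2 {
		hi, lo := strings.IndexByte(modhex, s[i]), strings.IndexByte(modhex, s[i+1])
		if hi < 0 || lo < 0 {
			return nil, errors.New("modhex: invalid character")
		}
		out[i/2] = byte(hi<<4 | lo)
	}
	return out, nil
}

// crc16: reflected CRC-16 (poly 0x8408, init 0xffff). The key appends the complemented CRC,
// so running a correct 16-byte token back through it leaves the constant residue 0xf0b8.
func crc16(data []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408&-(crc&1) // xor in the polynomial when the shifted-out bit is 1
		}
	}
	return crc
}

// Token is the 16-byte plaintext the key encrypts under its AES-128 key.
type Token struct {
	PrivateID  [6]byte // secret identity, verified after decryption
	UseCtr     uint16  // non-volatile, +1 on every power-up
	Timestamp  uint32  // 24-bit counter ticking at 8 Hz while USB-powered
	SessionUse uint8   // +1 per OTP within one power-up session
	Random     uint16
}

func (t Token) pack() (b [16]byte) {
	copy(b[0:6], t.PrivateID[:])
	binary.LittleEndian.PutUint16(b[6:8], t.UseCtr)
	b[8], b[9], b[10], b[11] = byte(t.Timestamp), byte(t.Timestamp>>8), byte(t.Timestamp>>16), t.SessionUse
	binary.LittleEndian.PutUint16(b[12:14], t.Random)
	binary.LittleEndian.PutUint16(b[14:16], ^crc16(b[:14]))
	return b
}

func unpack(b [16]byte) (t Token) {
	copy(t.PrivateID[:], b[0:6])
	t.UseCtr, t.SessionUse, t.Random = binary.LittleEndian.Uint16(b[6:8]), b[11], binary.LittleEndian.Uint16(b[12:14])
	t.Timestamp = uint32(b[8]) | uint32(b[9])<<8 | uint32(b[10])<<16
	return t
}

// generateOTP mimics the key: AES-128 on one block, ModHex-encoded, prefixed by the cleartext
// public ID the server uses to find the key (12 + 32 = 44 characters).
func generateOTP(key [16]byte, publicID []byte, t Token) string {
	c, _ := aes.NewCipher(key[:])
	pt, ct := t.pack(), [16]byte{}
	c.Encrypt(ct[:], pt[:])
	return modhexEncode(publicID) + modhexEncode(ct[:])
}

// KeyState is what a validation server keeps per key (looked up by public ID).
type KeyState struct {
	Key       [16]byte
	PrivateID [6]byte
	seen      bool  // any OTP accepted yet?
	last      Token // last accepted token
	lastSec   int64 // wall-clock seconds when it arrived
}

const clockSlackSec = 20 // tolerance for typing and network delay (assumed value)

func (s *KeyState) Validate(otp string, nowSec int64) error {
	ct, err := modhexDecode(otp)
	if err != nil || len(ct) < 16 {
		return errors.New("malformed otp")
	}
	c, _ := aes.NewCipher(s.Key[:])
	var pt [16]byte
	c.Decrypt(pt[:], ct[len(ct)-16:]) // the last 16 bytes are the encrypted token
	t := unpack(pt)
	if crc16(pt[:]) != 0xf0b8 || t.PrivateID != s.PrivateID {
		return errors.New("wrong key, corrupted otp or foreign private id")
	}
	// Replay: the counters must move strictly forward.
	if s.seen && (t.UseCtr < s.last.UseCtr || t.UseCtr == s.last.UseCtr && t.SessionUse <= s.last.SessionUse) {
		return errors.New("replayed otp")
	}
	// Same power-up session: the key's 8 Hz clock must agree with wall time; an OTP recorded
	// earlier and submitted later claims far less elapsed time than really passed.
	if s.seen && t.UseCtr == s.last.UseCtr {
		if d := int64(t.Timestamp) - int64(s.last.Timestamp); d <= 0 || nowSec-s.lastSec-d/8 > clockSlackSec {
			return errors.New("key clock disagrees with wall clock: pre-recorded otp?")
		}
	}
	s.seen, s.last, s.lastSec = true, t, nowSec
	return nil
}
```

Two points worth noting from the code: a single AES block in ECB mode is acceptable here only because the plaintext carries counters, a random field and a CRC that the server checks, so a forged or corrupted block is rejected after decryption; and replay protection is only as good as the server's memory of the last accepted counters, which must be stored durably and shared between validation servers.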
Securing Secrets on Servers
We use our own cost-efficient and convenient YubiHSM hardware security module to protect access to all Yubico servers and systems, including the OTP secrets for YubiCloud, Yubico's hosted validation service.
We have built most of our authentication and encryption functions on open standards and free open-source software, so nothing depends on a hidden design. Our software is freely available in our GitHub repositories, where anyone can scrutinize it.