Because security is never stronger than its weakest link, we have considered the full lifecycle of our products, from component sourcing, through manufacturing, to integration within a customer system, to ensure the highest levels of security.
Made in Sweden & USA
Yubico is a Swedish company that owns subsidiaries in the USA, UK, and Germany. We strongly believe that manufacturing and programming our products in Sweden and the USA brings security and privacy benefits for our customers.
To ensure that we are very close to all aspects of manufacturing, we have set up production where we are geographically based. That means we manufacture and finish our parts close to our two main offices in Sweden and the USA, where we can make continuous improvements while keeping tight control over what’s made.
We have invented a new and efficient way to manufacture USB keys — in one solid and robust piece of plastic. We use a high degree of automation, from electronics assembly to molding, testing, laser marking and packing of our products.
Secrets Protected with Secure Elements
Yubico products are built on state-of-the-art secure elements, providing a high degree of resilience for secret information. The design of the YubiKey minimizes the attack surface by moving storage of cryptographic keys and secure processing away from the computer and into an external dedicated hardware authentication device. In today’s highly complex systems, this is becoming increasingly important.
Customer Control Secrets
YubiKeys are delivered to our logistics centers as “stem cells”, with the means to prevent any modifications during transit and storage. The authentication and encryption features are programmed at the time of shipment to customers. Customer cryptographic secrets are not stored by Yubico, and customers may choose to use their own computers and equipment for programming.
All YubiKeys sold on our web store can be programmed by customers using our free programming tools. Cryptographic keys cannot be read out from the device. More detailed information on the different options for programming YubiKeys can be found on our Programming Options page.
Yubico OTP Security
For high-security applications, we recommend the use of our public key offerings, including FIDO2, FIDO U2F, GPG, and PIV.
For one-time password (OTP) applications, the Yubico OTP supported in the YubiKey offers enhanced security compared to traditional OTP tokens. Because the YubiKey automatically enters the passcode for you, we have chosen the full 128-bit key strength, represented by a one-time passcode of 32 ModHex characters, offering a level of security several orders of magnitude higher than the common 6 or 8 digits. To further enhance security, the Yubico OTP is offered with an optional time variant code. The YubiKey has no battery but features a built-in clock that uses the power from the USB port or NFC (in supported models). This clock can be used to measure the time between two OTPs, verifying user presence so that pre-recorded OTPs cannot be used.
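The 32-character passcode described above can be checked and decoded to its 128-bit block as follows. This is an added example, not Yubico's code; the ModHex alphabet and the handling of an identity prefix in front of the passcode are not given on this page and are marked in the comments, and the sample string is constructed.

```python
# Added example: structural check and ModHex decoding of a Yubico OTP string.
MODHEX = "cbdefghijklnrtuv"          # ModHex alphabet (not on this page), index = 4-bit value
_VALUE = {ch: i for i, ch in enumerate(MODHEX)}
PASSCODE_CHARS = 32                  # 32 ModHex chars = 16 bytes = 128 bits


class OTPFormatError(ValueError):
    """Raised when a string cannot be a well-formed Yubico OTP."""


def modhex_decode(text: str) -> bytes:
    """Decode a ModHex string (two characters per byte) into raw bytes."""
    text = text.lower()              # Caps Lock must not change the value
    if len(text) % 2:
        raise OTPFormatError("odd number of ModHex characters")
    try:
        nibbles = [_VALUE[ch] for ch in text]
    except KeyError as exc:
        raise OTPFormatError(f"not a ModHex character: {exc.args[0]!r}") from None
    return bytes(hi << 4 | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def split_otp(token: str) -> tuple[str, bytes]:
    """Return (identity prefix, 16-byte passcode block) from typed output.

    Assumption: the last 32 characters are the passcode and anything before
    them is an identity prefix that is also ModHex.
    """
    token = token.strip()            # typed output may end with a newline
    if len(token) < PASSCODE_CHARS:
        raise OTPFormatError("shorter than 32 ModHex characters")
    prefix, passcode = token[:-PASSCODE_CHARS], token[-PASSCODE_CHARS:]
    modhex_decode(prefix)            # validate only; raises on bad input
    return prefix.lower(), modhex_decode(passcode)


# Constructed sample, not a real OTP: 12-character prefix + 32-character passcode.
SAMPLE = "cccccccccccb" + "cbdefghijklnrtuv" * 2

if __name__ == "__main__":
    prefix, block = split_otp(SAMPLE + "\n")
    print(prefix, block.hex(), len(block) * 8, "bits")
```

Rejecting malformed strings this way before any validation call keeps obviously invalid input away from the service that holds the OTP secrets.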
Securing Secrets on Servers
We use our own cost-efficient and convenient YubiHSM hardware server module to protect access to all Yubico servers and systems, including the OTP secrets for YubiCloud, Yubico’s hosted validation service.
We are strong believers in transparency and do whatever we can to provide documentation and open source software and libraries. We are also constantly working with third parties for certifications, security reviews, and scrutiny.