The growing popularity and adoption of YubiKey has resulted in a number of partner enterprise solutions and open source projects offering server-side YubiKey modules for two-factor authentication. However, as Yubico and its customers have noticed a large variance in the deployment, management, authentication and recovery capabilities offered by these modules we propose a set of general guidelines for the module design that will help to assure a good user experience.


  • YubiKey Hardware
  • YubiCloud or own validation server

How to add YubiKey authentication to server-side applications

Follow the guidelines in the design guidelines document.

YubiKey module design guideline document (pdf)

This document provides the general guidelines for the development of a YubiKey authentication module so that it will work smoothly for the majority of use cases we have been exposed to. It covers the capabilities we recommend to be supported and the considerations to be made when designing and developing a comprehensive and configurable YubiKey authentication module for server-side applications. The document also provides recommendations for how the module should be implemented, administered and maintained. The document does not cover any specific platform or programming language details.

YubiKey authentication modules

YubiKey authentication modules are developed to add YubiKey two-factor authentication to server-side applications. The YubiKey Authentication Module can validate the OTP against either own Validation Server or against the Yubico Online Validation Service. You will have to decide which model works best for your application. The main benefit with your own server is that you are in full control over all AES keys programmed into the YubiKeys. The main benefit of using the Yubico online Validation Service is that the YubiKeys are already ready to use with the Online Validation Service out of the box (no additional handling needed). It also enables users that already have a YubiKey to sign up for your service.