In a single device, the YubiKey NEO has both contact (USB) and contactless (NFC, MIFARE) communications. It supports one-time password, smart card functionality, including OpenPGP and PIV, and the emerging FIDO Alliance Universal 2nd Factor (U2F) protocol.
If NFC is not required, or if the smaller Nano form factor is preferred, we recommend customers purchase the YubiKey 4 or YubiKey 4 Nano, our latest generation YubiKey, including faster and strong crypto compared to the YubiKey NEO.
Where You Can Use YubiKey NEO
The YubiKey NEO can be used for securing access to a wide range of applications, including remote access and VPN, password managers, computer login, FIDO U2F login (Gmail, GitHub, Dropbox, etc) content management systems, popular online services, and much more. Find out more about the range of open source and enterprise solutions on our YubiKey for Business and YubiKey for Individuals pages.
Special YubiKey NEO Features
- Works on Microsoft Windows, Mac OS X, Linux operating systems; major browsers; and Android NFC phones and tablets
- Supports multiple authentication protocols, including Yubico OTP, smart card, and FIDO U2F
- Mobile authentication through NFC contactless technology (NDEF type 4), works with Android and other devices (NEO only)
- MIFARE Classic, for legacy physical access control systems
- Hardware secure elements guard your encryption keys
Universal 2nd Factor
FIDO U2F is an emerging open authentication standard, with native support in platforms and browsers. U2F breaks the mold for high security public key authentication, removing the complexity of drivers, specialized client software, and the traditional costly CA model. With FIDO U2F, one single YubiKey NEO supports any number of online services, with no user information or encryption keys shared between the service providers. Learn more about FIDO U2F.
Integrate YubiKey NEO Support
Learn how you can add YubiKey NEO authentication to your site or service at our developer site. The YubiKey NEO can be configured for different modes using the YubiKey Manager. To use it as a PIV-compliant smart card, find out more at YubiKey NEO and PIV.
Start Your YubiKey
If you already have a YubiKey NEO, try it out here.
What are my benefits when using the OTP+U2F+CCID configuration?
When using the YubiKey NEO in OTP+U2F+CCID mode, you can access every feature of your device to secure your online accounts. On the same YubiKey, at the same time, you can use U2F to secure your Gmail account, access services like LastPass, as well as secure their communication using applets loaded on their device, such as the OpenPGP applet.
Can I use my U2F-enabled YubiKey NEO device to enable strong two-factor authentication for my enterprise?
Any online service or application can integrate with the U2F protocol. One of our key partners, Duo Security, is the first to offer enterprise server solutions supporting U2F. You can learn more about Duo Security and U2F.
How many services can the YubiKey NEO be associated with?
There is no practical limit to the U2F secured services the YubiKey NEO can be associated with. During the registration process, the key pairs are generated on the device (secure element) but the key pairs are not stored on the YubiKey NEO. Instead, the key pair (public key and encrypted private key) are stored by each relying party/service that initiated the registration. Therefore, this approach allows for an unlimited number of services to be associated with the YubiKey NEO.
This means the same U2F YubiKey you use for Gmail or Google Apps can be used with your GitHub and Dropbox accounts.
How can I set up my Linux instance for use with U2F?
We advise everyone to install the YubiKey NEO manager software. The latest version of this software can be found here: https://developers.yubico.com/yubikey-neo-manager/Releases/
If you have a YubiKey NEO, ensure you have unlocked U2F mode by following these instructions:
- If you have a Security Key by Yubico (blue color) U2F is enabled by default (only U2F mode is supported on this product!).
and download or create a copy of the file named 70-u2f.rules into the Linux directory /etc/udev/rules.d/.
If this file is already there, ensure that the content looks like exactly the one provided on github.com/Yubico (link above).
Save the file and reboot your system.
Ensure that you are running Google Chrome 38 or later. From Chrome version 39 and later, you can use the YubiKey NEO in U2F+HID mode.
NOTE: This applies only to YubiKey NEO, the Security Key by Yubico supports only U2F, and this mode enabled by default.
When can I purchase a YubiKey NEO with FIDO U2F or can I upgrade my current YubiKey NEO?
YubiKey NEO devices have shipped with firmware version 3.3 since Oct. 1, 2014, which includes U2F support along with other protocols including Yubico OTP and smart card functionality. YubiKey NEOs are not upgradable based on best security practices. There is a “no upgrade” policy for our devices since nothing, including malware, can write to the firmware. For more information see our blog YubiKey and BadUSB.
Does the YubiKey NEO work with my mobile device?
YubiKey NEO has NFC contactless technology capabilities so you can use your YubiKey NEO on any Android device that supports NFC.
If you do not need NFC, we recommend the YubiKey 4 instead of the NEO, as it offers faster and stronger crypto at a lower price.
Does my YubiKey NEO support U2F over NFC?
Yes! All YubiKey NEO devices manufactured as of February 10, 2015 supported the current FIDO U2F specification for NFC. To verify you have a YubiKey NEO that supports NFC, check to see your YubiKey is running firmware version 3.4.0 or later. To check your firmware version, use the YubiKey NEO Manager or YubiKey Personalization Tool.
For more information on the spec, see FIDO Alliance Equips U2F Protocol for Mobile and Wireless Applications.
Can the YubiKey NEO be used as a Smart Lock device for Android Lollipop?
Yes, the YubiKey NEO can be used as an NFC tag registered for Smart Lock on Android Lollipop devices. For more information, see the Android support page.
Note: Android’s SmartLock features uses a static 7 byte ID, which does not conform to Yubico’s security threshold standards. We recommend users consider this feature a convenience and not a strong authentication replacement.
What is the OpenPGP vulnerability, and does it affect me?
This vulnerability applies to you only if you are using OpenPGP, and if you have the OpenPGP applet version 1.0.9 or earlier. You can continue to use your YubiKey NEO without worry. Yubico learned (in April 2015) of a security issue with the OpenPGP Card applet project that is used in the YubiKey NEO. The OpenPGP applet is used for signing and encrypting using a private key that you store on the YubiKey NEO. For more information on the vulnerability, see the security advisory.
How many credentials can I program on my YubiKey?
On the YubiKey NEO, there are two “configuration slots” on each key. You can program each slot with a single credential, such as one for OTP and one for Challenge-Response (such as for Microsoft Windows or Mac OS X account login) or static password. You can also configure the YubiKey as a smart card (PIV). You can store up to 28 OATH credentials (TOTP or HOTP) on the YubiKey NEO and access them using the Yubico Authenticator companion application. In addition, you can have an unlimited number of U2F credentials on the YubiKey NEO.
Can I still purchase the smaller form factor of the YubiKey NEO?
We are withdrawing from our retail web sales the YubiKey NEO-n (as well as the YubiKey Standard, YubiKey Nano, YubiKey Edge, and YubiKey Edge-n). Throughout 2016, we will continue to sell these products to existing customers and partners at existing price/functions, for deployment in enterprises, but they will not be available on the Yubico Store.
For information about the YubiKey NEO-n, or the other products being withdrawn from retail sales, see the Product Sheets on our Documentation page.