The YubiKey NEO is the strong authentication bullseye the industry has been aiming at for years, enabling one single key to secure an unlimited number of applications.
Our newest YubiKey NEO keys with the 3.4 firmware support U2F plus OTP and CCID at the same time, on the same key, when running Google Chrome version 39 (released 11/18/14) or later. Users have long sought this multi-functionality, and now it is here.
In a single device, the YubiKey NEO has both contact (USB) and contactless (NFC, MIFARE) communications. It uniquely supports One-Time Passcodes, smart card functionality, including OpenPGP and PIV, and the emerging FIDO Alliance Universal 2nd Factor (U2F) protocol. The YubiKey NEO can be configured for U2F and other modes using the NEO Manager.
Where you can use YubiKey NEO or YubiKey NEO-n
The YubiKey NEO and NEO-n can be used for securing access to a wide range of applications, including remote access and VPN, password managers, computer login, Gmail login, GitHub login, Dropbox login, content management systems, popular online services, and much more. Find out more about the range of open source and enterprise solutions on our YubiKey for Business and YubiKey for Individuals pages.
To use the YubiKey NEO as a PIV-compliant smart card, find out more at YubiKey NEO and PIV.
OpenPGP and YubiKey NEO
Yubico has learned of a security issue with the OpenPGP Card applet project that is used in the YubiKey NEO. This vulnerability applies to you only if you are using OpenPGP, and if you have the OpenPGP applet version 1.0.9 or earlier. Read the blog or security advisory for more information.
Special YubiKey NEO Features
- Works on Microsoft Windows, Mac OS X, and Linux operating systems; major browsers; and Android NFC phones and tablets
- Supports multiple authentication protocols, including YubiKey OTP, smart card, and FIDO Alliance U2F
- Mobile authentication through NFC contactless technology (NDEF type 4), works with Android and other devices (NEO only)
- MIFARE Classic, for legacy physical access control systems
- Hardware secure elements secure your encryption keys
- Note that the YubiKey NEO-n, in the smaller form factor, does not support NFC.
UNIVERSAL 2ND FACTOR
FIDO U2F breaks the mold for high-security public key hardware devices, removing the complexity of drivers, client software and the traditional costly CA model. With FIDO U2F, one single YubiKey NEO or YubiKey NEO-n can be used with any number of online services, with no user information and encryption keys shared between the service providers. In the near future, large scale online services will support FIDO U2F, enabling users to own and control their single and secure online identity for any number of services. The U2F protocol passed a significant milestone in June 2015, adding new transport protocols that address support for mobile devices.
Integrate YubiKey NEO Support
Learn how you can add YubiKey NEO authentication to your site or service at our developer site.
Start your YubiKey
If you already have a YubiKey NEO or YubiKey NEO-n, try it out here.
What are my benefits when using the OTP+U2F+CCID configuration?
When using the YubiKey NEO or NEO-n in OTP+U2F+CCID mode, users can access every feature of their device to secure their online accounts. On the same YubiKey, at the same time, users can use U2F to secure their Gmail account, access services like LastPass, as well as secure their communication using applets loaded on their device, such as the OpenPGP applet.
Please visit our applications page to see the many applications and use cases that NEO supports.
Can I use my U2F-enabled YubiKey NEO device to enable strong two-factor authentication for my enterprise?
Any online service or application can integrate with the U2F protocol. One of our key partners, Duo Security, is the first to offer enterprise server solutions supporting U2F. You can learn more about Duo Security and U2F.
How many services can the YubiKey NEO/NEO-n be associated with?
There is no practical limit to the number of U2F-secured services the YubiKey NEO/NEO-n can be associated with. During the registration process, the key pair is generated on the device (secure element) but is not stored on the YubiKey NEO/NEO-n. Instead, the key pair (public key and encrypted private key) is stored by each relying party/service that initiated the registration. This approach therefore allows an unlimited number of services to be associated with the YubiKey NEO/NEO-n.
This means the same U2F YubiKey you use for Gmail or Google Apps can be used with your GitHub and Dropbox accounts.
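The sketch below is an added illustration of the design described above, not Yubico's code: the token keeps one master secret and hands each service a sealed key handle, so device storage does not grow with the number of registrations. The HMAC-SHA256 pad-and-MAC sealing, the 32 random bytes standing in for an EC private key, the binding of each handle to the service's appId, and all class, function and appId names are assumptions; the page does not specify the real wrapping scheme.

```python
import hashlib
import hmac
import secrets


class StatelessToken:
    """Toy U2F token: its only persistent state is one master secret."""

    def __init__(self):
        self._master = secrets.token_bytes(32)  # never leaves the device

    def _keys(self, app_id, nonce):
        # One-time pad and MAC key bound to this appId and this registration.
        seed = hmac.new(self._master, app_id + nonce, hashlib.sha256).digest()
        return (hashlib.sha256(b"enc" + seed).digest(),
                hashlib.sha256(b"mac" + seed).digest())

    def register(self, app_id):
        """Return (key_handle, key_id); the relying party stores both."""
        private = secrets.token_bytes(32)  # stand-in for a P-256 private key
        nonce = secrets.token_bytes(16)
        pad, mac_key = self._keys(app_id, nonce)
        sealed = bytes(a ^ b for a, b in zip(private, pad))
        tag = hmac.new(mac_key, nonce + sealed, hashlib.sha256).digest()
        key_id = hashlib.sha256(private).hexdigest()  # stand-in for the public key
        return nonce + sealed + tag, key_id

    def unwrap(self, app_id, handle):
        """Return the private key, or None if the handle fails verification."""
        if len(handle) != 80:
            return None
        nonce, sealed, tag = handle[:16], handle[16:48], handle[48:]
        pad, mac_key = self._keys(app_id, nonce)
        good = hmac.new(mac_key, nonce + sealed, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            return None
        return bytes(a ^ b for a, b in zip(sealed, pad))


def register_many(token, count):
    """Simulate `count` relying parties (constructed appIds) each storing a handle."""
    stored = {}
    for i in range(count):
        app_id = f"https://service{i}.example".encode()
        stored[app_id] = token.register(app_id)
    return stored
```

A handle issued for one service fails verification when presented under another service's appId or to a different token, which is why a relying party holding the encrypted private key cannot use it anywhere else.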
How can I set up my Linux instance for use with U2F?
We advise everyone to install the YubiKey NEO Manager software. The latest version of this software can be found here: https://developers.yubico.com/yubikey-neo-manager/Releases/
If you have a YubiKey NEO or YubiKey NEO-n, ensure you have unlocked the U2F mode by following these instructions:
- If you have a Security Key by Yubico (blue color) U2F is enabled by default (only U2F mode is supported on this product!).
and download or create a copy of the file named 70-u2f.rules into the Linux directory /etc/udev/rules.d/.
If this file is already there, ensure that its content exactly matches the one provided on github.com/Yubico (link above).
Save the file and reboot your system.
Ensure that you are running Google Chrome 38 or later. From Chrome version 39 and later, you can use the YubiKey NEO or NEO-n in U2F+HID mode.
NOTE: This applies only to the YubiKey NEO and NEO-n; the Security Key by Yubico supports only U2F mode, which is enabled by default.
When can I purchase a YubiKey NEO with FIDO U2F or can I upgrade my current YubiKey NEO?
YubiKey NEO and YubiKey NEO-n devices have shipped with firmware version 3.3 since Oct. 1, 2014, which includes U2F support along with other protocols including Yubico OTP and smart card functionality. YubiKey NEOs are not upgradable based on best security practices. There is a “no upgrade” policy for our devices since nothing, including malware, can write to the firmware. For more information see our blog YubiKey and BadUSB.
How does the YubiKey NEO work with my mobile device?
YubiKey NEO has NFC contactless technology capabilities so you can use your YubiKey NEO on any Android device that supports NFC. Please note that the YubiKey NEO-n, in the smaller form factor, does not support NFC.
Does my YubiKey NEO support U2F over NFC?
Yes! All YubiKey NEO devices manufactured as of February 10, 2015 supported the current FIDO U2F specification for NFC. To verify you have a YubiKey NEO that supports NFC, check that your YubiKey is running firmware version 3.4.0 or later. To check your firmware version, use the YubiKey NEO Manager or YubiKey Personalization Tool. (Note that the YubiKey NEO-n does not support NFC due to the smaller form factor.)
For more information on the spec, see FIDO Alliance Equips U2F Protocol for Mobile and Wireless Applications.
Can the YubiKey NEO be used as a Smart Lock device for Android Lollipop?
Yes, the YubiKey NEO can be used as an NFC tag registered for Smart Lock on Android Lollipop devices. For more information, see the Android support page.
Note: Android’s Smart Lock feature uses a static 7-byte ID, which does not conform to Yubico’s security threshold standards. We recommend users consider this feature a convenience and not a strong authentication replacement.
What is the OpenPGP vulnerability, and does it affect me?
This vulnerability applies to you only if you are using OpenPGP, and if you have the OpenPGP applet version 1.0.9 or earlier. You can continue to use your YubiKey NEO without worry. Yubico learned (in April 2015) of a security issue with the OpenPGP Card applet project that is used in the YubiKey NEO. The OpenPGP applet is used for signing and encrypting using a private key that you store on the YubiKey NEO. For more information on the vulnerability, see the security advisory.
How many credentials can I program on my YubiKey?
On the YubiKey NEO and YubiKey NEO-n, there are two “configuration slots” on each key. You can program each slot with a single credential, such as one for OTP and one for Challenge Response (such as for Microsoft Windows or Mac OS X account login) or static password. You can use the Yubico Authenticator app (or YubiOATH applet) to store an unlimited number of OATH-TOTP credentials. In addition, you can have an unlimited number of U2F credentials on these YubiKeys that support the U2F protocol.