The YubiKey 4 is the strong authentication bullseye the industry has been aiming at for years, enabling one single key to secure an unlimited number of applications.
Yubico’s 4th generation YubiKey is built on high-performance secure elements. It includes the same range of one-time password and public key authentication protocols as in the YubiKey NEO, excluding NFC, but with stronger public/private keys, faster crypto operations and the world’s first touch-to-sign feature.
With the YubiKey 4 platform, we have further improved our manufacturing and ordering process, enabling customers to order exactly what functions they want in 500+ unit volumes, with no secrets stored at Yubico or shared with a third-party organization. The best part? An organization can securely customize 1,000 YubiKeys in less than 10 minutes.
For customers who require NFC, the YubiKey NEO is our full-featured key with both contact (USB) and contactless (NFC, MIFARE) communications.
Latest updates to YubiKey 4
- YubiKey 4 and YubiKey 4 Nano have gained a new Personal Identity Verification (PIV) attestation capability that validates where the cryptographic keys were created and the attestation entity used to attest the key
- YubiKey 4 Nano has a new “molded” form factor, which makes it impossible to insert the Nano in backwards, and provides a waterproof environment
- The YubiKey 4 and YubiKey 4 Nano firmware have received an upgrade that adds a “touch-policy cache” for Microsoft Windows login
Where you can use YubiKey 4
The YubiKey 4 and YubiKey 4 Nano can be used to secure access to a wide range of applications, including remote access and VPN, password managers, computer login, FIDO U2F login (Gmail, GitHub, Dropbox, etc.), content management systems, and much more. Find out more about the range of open source and enterprise solutions on our YubiKey for Business and YubiKey for Individuals pages.
Special YubiKey 4 Features
- Works on Microsoft Windows, Mac OS X, Linux operating systems, and on major browsers
- Supports multiple authentication protocols, including Yubico OTP, smart card (PIV), and FIDO U2F
- Hardware secure elements guard your encryption keys
- RSA 4096 for OpenPGP
- Support for PKCS#11
UNIVERSAL 2ND FACTOR
FIDO U2F is an emerging open authentication standard, with native support in platforms and browsers. U2F breaks the mold for high security public key authentication, removing the complexity of drivers, specialized client software, and the traditional costly CA model. With FIDO U2F, one single YubiKey 4 or YubiKey 4 Nano supports any number of online services, with no user information or encryption keys shared between the service providers. Learn more about FIDO U2F.
Integrate YubiKey 4
Learn how you can add YubiKey 4 authentication to your site or service at our developer site. The YubiKey 4 can be configured for the various functions using our free and open source tools available on our Downloads site. To use the YubiKey as a PIV-compliant smart card, find out more at YubiKey and PIV.
Start your YubiKey
If you already have a YubiKey 4 or YubiKey 4 Nano, try it out here.
What are my benefits when using the OTP+U2F+CCID configuration?
When using the YubiKey 4 or YubiKey 4 Nano in OTP+U2F+CCID mode, you can access every feature of your device to secure your online accounts. On the same YubiKey, at the same time, you can use U2F to secure your Gmail account, access services like LastPass, as well as secure your communication using applets loaded on your device, such as the OpenPGP applet.
Can I use my U2F-enabled YubiKey 4 device to enable strong two-factor authentication for my enterprise?
Any online service or application can integrate with the U2F protocol. One of our key partners, Duo Security, is the first to offer enterprise server solutions supporting U2F. You can learn more about Duo Security and U2F.
How many services can the YubiKey 4/YubiKey 4 Nano be associated with?
There is no practical limit to the number of U2F-secured services the YubiKey 4/YubiKey 4 Nano can be associated with. During the registration process, the key pairs are generated on the device (secure element), but they are not stored on the YubiKey 4/YubiKey 4 Nano. Instead, the key pair (public key and encrypted private key) is stored by each relying party/service that initiated the registration. This approach therefore allows an unlimited number of services to be associated with the YubiKey 4/YubiKey 4 Nano.
This means the same U2F YubiKey you use for Gmail or Google Apps can be used with your GitHub and Dropbox accounts.
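The storage model described above, as an added Python sketch that is not Yubico's code or its actual algorithm: the token keeps one device secret, wraps each new private key for a given service, and hands the wrapped key back as a "key handle" for the service to store. The class ToyU2FToken, the example.com-style app IDs, the XOR-plus-HMAC wrapping and the random bytes standing in for a real key pair are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

class ToyU2FToken:
    """Illustrative model only: one device secret, no per-service storage."""

    def __init__(self):
        self._device_secret = os.urandom(32)  # stays inside the secure element

    def _derive(self, app_id: str, nonce: bytes):
        # Per-credential wrapping keys bound to this device AND this service.
        app_hash = hashlib.sha256(app_id.encode()).digest()
        okm = hmac.new(self._device_secret, nonce + app_hash, hashlib.sha512).digest()
        return okm[:32], okm[32:]  # (encryption key, MAC key)

    def register(self, app_id: str):
        """Return (key fingerprint, key handle); the token keeps neither."""
        private_key = os.urandom(32)  # stand-in for a freshly generated private key
        nonce = os.urandom(16)
        enc_key, mac_key = self._derive(app_id, nonce)
        wrapped = bytes(a ^ b for a, b in zip(private_key, enc_key))
        tag = hmac.new(mac_key, nonce + wrapped, hashlib.sha256).digest()
        return hashlib.sha256(private_key).hexdigest(), nonce + wrapped + tag

    def unwrap(self, app_id: str, key_handle: bytes):
        """Recover the private key, or None if the handle is not ours."""
        if len(key_handle) != 16 + 32 + 32:
            return None
        nonce, wrapped, tag = key_handle[:16], key_handle[16:48], key_handle[48:]
        enc_key, mac_key = self._derive(app_id, nonce)
        expected = hmac.new(mac_key, nonce + wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # wrong token, wrong service, or tampered handle
        return bytes(a ^ b for a, b in zip(wrapped, enc_key))

def demo():
    token, other_token = ToyU2FToken(), ToyU2FToken()
    fp, handle = token.register("https://mail.example")  # constructed app ID
    key = token.unwrap("https://mail.example", handle)
    return {
        "same_token_same_service": key is not None and hashlib.sha256(key).hexdigest() == fp,
        "same_token_other_service": token.unwrap("https://code.example", handle) is None,
        "other_token": other_token.unwrap("https://mail.example", handle) is None,
        "token_state_fields": list(vars(token)),
    }

if __name__ == "__main__":
    print(demo())
```

Because the handle only unwraps on the token that created it and for the service it was created for, a handle leaked from one service is of no use at another, and the token's own state never grows with the number of registrations.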
How can I set up my Linux instance for use with U2F?
We advise everyone to install the YubiKey NEO Manager software. The latest version of this software can be found here: https://developers.yubico.com/yubikey-neo-manager/Releases/
If you have a YubiKey 4/YubiKey 4 Nano, ensure you have unlocked the U2F mode by following these instructions:
- If you have a Security Key by Yubico (blue color), U2F is enabled by default (only U2F mode is supported on this product!).
and download or create a copy of the file named 70-u2f.rules into the Linux directory /etc/udev/rules.d/.
If this file is already there, ensure that its content exactly matches the one provided on github.com/Yubico (link above).
Save the file and reboot your system.
Ensure that you are running Google Chrome 38 or later. From Chrome version 39 and later, you can use the YubiKey 4 or YubiKey 4 Nano in U2F+HID mode.
NOTE: This applies only to the YubiKey 4 or YubiKey 4 Nano. The Security Key by Yubico supports only U2F, and this mode is enabled by default.
When can I purchase a YubiKey 4 with touch-to-sign, or can I upgrade my current YubiKey?
YubiKey 4 and YubiKey 4 Nano devices are available as of November, 2015 (firmware 4.2.6) and include touch-to-sign support along with other protocols including Yubico OTP, FIDO U2F, and smart card functionality. YubiKeys are not upgradable based on best security practices. There is a “no upgrade” policy for our devices since nothing, including malware, can write to the firmware. For more information see our blog YubiKey and BadUSB.
Does the YubiKey 4 work with my mobile device using NFC?
YubiKey 4 does not have NFC capabilities. If you need NFC, we recommend that you use the YubiKey NEO, which works on any Android device that supports NFC.
Note that the YubiKey NEO does not work with iOS devices, such as iPhones. Once Apple opens up support for NFC to third-party developers it may be possible. Subscribe to our bi-monthly newsletter and blog to stay up-to-date on the latest information.
How many credentials can I program on my YubiKey?
On the YubiKey 4 and YubiKey 4 Nano, there are two “configuration slots” on each key. You can program each slot with a single credential, such as one for OTP and one for Challenge-Response (such as for Microsoft Windows or Mac OS X account login) or static password. You can configure the YubiKey as a smart card (PIV) and program the YubiKey for touch-to-sign. You can store up to 32 OATH credentials (TOTP or HOTP) on the YubiKey 4 and access them using the Yubico Authenticator companion application. In addition, you can have an unlimited number of U2F credentials on these YubiKeys that support the U2F protocol.
Can I add OTP to the YubiKey I received at DockerCon?
Yes, you can! The YubiKey 4 Nano you received at DockerCon was a specially programmed YubiKey, programmed for U2F+CCID only. You can add Yubico One-Time Password (OTP) functionality to the YubiKey using the YubiKey NEO Manager, available on our Downloads page. Install the application, insert the YubiKey, click the button to Change Connection Mode, and select the checkbox for OTP (if the option is not already selected).
Why isn’t the YubiKey I received at DockerCon recognized by the YubiKey Personalization Tool?
The YubiKey 4 Nano you received at DockerCon was a specially programmed YubiKey, programmed for U2F+CCID only. In order to use the YubiKey Personalization Tool, the YubiKey needs to be configured in OTP mode also. You can add OTP mode to the YubiKey using the YubiKey NEO Manager, available on our Downloads page. Install the application, insert the YubiKey, click the button to Change Connection Mode, and select the checkbox for OTP (if the option is not already selected).
Tip: The Personalization Tool (available in several versions, as both a graphical interface and a command line interface, for Windows, Mac OS X and Linux) is also available on our Downloads page.