1. The Basics

What is a YubiKey?

A YubiKey is a small hardware device that offers two-factor authentication with a simple touch of a button. YubiKeys are built strong enough for the largest enterprises, while remaining simple enough for anyone to use. YubiKeys support FIDO U2F, Yubico-OTP, OATH-OTP, OATH-HOTP, OATH-TOTP, OpenPGP, and PIV, and one security key can support an unlimited number of applications without the need for drivers, client software, or batteries. The YubiKey NEO offers both contact (USB) and contactless (NFC, MIFARE) communications.


Do I need to install anything on my computer to use the YubiKey?

YubiKey does not require drivers, client software, or batteries.

What is two-factor authentication (2FA)?

Two-factor authentication is a strong authentication method where the user provides two types of identification. Two-factor authentication combines something you know (a PIN or a password) with something you have (a physical device like a YubiKey). The physical device must be capable of interacting with a computer and transmitting a unique ID. The YubiKey will work with any computer that can support a USB keyboard, and can uniquely identify itself with the one-time password it generates, making it an excellent device for two-factor authentication.

What is a One-Time Password (OTP)?

A One-Time Password (OTP) is a password valid only for a single use and, once used, cannot be used again for authentication. A Yubico OTP is a unique sequence of characters generated every time the YubiKey button is touched. The Yubico OTP consists of a sequence of 32 Modhex characters representing information encrypted with a 128-bit AES key.

The information that makes up a Yubico OTP consists of:

  1. The Private identity of the YubiKey
  2. Counter fields tracking how often the YubiKey has been used
  3. A Timer field tracking the time between generating each OTP
  4. A Random number to add additional security to the encryption
  5. A closing CRC16 checksum of all the fields

Read more about the Yubico OTP
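
The field list above, as a validation server sees it after AES decryption: this is an added example, not Yubico's code, that decodes ModHex, checks the closing CRC16, splits the 16-byte block into its fields and applies a counter-based replay check. The byte widths and CRC parameters follow Yubico's published OTP format rather than anything spelled out on this page, the AES step is left out to stay within the standard library, and all function names and sample values are constructed for illustration.

```python
import struct
from typing import NamedTuple, Optional, Tuple

MODHEX = "cbdefghijklnrtuv"  # ModHex digit i stands for hex digit i
CRC_OK_RESIDUE = 0xF0B8      # crc16() over a complete, intact 16-byte block
LAYOUT = "<6sHHBBHH"         # little-endian field widths, 16 bytes in total


class Token(NamedTuple):
    private_id: bytes      # 1. private identity (6 bytes)
    use_counter: int       # 2. counter, bumped on first OTP after power-up
    timestamp: int         # 3. 24-bit timer
    session_counter: int   # 2. counter, bumped on every OTP in a session
    random: int            # 4. random number
    crc: int               # 5. closing CRC16


def modhex_decode(text: str) -> bytes:
    """Decode the ModHex transport encoding (two characters per byte)."""
    if len(text) % 2:
        raise ValueError("ModHex string must have an even length")
    try:
        digits = [MODHEX.index(ch) for ch in text.lower()]
    except ValueError:
        raise ValueError("character outside the ModHex alphabet") from None
    return bytes(hi << 4 | lo for hi, lo in zip(digits[0::2], digits[1::2]))


def crc16(data: bytes) -> int:
    """Reflected CRC16 (polynomial 0x8408, initial value 0xFFFF)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def parse_block(block: bytes) -> Token:
    """Split a decrypted OTP block into fields, rejecting a bad checksum."""
    if len(block) != 16:
        raise ValueError("decrypted OTP block must be exactly 16 bytes")
    if crc16(block) != CRC_OK_RESIDUE:
        raise ValueError("CRC16 mismatch: wrong AES key or corrupted OTP")
    uid, ctr, ts_low, ts_high, use, rnd, crc = struct.unpack(LAYOUT, block)
    return Token(uid, ctr, ts_high << 16 | ts_low, use, rnd, crc)


def is_fresh(token: Token, last_seen: Optional[Tuple[int, int]]) -> bool:
    """Replay check: the counter pair must be strictly above the last accepted."""
    current = (token.use_counter, token.session_counter)
    return last_seen is None or current > last_seen


def build_sample_block(uid: bytes, ctr: int, ts: int, use: int, rnd: int) -> bytes:
    """Constructed plaintext block for the demo (what AES decryption would yield)."""
    body = struct.pack("<6sHHBBH", uid, ctr, ts & 0xFFFF, ts >> 16, use, rnd)
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)


if __name__ == "__main__":
    block = build_sample_block(b"\x01\x02\x03\x04\x05\x06", 19, 0x01ABCD, 2, 0x1234)
    token = parse_block(block)
    print(token, is_fresh(token, (19, 1)))
```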

2. The YubiKey

How can I back up my YubiKey?

It is not possible to create an exact copy of a YubiKey, but in some cases it is possible to make a copy of the credentials stored in the YubiKey.

YubiKeys are by design write-only, which means that the secrets of a credential can only be written into the device and not read out of it. If a credential is to be copied, it must therefore be known beforehand, either noted down while programming the YubiKey or retrieved from the configuration log created during programming. Furthermore, only some credentials can be copied: Static Password and Challenge-Response credentials can be copied; Yubico OTP and OATH-HOTP credentials cannot.

To store a Static Password credential for later use, simply store the string entered if you intend to program it in scan code mode and the values in the “Password Parameters” window if you intend to program it in advanced mode. To store a Challenge-Response credential, store the values entered in their respective “Parameters” windows.

To use another YubiKey for a backup in a system that implements either Yubico OTP or OATH-HOTP credentials, you may be given the option to associate multiple YubiKeys with your account. If you do not find those options, please contact the administrator for that service directly.

What lanyards can I use with my YubiKey?

Conductive lanyards should not be used with the YubiKey Nano as they might cause unwanted interference with the touch sensor. Other than that, there are no other restrictions.

Before using a lanyard with the YubiKey Nano, please note that YubiKey Nanos are not designed for frequent insertion and removal. Use of a lanyard is thus up to each user’s individual discretion.

Can I use the YubiKey with an iOS device (iPad, iPhone)?

Yes – the YubiKey can be connected to an iPad or iPhone using Apple’s Camera Connection Kit (iPhone 4) or Lightning to USB Camera Adapter (iPhone 5). Core YubiKey functions (Yubico OTP, Static Password, etc) are supported, CCID functions are not. For more information, please see: http://www.yubico.com/start/ipad/

UPDATE: We have found that iPads after the iPad 3 (iPad 4, Air, etc.) will not work properly with the YubiKey. This is due to changes in Apple firmware that we have no control over. As such, if iPad support is critical for you, please consider options other than the YubiKey.

Is the YubiKey a biometric device?

No. The touch of a finger provides a small electrical charge that activates the YubiKey.

How can I activate U2F on my YubiKey NEO or NEO-N?

The YubiKey NEO and NEO-N can be configured for U2F and other modes using the NEO Manager.

Does the YubiKey work with USB3 Ports?

The YubiKey is a USB1/2 device (similar to any other USB keyboard) and it works with USB3 thanks to backward compatibility support. If you are experiencing issues with your USB3 port, please try the following:
- Test that the YubiKey is working correctly on a USB2 port.
- Download and install the latest drivers for your USB3 interface. A common producer of USB3 interfaces is NEC; please research what type of hardware you have and which driver is the right one to use.
- Plug a USB hub into your USB3 port, then plug the YubiKey into one of the hub's ports. If the YubiKey works, then it could be a mechanical problem with the USB interface.

I keep triggering my Nano inadvertently. What should I do?

1. Turn off FastTrigger (Settings -> Extended Settings) – you will then need to touch the YubiKey Nano for at least half a second to emit an OTP.
2. For an even longer wait time, consider moving the configuration to the second slot.
3. For OS X users, the taskbar application YubiSwitch will turn off your YubiKey Nano automatically after a period of inactivity.

My YubiKey NEO is not being detected by my NFC-capable device. What should I do?

Please follow these steps to troubleshoot your device.

1. Make sure that your device’s NFC is toggled on.

2. Position your YubiKey NEO as close to the NFC antenna (of your device) as you can and hold it there for two to three seconds. Due to the small size of the YubiKey NEO and its antenna, the YubiKey NEO needs to be a lot closer to the device’s NFC antenna.

3. If the YubiKey NEO registers but does not work, please download the Android app TagInfo by NXP, scan your YubiKey NEO and attach the data (you can export it via email or other means) when you raise a ticket with support@yubico.com.

4. If this does not work, please attempt to test your YubiKey NEO with another NFC-capable device and/or test your NFC-capable device with an NFC tag before raising a ticket here.

Is my device compatible with the YubiKey?

This depends on how you are planning to use the YubiKey.

For standard YubiKey functionality (Yubico OTP, OATH-HOTP, Challenge-Response, Static Password) over USB, YubiKeys use the same drivers as USB keyboards. If your device supports USB keyboards, it will work with the YubiKey. If your device does not load the driver, please try plugging in a USB keyboard first.

For standard YubiKey functionality over NFC, the YubiKey NEO uses the NDEF4 standard. If your device supports this standard, it will work with the YubiKey.

For SmartCard functions, the YubiKey NEO uses the ISO 7816-4 standard over USB and the ISO 14443-4 standard over NFC. If your device supports these standards, it will work with the YubiKey.

What is the default NDEF4 tag of the YubiKey NEO?

The YubiKey NEO is shipped with its NDEF4 tag programmed to emit a URI of the form https://my.yubico.com/neo/[OTP].

What modes can I use with the YubiKey NEO’s NDEF interface?

The following features are available over the YubiKey NEO’s NDEF interface.

- Yubico OTP
- Static Password (Advanced Mode)

What is a YubiKey?

A YubiKey is a One-Time Password (OTP) generator device. It generates a unique sequence of characters as an OTP every time its button is pressed. As the term suggests, a One-Time Password is valid only for a single use and cannot be used again for authentication. YubiKeys are typically used in implementing strong two-factor authentication solutions which provide much stronger security when compared to using only a username and password. The YubiKey supports multiple types of configurations and may be used to generate One-Time Passwords as well as static passwords.

Read more about the YubiKey

The YubiKey acts as a simple one-button generic USB keyboard which may be used from any computer platform or browser without needing to install any client software or special drivers.

The YubiKey has two configuration slots. When a YubiKey is configured to use both slots, the user may select between the configured outputs by pressing the button on the YubiKey for different lengths of time:

  1. Short press (0.3 – 1.5 seconds) and release – OTP from configuration slot #1 is yielded
  2. Long press (2.5 – 5 seconds) and release – OTP from configuration slot #2 is yielded

More information can be found in Section 4 of the YubiKey Manual.

Is it possible to upgrade the YubiKey firmware?

No, it is currently not possible to upgrade YubiKey firmware. To prevent attacks on the YubiKey which might compromise its security, the YubiKey does not permit its firmware to be accessed or altered.

Yubico is dedicated to providing a long-term two-factor authentication solution, and we want your YubiKey to remain useful for the full extent of its lifetime. When we do release new firmware, we ensure the new YubiKey will function the same as with older versions, so there is no need to purchase new YubiKeys to ensure compatibility.

Why does the YubiKey act as a keyboard?

To allow the YubiKey to be compatible across multiple hardware platforms and Operating Systems, the YubiKey acts as a USB keyboard to the OS. This design provides several advantages including:

  1. Virtually all mainstream Operating Systems have built-in USB keyboard support.
  2. Since the YubiKey uses generic keyboard drivers, there are no special drivers that need to be installed to use the YubiKey.
  3. In organizations where USB ports are blocked for security concerns the use of USB keyboards, and thus the YubiKey, is still permitted.
  4. The user does not have to manually enter an OTP generated by the authentication device on the authentication screen of the application(s). The YubiKey user simply needs to click in the input field for the OTP and touch the YubiKey button briefly. In addition to reducing the time spent on authentication, this also helps avoid potential human errors while typing in the OTP.

How can I check the firmware version of a YubiKey?

The Cross Platform Personalization tool will list the firmware version of a YubiKey plugged into the computer it is running on. The Firmware Version is displayed on the right side of the Personalization tool screen, above the serial number of the YubiKey.

What can I do with my YubiKey?

The YubiKey can be used in a large variety of ways. A non-exhaustive summary can be found on the Applications page.

Read more about YubiKey Applications

Can I use the YubiKey with my Mac?

Yes, the YubiKey can be used with any computer (including Mac) that has a standard USB 2.0 port and supports USB keyboards. The YubiKey identifies itself to the computer as a USB Keyboard, and is therefore OS independent. It works with Windows, Linux, OS X, iOS (iPad/iPad 2/iPad 3 only), PS3, Xbox360, Wii etc. without requiring the installation of any device drivers.

Can I use my YubiKey with my PC?

Yes, the YubiKey can be used with any computer (including PCs) that has a standard USB 2.0 port and supports USB keyboards. The YubiKey identifies itself to the computer as a USB Keyboard, and is therefore OS independent. It works with Windows, Linux, OS X, iOS (iPad/iPad 2/iPad 3 only), PS3, Xbox360, Wii etc. without requiring the installation of any device drivers.

My YubiKey is not working. What should I do?

Please attempt the following steps to troubleshoot your device.

In each of these steps, insert the YubiKey into the USB port, open a text editor (such as Notepad) and press the button on the YubiKey.

1. Use the YubiKey in a different USB Port on the same computer.
2. Use the YubiKey in a different computer.

Please then write to us with the following.

1. The output you see on the text editor.
2. The behaviour of the green LED both when you insert the YubiKey and when you touch the button.
3. The operating systems that were running on your computers.

What happens if I don’t have my YubiKey with me?

The answer depends on what options each application vendor and service provider offers users to address such a situation. It is common practice for the application/service to offer options to temporarily disable the need for YubiKey authentication and fall back to one-factor authentication for a certain duration (such as a day). Other applications may provide temporary OTPs over other communication channels, like SMS or email. Some applications may even support backup mobile tokens. But again, all these options need to be implemented by the application vendor/service provider in a way that suits their security requirements. Please check with any application or service to see how they handle situations where a user's YubiKey is unavailable.

3. U2F

Can I update my current YubiKey NEO for U2F?

YubiKey NEO and NEO-n devices have shipped with firmware version 3.3 since Oct. 1, which includes U2F support along with other protocols including Yubico OTP and smart card functionality.

YubiKey NEOs are not upgradable, in line with best security practices. There is a no-upgrade policy for our devices since nothing, including malware, can write to the firmware.

For more information see our blog YubiKey and BadUSB

Can I use my Security Key with multiple Gmail Accounts?

Yes, the same FIDO U2F Security Key can be used to secure multiple Gmail accounts.

What version of the Chrome browser supports the key?

You must be running Version 38 or above of the Chrome browser, which includes support for the U2F protocol. Click on “Chrome” in the toolbar of your browser to check the version number.

Can I use my Security Key to enable strong 2-factor authentication for my enterprise?

Any online service or application can integrate with the U2F protocol. One of our key partners, Duo Security, is the first to offer enterprise server solutions supporting U2F; you can learn more about Duo Security and U2F.

How can I setup my Linux instance for use with U2F?

We advise everyone to install the YubiKey NEO Manager software. The latest version of this software can be found here: https://developers.yubico.com/yubikey-neo-manager/Releases/

Step 1:

If you have a YubiKey NEO or YubiKey NEO-n, ensure you have unlocked the U2F mode by following these instructions:

  1. If you have a Security Key by Yubico (blue color) U2F is enabled by default (only U2F mode is supported on this product!)

Step 2:
Visit https://github.com/Yubico/libu2f-host/blob/master/70-u2f.rules
Download or create a copy of this file, named 70-u2f.rules, in the Linux directory /etc/udev/rules.d/

If this file is already there, please ensure that its content exactly matches the one provided on github.com/Yubico (link above).

Save your file. Reboot the machine.

Step 3:
Ensure that you are running Chrome 38 or above. From version 39 of Chrome you will be able to use the YubiKey NEO or NEO-n in U2F+HID mode.

NOTICE: This applies only to the YubiKey NEO and NEO-n; the Security Key by Yubico only supports U2F mode, which is enabled by default.

4. Get a YubiKey

How can I buy a YubiKey?

You can order YubiKeys online on our web store and via Amazon.com

Yubico Web Store

How much is the shipping cost when ordering YubiKeys online?

The shipping costs depend on where you want your YubiKeys shipped and how many YubiKeys are in your order. For most countries, there is a US$5 postage option for up to 3 YubiKeys.

US & Canada:
1-5 YubiKeys: US$5
> 5 YubiKeys: USPS tracked from US$15, FedEx, from US$40

Europe, Asia, Africa and Australia*:
1 – 3 YubiKeys: US$5
> 3 YubiKeys: DHL Express shipment, from US$20

Americas (except US & Canada):
1 YubiKey: US$5
2-10 YubiKeys: US$10
> 10 YubiKeys: USPS tracked from US$40, FedEx shipment, from US$85

Russian Federation:
1-100 Keys: US$54 via our delivery partner Mega Engineering

Please contact sales before ordering. We may only ship to companies and they must supply a C/R code. DHL Express is the only service we offer.

Please note that VAT is charged on shipping and handling in European Union countries.

Please make sure your shipping address is correct. If a shipment fails to arrive due to an incorrectly entered shipping address**, the appropriate shipping fee will be re-charged before the order is re-shipped.

* We have disabled the $5-option without tracking for a few countries where we experienced a high rate of non-delivery. This is to ensure that you will receive your YubiKeys when you order them.
** As the shipment might take up to 4 weeks to arrive, please do not use an address that will not be valid at least for that time. We will not be responsible for unsuccessful deliveries in such cases.

Why does the store show that my VAT number is invalid?

We use the VIES service (linked below) to validate VAT numbers. If your number does not validate, we cannot accept it. Please check if your number validates on the service and check with your local VAT authority if it does not.


5. Password Managers

How can I add a YubiKey to my LastPass account?

Please follow the instructions linked below to associate your YubiKey to your LastPass account.

YubiKey Authentication with LastPass

Where can I find my activation URL?

If you bought a LastPass Bundle from our store, your LastPass Premium subscription will be mailed to you in the form of an activation URL. This URL should be mailed to you from our store – if you do not find it, please log in to your account on the store and access your order history.

Which YubiKeys work with LastPass?

Any YubiKey (with the exception of the Security Key, which supports U2F only) can work with LastPass, including the standard YubiKey, YubiKey Nano and YubiKey NEO, as long as the YubiKey is configured with a Yubico OTP. Yubico and LastPass also offer a discounted bundle with YubiKey + LastPass Premium.

Read more about the discounted bundles

Does the YubiKey work with the LastPass Mobile Device Application?

The LastPass Mobile Device Application supports the YubiKey two-factor authentication at this time using the YubiKey NEO, except on the iPad/iPhone due to hardware limitations.

Read more on LastPass Mobile Support for the YubiKey NEO

How do I get a YubiKey to work with LastPass?

To enable the use of a YubiKey with LastPass you need to have a YubiKey and a LastPass premium account.

Read more about it

6. Development

How do I get an API-Key for YubiKey development?

To get your API key, please click here and enter a valid email address in conjunction with a Yubico OTP from any of your YubiKeys. The resulting page will show the generated Client ID (aka AuthID or API ID) and the generated API key (Secret Key). Make a note of both and use these two values in your client. Please wait 5 to 10 minutes after generating the key before testing so that the API key will be updated on all the YubiCloud servers. YubiKeys come with a lifetime subscription to our YubiCloud validation service – there are no additional fees for using the YubiCloud validation service.

Read more about Web API Clients

7. Security

What happens if I lose my YubiKey?

If you are using your YubiKey with a service and/or application, the policy for lost or stolen YubiKeys depends on how the service/application deals with the situation.

The simplest is if the site supports alternative authentication mechanisms, so that you can regain access to the account and can de-associate the lost YubiKey from your account, and associate your new YubiKey to the account.

For example, the LastPass Premium subscription allows users to configure up to 5 YubiKeys with a LastPass account, so they can continue to log in using other keys if one is lost. Read more about it here.

If you cannot regain access, typical sites have an authentication credential recovery mechanism. You would use that to regain access to your account, and to dissociate the YubiKey and then re-associate it again.

Applications/services may also provide other mechanisms for users/administrators to assign a new YubiKey in the case the user lost his/her original key. Please inquire directly to applications or services supporting the YubiKey on their policies.

Please see also our blog post on this topic.

Can a YubiKey be copied?

No, a YubiKey cannot be copied as the computer recognizes the YubiKey as a keyboard. The YubiKey types a One-Time Password (OTP) when the button is pressed. Click here for a technical description of the YubiKey.

What kind of encryption is used for your server security?

Yubico Validation Server supports HTTPS for secure communication with validation clients. Additionally, the validation protocol also (optionally) uses HMAC-SHA1 signatures on request and response to verify message integrity.

Read more about it
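
One way a validation client can check the HMAC-SHA1 signature on a response before trusting its status, as an added example that is not Yubico's client code. It follows Yubico's published validation protocol (sorted key=value pairs joined by `&`, Base64-encoded API key and signature), which this page does not spell out; the API key, OTP, nonce and timestamp are constructed sample values and the function names are hypothetical.

```python
import base64
import hashlib
import hmac

# Constructed sample values, not real credentials.
API_KEY_B64 = base64.b64encode(b"constructed-demo-key").decode("ascii")
SAMPLE_OTP = "c" * 12 + "bdefghijklnrtuvc" * 2
SAMPLE_NONCE = "a1b2c3d4e5f60718293a4b5c6d7e8f90"


def sign(params: dict, api_key_b64: str) -> str:
    """Base64 HMAC-SHA1 over sorted key=value pairs joined by '&' (h excluded)."""
    key = base64.b64decode(api_key_b64)
    line = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    mac = hmac.new(key, line.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def parse_response(body: str) -> dict:
    """Parse key=value lines; split on the first '=' only (Base64 pads with '=')."""
    fields = {}
    for raw in body.splitlines():
        key, sep, value = raw.strip().partition("=")
        if sep:
            fields[key] = value
    return fields


def verify_response(body: str, api_key_b64: str, sent_otp: str, sent_nonce: str) -> str:
    """Return 'accept' only for a correctly signed OK answer to this request."""
    fields = parse_response(body)
    expected = sign(fields, api_key_b64).encode("ascii")
    received = fields.get("h", "").encode("utf-8")
    # Constant-time comparison; a missing signature is treated as a bad one.
    if not hmac.compare_digest(received, expected):
        return "reject: bad signature"
    # A validly signed answer to some other request must not be reused here.
    if fields.get("otp") != sent_otp or fields.get("nonce") != sent_nonce:
        return "reject: otp or nonce mismatch"
    if fields.get("status") != "OK":
        return "reject: status " + fields.get("status", "missing")
    return "accept"


def make_sample_response(status: str, otp: str, nonce: str, api_key_b64: str) -> str:
    """Constructed server response for the demo, signed with the sample key."""
    fields = {"otp": otp, "nonce": nonce, "status": status,
              "t": "2015-01-01T00:00:00Z0000"}
    fields["h"] = sign(fields, api_key_b64)
    return "\r\n".join(f"{k}={v}" for k, v in fields.items()) + "\r\n"


if __name__ == "__main__":
    good = make_sample_response("OK", SAMPLE_OTP, SAMPLE_NONCE, API_KEY_B64)
    print(verify_response(good, API_KEY_B64, SAMPLE_OTP, SAMPLE_NONCE))
    forged = good.replace("status=OK", "status=REPLAYED_OTP")
    print(verify_response(forged, API_KEY_B64, SAMPLE_OTP, SAMPLE_NONCE))
```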

Where are Yubico’s servers located?

Yubico currently have five YubiCloud OTP validation servers. They are located around the world, distributed and synchronized to ensure that there is no single point of failure. Read more about the YubiCloud service and servers.

8. YubiHSM

What is the YubiHSM?

The YubiHSM is Yubico’s take on a practical HSM with great security, great quality, and a low cost of ownership. It does not provide all the physical security of other HSMs, but it protects your secrets from internet intrusion, such as someone gaining root access to the server.

Is the YubiHSM for symmetric encryption only?

YES – the YubiHSM at the current level does not support asymmetric cryptography. We may introduce support for asymmetric operations in a later version.

Is the YubiHSM security certified (FIPS 140 or similar)?

NO – we may consider this in the future for a premium version (due to cost). We will decide later on when the final functionality is fully defined and has been tested out thoroughly.

Is the YubiHSM protected against physical intrusion?

We don’t make any guarantees, but there is no easy way to read out the contents of the YubiHSM even with physical access. On top of that, the key store can be stored encrypted with AES-256 (passphrase needed on startup).

Are keys deleted on intrusion events?

The YubiHSM does not currently have any means of detecting intrusion events, but it may be configured to protect stored keys by encrypting them with AES-256.

Is the internal CPU a designated security CPU or just an ordinary COTS one?

It is currently an ordinary COTS CPU, selected for cost reasons.

Isn’t the above required to really protect the keys?

The main design objective with the YubiHSM is to protect keys from remote attacks. With that said, it is still non-trivial to retrieve keys from a YubiHSM even if it is stolen or physically compromised.

Why is USB CDC used rather than a custom driver?

This is because the Windows, Linux and Mac platforms all support USB CDC. USB CDC communication is very simple and straight-forward using normal file I/O functions.

The USB interface is only full-speed. Why not high-speed?

With the current design, the communication speed is not a practical performance limiting factor.

The internal YubiKey key storage is just 1024 entries. I want more!

We needed to set the limit somewhere and onboard storage represents a cost driver. We may introduce a version with more internal storage later on.

Can the device firmware be upgraded via USB, a.k.a. DFU?

No, we explicitly decided to not include an upgrade feature due to security concerns. The only interface and protocol available is USB CDC under firmware control.

9. YubiKey for Salesforce

What is a YubiKey?

A YubiKey is a small hardware device that offers two-factor authentication with a simple touch of a button. YubiKeys are built strong enough for the largest enterprises, while remaining simple enough for anyone to use. YubiKeys support FIDO U2F, Yubico-OTP, OATH-OTP, OATH-HOTP, OATH-TOTP, OpenPGP, and PIV, and one security key can support an unlimited number of applications without the need for drivers, client software, or batteries. The YubiKey NEO offers both contact (USB) and contactless (NFC, MIFARE) communications.


Do I need to install anything on my computer to use the YubiKey?

YubiKey does not require drivers, client software, or batteries.

Is the YubiKey a biometric device?

No. The touch of a finger provides a small electrical charge that activates the YubiKey.

Do I need to individually provision end-users?

No. Once the YubiKey for Salesforce app is installed, users can self-provision their YubiKeys as part of normal login. After typing in their username and password, they will be asked to associate a YubiKey with their account and complete a three-step registration process: insert the YubiKey, touch it when it lights, and click OK.

How does the OTP get validated?

The YubiKey for Salesforce Application validates the OTP against our YubiCloud service; however, organizations can build their own YubiKey OTP validation service using open source components we provide for free.

Can I use more than one YubiKey with my user account or use one YubiKey with multiple user accounts?

Currently, only one YubiKey can be assigned per user. We plan to provide this capability in the Salesforce Spring ’15 release.

How do you uninstall YubiKey for Salesforce Login Flow?

When uninstalling the YubiKey application, first deactivate the active flow, then uninstall the package from the “Installed Packages” list. Be advised that deactivated flows take 12 hours before being removed from the list of configured flows.