Basics

What is a YubiKey?

A YubiKey is a small hardware device that offers two-factor authentication with a simple touch of a button. YubiKeys are built strong enough for the largest enterprises, while remaining simple enough for anyone to use. The YubiKey NEO offers both contact (USB) and contactless (NFC, MIFARE) communications. YubiKeys support FIDO U2F, Yubico-OTP, OATH-OTP, OATH-HOTP, OATH-TOTP, OpenPGP, and PIV, and one security key can support an unlimited number of applications without the need for drivers, client software, or batteries. To learn more about the YubiKey, see YubiKey Hardware.

How do I store my YubiKey?

All YubiKeys are nearly indestructible. The standard-sized YubiKey (such as the YubiKey Standard, YubiKey NEO, YubiKey Edge, and FIDO U2F Security Key) is made of injection-molded plastic encasing the circuitry, while the exposed elements consist of military-grade hardened gold. Waterproof and crushproof, the standard-sized YubiKey attaches to your keychain alongside your house and car keys.

The smaller-format YubiKeys (YubiKey Nano, YubiKey NEO-n, and YubiKey Edge-n) can be placed on a lanyard and put on your keychain, but they are intended to be inserted in a USB port and not removed on a regular basis.

What is two-factor authentication (2FA)?

Two-factor authentication is a strong authentication method where the user provides two types of identification. Two-factor authentication combines something you know (a PIN or a password) with something you have (a physical device, such as a YubiKey). The physical device must be capable of interacting with a computer and transmitting a unique ID. The YubiKey works with any computer that can support a USB keyboard, and can uniquely identify itself with the one-time password it generates, making it an excellent device for two-factor authentication.

What is U2F?

U2F is an open authentication standard that enables keychain devices, mobile phones and other devices to securely access any number of web-based services instantly, with no drivers or client software needed. U2F was created by Google and Yubico, with contribution from NXP, and is today hosted by the open-authentication industry consortium, FIDO Alliance. For more information about YubiKey and U2F, see U2F – FIDO Universal 2nd Factor.

Is the YubiKey a biometric device?

No. The touch of a finger provides a small electrical charge that activates the YubiKey.

What is a One-Time Password (OTP)?

A One-Time Password (OTP) is a password valid only for a single use and, once used, cannot be used again for authentication. A Yubico OTP is a unique sequence of characters generated every time the YubiKey button is touched. The Yubico OTP consists of a sequence of 32 Modhex characters representing information encrypted with a 128-bit AES key.

The information that makes up a Yubico OTP consists of:

  1. The private identity of the YubiKey
  2. Counter fields tracking how often the YubiKey has been used
  3. A Timer field tracking the time between generating each OTP
  4. A Random number to add additional security to the encryption
  5. A closing CRC16 checksum of all the fields

For more information about which YubiKeys support the Yubico OTP, see YubiKey Hardware.
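The server-side handling of the fields listed above, as an added example that is not Yubico's code: it decodes the Modhex characters, checks the CRC16, and rejects an OTP whose counters have not advanced. The field widths and CRC parameters follow Yubico's published token layout rather than this page; `validate`, `no_cipher` and the sample values are constructed for illustration, and the sample is left unencrypted so that the AES-128 step is a caller-supplied function.

```python
import struct

MODHEX = "cbdefghijklnrtuv"   # modhex character at index i encodes hex digit i
CRC_OK_RESIDUE = 0xF0B8       # CRC-16 of a whole valid block, checksum included


def modhex_decode(text):
    """Convert modhex characters to bytes, two characters per byte."""
    if len(text) % 2:
        raise ValueError("modhex string must have an even length")
    try:
        nibbles = [MODHEX.index(ch) for ch in text.lower()]
    except ValueError:
        raise ValueError("non-modhex character in OTP") from None
    return bytes(hi << 4 | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def modhex_encode(data):
    return "".join(MODHEX[b >> 4] + MODHEX[b & 0x0F] for b in data)


def crc16(data):
    """CRC-16 (ISO 13239) without the final inversion, as used for the check."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def parse_block(block):
    """Split a decrypted 16-byte block into its fields after the CRC check."""
    if len(block) != 16:
        raise ValueError("decrypted OTP block must be 16 bytes")
    if crc16(block) != CRC_OK_RESIDUE:
        raise ValueError("CRC mismatch: wrong AES key or corrupted OTP")
    uid, ctr, t_lo, t_hi, use, rnd, _crc = struct.unpack("<6sHHBBHH", block)
    return {"private_id": uid.hex(), "usage_counter": ctr, "session_use": use,
            "timer": t_hi << 16 | t_lo, "random": rnd}


def validate(otp, decrypt_block, last_seen):
    """Decode, decrypt, check and replay-test one 32-character OTP.

    decrypt_block: caller-supplied AES-128 block decryption for this key.
    last_seen: (usage_counter, session_use) of the last accepted OTP.
    """
    if len(otp) != 32:
        raise ValueError("expected 32 modhex characters")
    fields = parse_block(decrypt_block(modhex_decode(otp)))
    if (fields["usage_counter"], fields["session_use"]) <= last_seen:
        raise ValueError("replayed OTP: counters did not advance")
    return fields


def build_sample_otp(uid, ctr, timer, use, rnd):
    """Constructed test vector, left unencrypted so only the stdlib is needed."""
    body = struct.pack("<6sHHBBH", uid, ctr, timer & 0xFFFF, timer >> 16, use, rnd)
    return modhex_encode(body + struct.pack("<H", ~crc16(body) & 0xFFFF))


def no_cipher(block):
    # Stand-in for AES-128 decryption; valid only for the constructed sample.
    return block


SAMPLE_OTP = build_sample_otp(bytes.fromhex("010203040506"), 19, 0x0A1B2C, 3, 0xBEEF)

if __name__ == "__main__":
    print(SAMPLE_OTP)
    print(validate(SAMPLE_OTP, no_cipher, last_seen=(19, 2)))
```

In a real validator, `decrypt_block` is AES-128 decryption with the key programmed into that YubiKey, and `last_seen` is stored per device after every accepted OTP.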

Can I use my YubiKey with my PC?

Yes, the YubiKey can be used with any computer (including PCs) that has a standard USB 2.0 port and supports USB keyboards. The YubiKey identifies itself to the computer as a USB keyboard, and is therefore OS independent. It works with Microsoft Windows, Linux, Apple Mac OS X, Apple iOS (iPad/iPad 2/iPad 3 only), Sony PS3, Microsoft Xbox360, Nintendo Wii, and so on, without requiring the installation of any device drivers.

Can I use the YubiKey with my Mac?

Yes, the YubiKey can be used with any computer (including Apple Macs) that has a standard USB 2.0 port and supports USB keyboards. The YubiKey identifies itself to the computer as a USB keyboard, and is therefore OS independent. It works with Microsoft Windows, Linux, Apple Mac OS X, Apple iOS (iPad/iPad 2/iPad 3 only), Sony PS3, Microsoft Xbox360, Nintendo Wii, and so on, without requiring the installation of any device drivers.

Can I use my YubiKey to log in to Windows?

Yes, you can! For more information on how to set up Windows login, see Windows Login Solutions.

Can I use the YubiKey with an iOS device (iPad, iPhone)?

Yes – the YubiKey can be connected to older iPad or iPhone devices using Apple’s Camera Connection Kit (iPhone 4) or with a Lightning to USB Camera Adapter (iPhone 5). Core YubiKey functions (Yubico OTP, Static Password, and so on) are supported; however, CCID functions are not. For more information, see How to start your YubiKey.

NOTE:  iPads after the iPad 3 (iPad 4, iPad Air, and so on) will not work properly with the YubiKey. This is due to changes in the Apple firmware over which we have no control. If iPad compatibility is critical for you, consider options other than the YubiKey.

How can I buy a YubiKey?

You can order YubiKeys online on our web store and via Amazon.com.

Yubico Web Store

For information about shipping costs, see shipping and buying information.

Do I need to install anything on my (or my users’) computer to use the YubiKey?

YubiKey does not require drivers, client software, or batteries.

What lanyards can I use with my YubiKey?

Conductive lanyards should not be used with the YubiKey Nano, YubiKey NEO-n, or YubiKey Edge-n as they might cause unwanted interference with the touch sensor. Other than that, there are no restrictions.

Before using a lanyard with the YubiKey Nano, YubiKey NEO-n, or YubiKey Edge-n, note that these YubiKeys in the smaller form factor are not designed for frequent insertion and removal. Therefore, use of a lanyard is up to each user’s individual discretion.

General Support Questions

Is my device compatible with the YubiKey?

This depends on how you are planning to use the YubiKey.

For standard YubiKey functionality (Yubico OTP, OATH-HOTP, Challenge-Response, Static Password) over USB, YubiKeys use the same drivers as USB keyboards. If your device supports USB keyboards, it will work with the YubiKey. If your device does not load the driver, try plugging in a USB keyboard first.

For standard YubiKey functionality over NFC, the YubiKey NEO uses the NDEF4 standard. If your device supports this standard, it will work with the YubiKey.

For smart card functions, the YubiKey NEO uses the ISO 7816-4 standard over USB and the ISO 14443-4 standard over NFC. If your device supports these standards, it will work with the YubiKey.

How can I back up my YubiKey?

It is not possible to create an exact copy of a YubiKey, but in some cases it is possible to make a copy of the credentials stored in the YubiKey.

YubiKeys are, by design, write-only devices. This means that the secrets of a credential can only be written into the device, not read out of it. If a credential is to be copied, it must be known beforehand, either written down (or copied) while programming the YubiKey using the YubiKey Personalization Tool, or by accessing the configuration log created during programming. Furthermore, only some credentials can be copied. Static Password and Challenge-Response credentials can be copied; however, the Yubico OTP and OATH-HOTP credentials cannot.

To store a Static Password credential for later use, save and then store the string entered in the YubiKey Personalization Tool if you are programming the YubiKey in scan code mode, or the values in the Password Parameters fields if you are programming the YubiKey in advanced mode.

To store a Challenge-Response credential, save and then store the values entered in their respective Parameters fields when programming the YubiKey using the YubiKey Personalization Tool.

You can also set logging in the YubiKey Personalization Tool to use Traditional format. Using this format, you can extract the information for both the Static Password and Challenge-Response credentials. Save the log file as a .csv, program the YubiKey, then save the log file again. You can compare the two files. (Note that there are no column headings in the log file.)

To use another YubiKey for a backup in a system that implements either Yubico OTP or OATH-HOTP credentials, you may be given the option to associate multiple YubiKeys with your account. For example, you can associate multiple keys with one LastPass Premium account. If you do not find options to associate multiple YubiKeys with your account, contact the administrator for that service directly.

What happens if I don’t have my YubiKey with me?

The answer depends on what options each application vendor and service provider offers users to address such a situation. It is common practice for an application or service to offer the option to temporarily disable the need for YubiKey authentication and fall back to one-factor authentication for a certain duration (such as a day). Other applications may provide temporary OTPs over other communication channels, like SMS or email. Some applications may even support backup mobile tokens. But again, all these options need to be implemented by the application vendor or service provider in a way that suits their security requirements. Check with the application or service provider to see how they handle the situation where your YubiKey is unavailable.

My YubiKey is not working. What should I do?

Use the following steps to troubleshoot your YubiKey.

In each of these steps, insert the YubiKey into a USB port, open a text editor (such as Notepad) and press the button on the YubiKey.

  1. Use the YubiKey in a different USB port on the same computer.
  2. Use the YubiKey in a different computer.

Then raise a ticket with Yubico Support and include the following information:

  1. The output you see on the text editor.
  2. The behavior of the green LED, both when you insert the YubiKey and when you touch the button.
  3. The operating systems that were running on your computers.

Does the YubiKey work with USB 3 Ports?

The YubiKey is a USB 1.0/2.0 device (similar to any other USB keyboard) and it works with USB 3 thanks to its backward compatibility support. If you are experiencing issues with your USB 3 port, try the following:

– Test that the YubiKey is working correctly on a USB 2.0 port.
– Download and install the latest drivers for your USB 3 interface. A common producer of the USB 3 is NEC. Research the type of hardware you have and ensure you have the correct drivers.
– Plug a USB hub in your USB port. Insert the YubiKey in one of the USB hub ports. If the YubiKey works, then it could be a mechanical problem with the USB interface.

I keep triggering my YubiKey Nano (or YubiKey NEO-n or YubiKey Edge-n) inadvertently. What should I do?

For Windows users:

  1. Using the YubiKey Personalization Tool, select Settings.
  2. Under the Extended Settings section, deselect the check box for Use fast triggering only if slot 1 is programmed.

You will need to touch the YubiKey for at least a half-second to emit an OTP. For an even longer wait time, consider moving the configuration to the second slot.

For Mac OS X users:

  • To turn off your YubiKey automatically after a period of inactivity, use the taskbar application, YubiSwitch.

My YubiKey NEO is not being detected by my NFC-capable device. What should I do?

Use the following steps to troubleshoot your device:

  1. Make sure that you have turned on NFC on your device.
  2. Position your YubiKey NEO as close to the NFC antenna (of your device) as you can and hold it there for two to three seconds. Due to the small size of the YubiKey NEO and its own antenna, the YubiKey NEO needs to be very close to the NFC antenna of the device.
  3. If the YubiKey NEO registers but does not work, log a support ticket with Yubico. To do this, download the Android app called TagInfo by NXP. Scan your YubiKey NEO and attach the data (you can export it via email or other means) when you raise the ticket with Yubico Support.
  4. If this does not work, attempt to test your YubiKey NEO with another NFC-capable device and/or test your NFC-capable device with an NFC tag before you raise a ticket with Yubico Support.

What is the default NDEF4 tag of the YubiKey NEO?

The YubiKey NEO is shipped with its NDEF4 tag programmed to emit a URI of the form https://my.yubico.com/neo/[OTP].

What modes can I use with the NDEF interface of the YubiKey NEO?

The following features are available over the NDEF interface of the YubiKey NEO:

– Yubico OTP
– OATH-HOTP
– Static Password (Advanced Mode)

The YubiClip App from the Google Play store can capture the output from the YubiKey NEO over NFC, and allow it to be pasted into any field on the Android device.

Is it possible to upgrade the YubiKey firmware?

No, it is currently not possible to upgrade YubiKey firmware. To prevent attacks on the YubiKey which might compromise its security, the YubiKey does not permit its firmware to be accessed or altered.

Yubico is dedicated to providing a long-term two-factor authentication solution, and we want your YubiKey to remain useful for the full extent of its lifetime. When we do release new firmware, we ensure the new YubiKey will function the same as older versions, so there is no need to purchase new YubiKeys to ensure compatibility.

How can I check the firmware version of a YubiKey?

The YubiKey Personalization Tool lists the firmware version of a YubiKey when it is inserted into the computer. The Firmware Version is displayed on the right side of the YubiKey Personalization Tool window, above the serial number of the YubiKey.

Why does the YubiKey act as a keyboard?

To allow the YubiKey to be compatible across multiple hardware platforms and operating systems, the YubiKey acts as a USB keyboard to the OS. This design provides several advantages including:

  1. Virtually all mainstream operating systems have built-in USB keyboard support.
  2. Since the YubiKey uses generic keyboard drivers, there are no special drivers that need to be installed to use the YubiKey.
  3. In organizations where USB ports are blocked for security concerns, the use of USB keyboards, and thus the YubiKey, is still permitted.
  4. You do not have to manually enter an OTP generated by the authentication device on the authentication screen of the application(s). As a YubiKey user, you just need to click in the input field for the OTP and touch the YubiKey button briefly. In addition to reducing the time spent on authentication, this also helps avoid potential human errors while typing in the OTP.

What can I do with my YubiKey?

The YubiKey can be used in a large variety of ways.

Password Managers

Which YubiKeys work with LastPass?

Any YubiKey in any form factor (with the exception of the Security Key, which supports U2F only) can work with LastPass, including the standard YubiKey, YubiKey NEO, and YubiKey Edge, as long as the YubiKey is configured with a Yubico OTP. Yubico and LastPass also offer a discounted bundle with YubiKey + LastPass Premium. For more information, see YubiKey with LastPass.

How can I add a YubiKey to my LastPass account?

For instructions on how to associate your YubiKey with your LastPass account, see YubiKey Authentication in the LastPass user manual.

How do I get a YubiKey to work with LastPass?

To use a YubiKey with LastPass, you need to have a LastPass Premium account. For more information about the benefits of using YubiKey to protect your LastPass account, see YubiKey with LastPass.

Does the YubiKey work with the LastPass Mobile Device Application?

The LastPass Mobile Device Application supports YubiKey two-factor authentication using the YubiKey NEO on Android devices. The YubiKey does not work with the LastPass Mobile Device Application on the iPad/iPhone due to hardware limitations on the Apple devices. For more information, see Introducing LastPass Mobile Support for the YubiKey NEO.

Where can I find my activation URL?

If you bought a LastPass Bundle from our store, your LastPass Premium subscription will be e-mailed to you from the Yubico Store in the form of an activation URL. If you do not find the activation URL, log in to your account on the store and access your order history.

Security

What happens if I lose my YubiKey?

If you are using your YubiKey with a service or application, the policy for lost or stolen YubiKeys depends on how that service or application deals with the situation.

The simplest recovery method is if the site supports alternative authentication mechanisms, so that you can regain access to the account and can delete (de-associate) the lost YubiKey from your account. You can then associate another (or a new) YubiKey to your account.

For example, the LastPass Premium subscription allows you to configure up to 5 YubiKeys with a LastPass account, so you can continue to log in using other keys if one is lost. For more information on how to disable a YubiKey with a LastPass account, see the LastPass Help Center.

If you cannot regain access, many sites have an authentication credential recovery mechanism. Use that to regain access to your account. You can de-associate the lost YubiKey, and then re-associate another key.

Applications or services may also provide other mechanisms for users or administrators to assign a new YubiKey in case the user has lost the original key. Contact the company supporting the YubiKey to find out about their policies.

For more information, see our blog post on best practices.

Can a YubiKey be copied?

No, a YubiKey cannot be copied as the computer recognizes the YubiKey as a keyboard. The YubiKey types a One-Time Password (OTP) when the button is pressed. For a technical description of each of the YubiKeys, see YubiKey Hardware.

What kind of encryption is used for your server security?

Yubico Validation Servers support HTTPS for secure communication with validation clients. Additionally, the validation protocol also (optionally) uses HMAC-SHA1 signatures on request and response to verify message integrity. For more information, see the YubiCloud Validation Service guide.
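How a validation client can use those HMAC-SHA1 signatures, as an added example that is not Yubico's client code: it signs a request and accepts a response only if its signature verifies, it echoes the same OTP and nonce, and its status is OK. The parameter names (`id`, `otp`, `nonce`, `h`, `status`, `t`) are those of the YubiCloud validation protocol; the API key, client ID, OTP, nonce and the `sample_response` stand-in for the server are constructed.

```python
import base64
import hashlib
import hmac


def sign(params, api_key_b64):
    """Base64 HMAC-SHA1 over the sorted key=value pairs, excluding h itself."""
    message = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    key = base64.b64decode(api_key_b64)   # the API key is issued base64-encoded
    digest = hmac.new(key, message.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_request(client_id, otp, nonce, api_key_b64):
    """Query parameters for one validation request, with the signature in h."""
    params = {"id": client_id, "otp": otp, "nonce": nonce}
    params["h"] = sign(params, api_key_b64)
    return params


def parse_response(body):
    """Responses are key=value lines; base64 padding may add '=' to a value."""
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            fields[key] = value
    return fields


def check_response(body, request, api_key_b64):
    """Return (accepted, reason); signature and echo checks precede status."""
    resp = parse_response(body)
    expected = sign(resp, api_key_b64)
    if not hmac.compare_digest(resp.get("h", "").encode(), expected.encode()):
        return False, "response signature invalid"
    if resp.get("otp") != request["otp"] or resp.get("nonce") != request["nonce"]:
        return False, "response does not match this request"
    status = resp.get("status", "")
    return status == "OK", "status=" + status


def sample_response(status, request, api_key_b64, nonce=None):
    """Stand-in for the server: builds and signs a constructed response body."""
    fields = {"otp": request["otp"], "nonce": nonce or request["nonce"],
              "status": status, "t": "2015-01-01T00:00:00Z0000"}
    fields["h"] = sign(fields, api_key_b64)
    return "\r\n".join(f"{k}={v}" for k, v in fields.items())


# Constructed sample data: not real credentials, OTPs or server output.
API_KEY = base64.b64encode(b"constructed-demo-key").decode()
REQUEST = build_request("1", "cbdefghijklnrtuv" * 2,
                        "0123456789abcdef0123456789abcdef", API_KEY)

if __name__ == "__main__":
    good = sample_response("OK", REQUEST, API_KEY)
    replayed = sample_response("REPLAYED_OTP", REQUEST, API_KEY)
    forged = replayed.replace("REPLAYED_OTP", "OK")   # edited without the key
    for body in (good, replayed, forged):
        print(check_response(body, REQUEST, API_KEY))
```

Checking the signature before reading `status` is what stops a modified response from turning a rejection into an acceptance; HTTPS protects the channel, and the HMAC ties the answer to the holder of the API key.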

Where are Yubico’s servers located?

Yubico currently has five YubiCloud OTP validation servers. They are located around the world, distributed and synchronized to ensure that there is no single point of failure. For more information, see the YubiCloud Validation Service guide.

U2F

What is U2F?

U2F is an open authentication standard that enables keychain devices, mobile phones and other devices to securely access any number of web-based services instantly, with no drivers or client software needed. U2F was created by Google and Yubico, with contribution from NXP, and is today hosted by the open-authentication industry consortium, FIDO Alliance. For more information about YubiKey and U2F, see U2F – FIDO Universal 2nd Factor.

How can I activate U2F on my YubiKey NEO or NEO-N?

The YubiKey NEO and NEO-n can be configured for U2F and other modes using the NEO Manager.

Can I update my current YubiKey NEO for U2F?

YubiKey NEO and YubiKey NEO-n devices have shipped with firmware version 3.3 since Oct. 1, 2014. This version includes U2F support along with other protocols including Yubico OTP and smart card functionality.

YubiKey NEOs are not upgradable based on best security practices. There is a “no upgrade” policy for our devices since nothing, including malware, can write to the firmware.

For more information, see our blog post YubiKey and BadUSB.

Can I use my Security Key to enable strong two-factor authentication for my enterprise?

Any online service or application can integrate with the U2F protocol. One of our key partners, Duo Security, is the first to offer enterprise server solutions supporting U2F. To learn more about this, see Duo Security and U2F.

Can I use my Security Key with multiple Gmail Accounts?

Yes, the same FIDO U2F Security Key can be used to secure multiple Gmail accounts.

Which browsers support U2F?

You must be running Google Chrome version 38 or later, which includes support for the U2F protocol. To check the version number, in the Chrome toolbar, click the Chrome menu, then select About Google Chrome.

How can I set up my Linux system for use with U2F?

NOTE: We advise everyone to install the YubiKey NEO Manager software. To obtain the latest version of this application, see https://developers.yubico.com/yubikey-neo-manager/Releases/

  1. If you have a YubiKey NEO or YubiKey NEO-n, ensure you have unlocked the U2F mode by following the instructions at http://yubi.co/unlockU2F. If you have a Security Key by Yubico (blue color), U2F is enabled by default (only U2F mode is supported on this product).
  2. Go to https://github.com/Yubico/libu2f-host/blob/master/70-u2f.rules and download or create a copy of the file named 70-u2f.rules in the Linux directory /etc/udev/rules.d/. If this file is already there, ensure that its content exactly matches the one provided on github.com/Yubico (link above).
  3. Save your file, and then reboot your system.
  4. Ensure that you are running Google Chrome version 38 or later. Starting with Chrome version 39, you will be able to use the YubiKey NEO or YubiKey NEO-n in U2F+HID mode.

NOTE: This applies only to YubiKey NEO and YubiKey NEO-n. The Security Key by Yubico only supports U2F mode enabled by default.

YubiHSM

What is the YubiHSM?

The YubiHSM is Yubico’s take on a practical HSM with great security, great quality, and a low cost of ownership. It does not provide all the physical security of other HSMs – but protects your secrets from internet intrusion, such as someone gaining root access to the server.

For more information on the YubiHSM, plus answers to FAQs, see the YubiHSM product page.

YubiKey Development

How do I get an API-Key for YubiKey development?

To get your API key, click here and enter a valid email address along with the Yubico OTP from any of your YubiKeys, and click Get API Key. The page displayed provides you with your generated Client ID (otherwise known as the AuthID or API ID) and the generated API key (Secret Key). Be sure to make a note of both and use these two values in your client. Before testing, wait five to ten minutes after generating the key so that the API key will be updated on all the YubiCloud servers. A lifetime subscription to our YubiCloud validation service is included with all YubiKeys, and there are no additional fees to use the YubiCloud validation service. For more information about developing website APIs, see Yubico for Developers.

Is there any kind of simulator or software available for the hardware/USB kit?

There is no simulator or USB kit offered by Yubico.

YubiKey for Salesforce

Do I need to install anything on my (or my users’) computer to use the YubiKey?

YubiKey does not require drivers, client software, or batteries.

How does the OTP get validated?

The YubiKey for Salesforce Application validates the OTP against our YubiCloud service. You can, however, build your own YubiKey OTP validation service using open source components that we provide for free.

Do I need to individually provision users?

No. Once the YubiKey for Salesforce application is installed, your users can self-provision their YubiKeys as part of normal login. After logging in with their username and password, they are prompted to associate a YubiKey with their Salesforce account and to complete a three-step registration process: insert the YubiKey, touch it when it lights, and click OK.

Can I use more than one YubiKey with my user account, or use one YubiKey with multiple user accounts?

Yes, beginning with YubiKey for Salesforce version 2.3, users can associate multiple YubiKeys with their Salesforce user account. You can also associate multiple user accounts with a single YubiKey.

How do you uninstall YubiKey for Salesforce Login Flow?

When uninstalling the YubiKey for Salesforce application, first deactivate the active flow, then uninstall the package from the Installed Packages list. Note that deactivated flows take 12 hours before they are removed from the list of configured flows.