Basics

Where can I learn more about the YubiKey 4 and YubiKey 4 Nano?

For more information about the YubiKey 4 and YubiKey 4 Nano, see the product page. The product page provides information on the features of this YubiKey as well as additional Frequently Asked Questions.

Where can I learn more about the YubiKey NEO and YubiKey NEO-n?

For more information about the YubiKey NEO, see the product page. The product page provides information on the features of this YubiKey as well as additional Frequently Asked Questions.

For more information about the YubiKey NEO-n, see the product sheets on our Documentation page. We are withdrawing the YubiKey NEO-n from our retail web sales. Throughout 2016, we will continue to sell this product to existing customers and partners at existing price/functions, for deployment in enterprises, but it will not be available on the Yubico Store.

Where can I learn more about the FIDO U2F Security Key?

For more information about the FIDO U2F Security Key, see the product page. The product page provides information on the features of this Security Key as well as additional Frequently Asked Questions.

Why does the YubiKey 4 look exactly like the YubiKey Edge?

The 4th generation of the YubiKey, the YubiKey 4, is based on the body of the YubiKey Edge. This latest version allows us to unleash the 4th generation YubiKey’s full power with 4096 bit RSA in the OpenPGP capability, and touch-to-sign, with proof of user presence for both PIV and OpenPGP.

For more information about the YubiKey 4, as well as the YubiKey 4 Nano, see the product page. The product page provides information on the features of this YubiKey as well as additional Frequently Asked Questions.

How can I tell what version of YubiKey I have?

Use the YubiKey Personalization Tool, which works with any key as long as it is not a U2F-only device, to identify your YubiKey. Because the 4th generation YubiKey, the YubiKey 4, looks like the YubiKey Edge, this is one way to tell the two keys apart.

Download the YubiKey Personalization Tool from our Downloads page. The YubiKey 4 will have a firmware version of 4.2.6 or later.

How do I tell what type of key my Special Edition Octocat Key is?

The Special Edition Octocat Key is a FIDO U2F Security Key, created for GitHub users. It is a U2F-only security key, meaning you cannot configure the key for any other use. Because you cannot configure this special key, it is not recognized by the YubiKey Personalization Tool.

Note, however, that you can use this U2F-certified key with other U2F services, such as Gmail, Google apps, and Dropbox.

How do I store my YubiKey?

All YubiKeys are nearly indestructible. The standard-sized YubiKey (such as the YubiKey Standard, YubiKey NEO, YubiKey Edge, and FIDO U2F Security Key) is made of injection-molded plastic encasing the circuitry, while the exposed elements consist of military-grade hardened gold. Waterproof and crushproof, the standard-sized YubiKey attaches to your keychain alongside your house and car keys.

The smaller-format YubiKeys (YubiKey Nano, YubiKey NEO-n, and YubiKey Edge-n), while they can be placed on a lanyard and put on your keychain, are intended to be inserted in a USB port and not removed on a regular basis.

What is U2F?

U2F is an open authentication standard that enables keychain devices, mobile phones and other devices to securely access any number of web-based services — instantly and with no drivers or client software needed. U2F was created by Google and Yubico, with contribution from NXP, and is today hosted by the open-authentication industry consortium, FIDO Alliance. For more information about YubiKey and U2F, see U2F – FIDO Universal 2nd Factor.

What is a One-Time Password (OTP)?

A One-Time Password (OTP) is a password valid only for a single use and, once used, cannot be used again for authentication. A Yubico OTP is a unique sequence of characters generated every time the YubiKey button is touched. The Yubico OTP comprises a sequence of 32 Modhex characters representing information encrypted with a 128-bit AES key (AES-128).

The information that makes up a Yubico OTP consists of:

  1. The private identity of the YubiKey
  2. Counter fields tracking how often the YubiKey has been used
  3. A Timer field tracking the time between generating each OTP
  4. A Random number to add additional security to the encryption
  5. A closing CRC16 checksum of all the fields

For more information about which YubiKeys support the Yubico OTP, see YubiKey Hardware.
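The fields listed above can be checked once the 32 Modhex characters have been decoded and decrypted. The following is an added example, not Yubico's code: it assumes the field widths of Yubico's published OTP format (they are not stated on this page), uses constructed sample values, and works on the 16-byte block as it looks after AES-128 decryption, because the Python standard library has no AES.

```python
import struct

MODHEX = "cbdefghijklnrtuv"  # the modhex character at index i stands for hex digit i
_TO_MODHEX = str.maketrans("0123456789abcdef", MODHEX)
_FROM_MODHEX = str.maketrans(MODHEX, "0123456789abcdef")

# Assumed little-endian layout of the decrypted 16-byte block:
# private ID (6) | usage counter (2) | timer low (2) | timer high (1) |
# session counter (1) | random (2) | CRC16 (2)
BLOCK = struct.Struct("<6sHHBBHH")
CRC_RESIDUAL = 0xF0B8  # CRC16 over an intact block, checksum included


def modhex_encode(data: bytes) -> str:
    return data.hex().translate(_TO_MODHEX)


def modhex_decode(text: str) -> bytes:
    if any(ch not in MODHEX for ch in text):
        raise ValueError("not a modhex string")
    return bytes.fromhex(text.translate(_FROM_MODHEX))


def crc16(data: bytes) -> int:
    """CRC16 (ISO 13239): initial value 0xFFFF, reflected polynomial 0x8408."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc


def build_block(private_id, use_ctr, timer, session_ctr, rnd) -> bytes:
    """Constructed-sample helper: assemble a plaintext block with a valid CRC."""
    body = struct.pack("<6sHHBBH", private_id, use_ctr,
                       timer & 0xFFFF, timer >> 16, session_ctr, rnd)
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)


def parse_block(block: bytes) -> dict:
    """Split a decrypted block into its fields; reject it if the CRC fails."""
    if len(block) != BLOCK.size:
        raise ValueError("decrypted OTP block must be 16 bytes")
    if crc16(block) != CRC_RESIDUAL:
        raise ValueError("CRC16 mismatch: wrong AES key or corrupted OTP")
    private_id, use_ctr, t_lo, t_hi, session_ctr, rnd, _crc = BLOCK.unpack(block)
    return {"private_id": private_id, "use_ctr": use_ctr,
            "timer": t_lo | (t_hi << 16), "session_ctr": session_ctr,
            "random": rnd}


def accept(fields: dict, last_seen: dict) -> bool:
    """Accept an OTP only if its counters moved past the last accepted pair."""
    current = (fields["use_ctr"], fields["session_ctr"])
    previous = last_seen.get(fields["private_id"])
    if previous is not None and current <= previous:
        return False  # same or older counters: a replayed OTP
    last_seen[fields["private_id"]] = current
    return True


if __name__ == "__main__":
    # Constructed sample values, not taken from a real YubiKey.
    block = build_block(bytes.fromhex("010203040506"), 5, 0x123456, 2, 0xBEEF)
    print("modhex form of the block:", modhex_encode(block))
    fields = parse_block(block)
    seen = {}
    print(fields)
    print("first use accepted:", accept(fields, seen))
    print("second use accepted:", accept(fields, seen))
```

The counter comparison is what makes the password one-time: a validation service that has accepted a counter pair rejects any later OTP carrying the same or a lower pair.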

Can I use my YubiKey with my PC?

Yes, the YubiKey can be used with any computer (including PCs) that has a standard USB 2.0 port and supports USB keyboards. The YubiKey identifies itself to the computer as a USB Keyboard, and is therefore OS independent. It works with Microsoft Windows, Linux, Apple Mac OS X, and Apple iOS (iPad/iPad 2/iPad 3 only). The YubiKey also works with Sony PS3, Microsoft Xbox360, Nintendo Wii, and so on, without requiring the installation of any device drivers, for OTP only.

Can I use the YubiKey with my Mac?

Yes, the YubiKey can be used with any computer (including Apple Macs) that has a standard USB 2.0 port and supports USB keyboards. The YubiKey identifies itself to the computer as a USB Keyboard, and is therefore OS independent. It works with Microsoft Windows, Linux, Apple Mac OS X, Apple iOS (iPad/iPad 2/iPad 3 only), Sony PS3, Microsoft Xbox360, Nintendo Wii, and so on, without requiring the installation of any device drivers.

Can I use my YubiKey to log in to Windows?

Yes, you can! For more information on how to set up Windows login, see Windows Login Solutions.

Is the YubiKey a biometric device?

No. The touch of a finger provides a small electrical charge that activates the YubiKey.

Do I need to install anything on my (or my user’s) computer to use the YubiKey?

YubiKey does not require drivers, client software, or batteries.

What is a YubiKey?

A YubiKey is a small hardware device that offers two-factor authentication with a simple touch of a button. YubiKeys are built strong enough for the largest enterprises, while remaining simple enough for anyone to use. The YubiKey NEO offers both contact (USB) and contactless (NFC, MIFARE) communications. YubiKeys support FIDO U2F, Yubico-OTP, OATH-OTP, OATH-HOTP, OATH-TOTP, OpenPGP, and PIV, and one security key can support an unlimited number of applications without the need for drivers, client software, or batteries. To learn more about the YubiKey, see YubiKey Hardware.

Can I use the YubiKey with an iOS device (iPad, iPhone)?

Yes – the YubiKey can be connected to older iPad or iPhone devices using Apple’s Camera Connection Kit (iPhone 4) or with a Lightning to USB Camera Adapter (iPhone 5). Only core YubiKey functions (Yubico OTP, Static Password, and OATH-HOTP) are supported. (This means that U2F, OATH-TOTP, and challenge-response are not supported, as well as any CCID-related functions.) For more information, see How to start your YubiKey.

NOTE: iPads after the iPad 3 (iPad 4, iPad Air, and so on) will not work properly with the YubiKey. This is due to changes in the Apple firmware over which we have no control. If iPad compatibility is critical for you, consider options other than the YubiKey.

What lanyards can I use with my YubiKey?

Conductive lanyards should not be used with the YubiKey Nano, YubiKey NEO-n, or YubiKey Edge-n as they might cause unwanted interference with the touch sensor. Other than that, there are no restrictions.

Before using a lanyard with the YubiKey Nano, YubiKey NEO-n, or YubiKey Edge-n, note that these YubiKeys in the smaller form factor are not designed for frequent insertion and removal. Therefore, use of a lanyard is up to each user’s individual discretion.

How can I buy a YubiKey?

You can order YubiKeys online on our webstore and via Amazon.

For information about shipping costs, see shipping and buying information.

How can I purchase YubiKeys that are no longer on your web store?

We are withdrawing from our retail web sales the YubiKey Standard, YubiKey Nano, YubiKey Edge, YubiKey Edge-n, and YubiKey NEO-n. Throughout 2016, we will continue to sell these products to existing customers and partners at existing price/functions, for deployment in enterprises, but they will not be available on the Yubico Store.

Our former YubiKey lineup will still be available for a limited time through Amazon and our resellers. For large volume orders, request to speak with a sales representative.

What is two-factor authentication (2FA)?

Two-factor authentication is a strong authentication method where the user provides two types of identification. Two-factor authentication combines something you know (a PIN or a password) with something you have (a physical device, such as a YubiKey). The physical device must be capable of interacting with a computer and transmitting a unique ID. The YubiKey works with any computer that can support a USB keyboard, and can uniquely identify itself with the one-time password it generates, making it an excellent device for two-factor authentication.

General Support Questions

How can I back up my YubiKey?

It is not possible to create an exact copy of a YubiKey, but in some cases it is possible to make a copy of the credentials stored in the YubiKey.

YubiKeys are, by design, write-only devices. This means that the secrets of a credential can only be written into the device, not read out of it. If a credential is to be copied, it must be known beforehand, either written down (or copied) while programming the YubiKey using the YubiKey Personalization Tool, or by accessing the configuration log created during programming. Furthermore, only some credentials can be copied. Static Password and Challenge-Response credentials can be copied; however, the Yubico OTP and OATH-HOTP credentials cannot.

To store a Static Password credential for later use, save and then store the string entered in the YubiKey Personalization Tool if you are programming the YubiKey in scan code mode, or the values in the Password Parameters fields if you are programming the YubiKey in advanced mode.

To store a Challenge-Response credential, save and then store the values entered in their respective Parameters fields when programming the YubiKey using the YubiKey Personalization Tool.

You can also set logging in the YubiKey Personalization Tool to use Traditional format. Using this format, you can extract the information for both the Static Password and Challenge-Response credentials. Save the log file as a .csv, program the YubiKey, then save the log file again. You can compare the two files. (Note that there are no column headings in the log file.)

To use another YubiKey for a backup in a system that implements either Yubico OTP or OATH-HOTP credentials, you may be given the option to associate multiple YubiKeys with your account. For example, you can associate multiple keys with one LastPass Premium account. If you do not find options to associate multiple YubiKeys with your account, contact the administrator for that service directly.

What modes can I use with the NDEF interface of the YubiKey NEO?

The following features are available over the NDEF interface of the YubiKey NEO:

– Yubico OTP
– OATH-HOTP
– Static Password (Advanced Mode)

The YubiClip App from the Google Play store can capture the output from the YubiKey NEO over NFC, and allow it to be pasted into any field on the Android device.

What is the default NDEF4 tag of the YubiKey NEO?

The YubiKey NEO is shipped with its NDEF4 tag programmed to emit a URI of the form https://my.yubico.com/neo/[OTP].

Is my device compatible with the YubiKey?

This depends on how you are planning to use the YubiKey.

For standard YubiKey functionality (Yubico OTP, OATH-HOTP, Challenge-Response, Static Password) over USB, YubiKeys use the same drivers as USB keyboards. If your device supports USB keyboards, it will work with the YubiKey. If your device does not load the driver, try plugging in a USB keyboard first.

For standard YubiKey functionality over NFC, the YubiKey NEO uses the NDEF4 standard. If your device supports this standard, it will work with the YubiKey.

For smart card functions, the YubiKey NEO uses the ISO 7816-4 standard over USB and the ISO 14443-4 standard over NFC. If your device supports these standards, it will work with the YubiKey.

I keep triggering my YubiKey 4 Nano (or YubiKey NEO-n or YubiKey Edge-n) inadvertently. What should I do?

For Windows users:

  1. Using the YubiKey Personalization Tool, select Settings.
  2. Under the Extended Settings section, deselect the check box for Use fast triggering only if slot 1 is programmed.

You will need to touch the YubiKey for at least a half-second to emit an OTP. For an even longer wait time, consider moving the configuration to the second slot. (See Downloads to obtain the YubiKey Personalization Tool for Windows.)

For Mac OS X users:

  • To turn off your YubiKey automatically after a period of inactivity, use the taskbar application, YubiSwitch.

My YubiKey NEO is not being detected by my NFC-capable device. What should I do?

Use the following steps to troubleshoot your device:

  1. Make sure that you have turned on NFC on your device.
  2. Position your YubiKey NEO as close to the NFC antenna (of your device) as you can and hold it there for two to three seconds. Due to the small size of the YubiKey NEO and its own antenna, the YubiKey NEO needs to be very close to the NFC antenna of the device.
  3. If the YubiKey NEO registers but does not work, log a support ticket with Yubico. To do this, download the Android app called TagInfo by NXP. Scan your YubiKey NEO and attach the data (you can export it via email or other means) when you raise the ticket with Yubico Support.
  4. If this does not work, attempt to test your YubiKey NEO with another NFC-capable device and/or test your NFC-capable device with an NFC tag before you raise a ticket with Yubico Support.

Does the YubiKey work with USB 3 Ports?

The YubiKey is a USB 1.0/2.0 device (similar to any other USB keyboard) and it works with USB 3 due to the backward compatibility support of USB 3. If you are experiencing issues with your USB 3 port, try the following:

– Test that the YubiKey is working correctly on a USB 2.0 port.
– Download and install the latest drivers for your USB 3 interface. A common producer of the USB 3 is NEC. Research the type of hardware you have and ensure you have the correct drivers.
– Plug a USB hub in your USB port. Insert the YubiKey in one of the USB hub ports. If the YubiKey works, then it could be a mechanical problem with the USB interface.

How can I check the firmware version of a YubiKey?

The YubiKey Personalization Tool lists the firmware version of a YubiKey when it is inserted into the computer. The Firmware Version is displayed on the right side of the YubiKey Personalization Tool window, above the serial number of the YubiKey.

Is it possible to upgrade the YubiKey firmware?

No, it is currently not possible to upgrade YubiKey firmware. To prevent attacks on the YubiKey which might compromise its security, the YubiKey does not permit its firmware to be accessed or altered.

Yubico is dedicated to providing a long-term two-factor authentication solution, and we want your YubiKey to remain useful for the full extent of its lifetime. When we do release new firmware, we ensure the new YubiKey will function the same as older versions, so there is no need to purchase new YubiKeys to ensure compatibility.

What happens if I don’t have my YubiKey with me?

The answer depends on what options each application vendor and service provider offers users to address such a situation. It is common practice for the application or service to offer options to temporarily disable the need for YubiKey authentication and fall back to one-factor authentication for a certain duration (such as a day). Other applications may provide temporary OTPs over other communication channels, like SMS or email. Some applications may even support backup mobile tokens. But again, all these options need to be implemented by the application vendor or service provider in a way that suits their security requirements. Check with the application or service provider to see how they handle the situation where your YubiKey is unavailable.

My YubiKey is not working. What should I do?

Tip: If you have a Security Key, you will not see characters output on the screen (a one-time password) when you press the button on the key. To test your Security Key, go to U2F Registration and Login Demo.

Use the following steps to troubleshoot your YubiKey.

In each of these steps, insert the YubiKey into a USB Port, open a text editor (such as Notepad) and press the button on the YubiKey.

  1. Use the YubiKey in a different USB port on the same computer.
  2. Use the YubiKey in a different computer.

Then raise a ticket with Yubico Support and include the following information:

  1. The output you see on the text editor.
  2. The behavior of the green LED, both when you insert the YubiKey and when you touch the button.
  3. The operating systems that were running on your computers.

What can I do with my YubiKey?

The YubiKey can be used in a large variety of ways.

Why does the YubiKey act as a keyboard?

To allow the YubiKey to be compatible across multiple hardware platforms and operating systems, the YubiKey acts as a USB keyboard to the OS. This design provides several advantages including:

  1. Virtually all mainstream operating systems have built-in USB keyboard support.
  2. Since the YubiKey uses generic keyboard drivers, there are no special drivers that need to be installed to use the YubiKey.
  3. In organizations where USB ports are blocked for security concerns, the use of USB keyboards, and thus the YubiKey, is still permitted.
  4. You do not have to manually enter an OTP generated by the authentication device on the authentication screen of the application(s). As a YubiKey user, you just need to click in the input field for the OTP and touch the YubiKey button briefly. In addition to reducing the time spent on authentication, this also assists in avoiding potential human errors while typing in the OTP.

How many credentials can I store with Yubico Authenticator?

On the YubiKey 4 and YubiKey 4 Nano, there are two “configuration slots” on each key. You can program each slot with a single credential, such as one for OTP and one for Challenge-Response (such as for Microsoft Windows or Mac OS X account login) or static password. You can configure the YubiKey as a smart card (PIV) and program the YubiKey for touch-to-sign. You can store up to 32 OATH credentials (TOTP or HOTP) on the YubiKey and access them using the Yubico Authenticator companion application. In addition, you can have an unlimited number of U2F credentials on these YubiKeys.

On the YubiKey NEO and YubiKey NEO-n, there are two “configuration slots” on each key. You can program each slot with a single credential, such as one for OTP and one for Challenge-Response (such as for Microsoft Windows or Mac OS X account login) or static password. You can also configure the YubiKey as a smart card (PIV). You can store up to 28 OATH credentials (TOTP or HOTP) on the YubiKey and access them using the Yubico Authenticator companion application. In addition, you can have an unlimited number of U2F credentials on these YubiKeys.

On the YubiKey Edge/Edge-n or YubiKey Standard/Nano, there are two “configuration slots” on each key. You can program each slot with a single credential, such as one for OTP and one for Challenge-Response (such as for Microsoft Windows or Mac OS X account login) or static password. On a YubiKey Edge/Edge-n or YubiKey Standard/Nano, use the Yubico Authenticator companion application to create and access two (2) OATH-TOTP credentials (one in each configuration slot), as long as no other credentials are stored in those slots.

How many credentials can I program on my YubiKey?

For all of our YubiKeys (YubiKey 4/YubiKey 4 Nano, YubiKey NEO/NEO-n, YubiKey Edge/Edge-n, and YubiKey Standard/Nano), there are two “configuration slots” on each YubiKey. You can program each slot with a single credential, such as one for OTP and one for OATH-TOTP. All keys also support static password or challenge-response.

For the keys that support FIDO U2F, you can have an unlimited number of U2F credentials. These keys are the YubiKey 4/YubiKey 4 Nano, YubiKey NEO/NEO-n and YubiKey Edge/Edge-n plus the FIDO U2F Security Key.

The YubiKey 4/YubiKey 4 Nano and YubiKey NEO/NEO-n also can store up to 28 OATH-TOTP credentials in addition to the pre-configured Yubico One-Time Password that is configured in slot 1.

Finally, the YubiKey 4/YubiKey 4 Nano and YubiKey NEO/NEO-n can also store a smart card (PIV) credential and the YubiKey 4/YubiKey 4 Nano can be configured for touch-to-sign for code signing.

For more information about the functions of the keys and their current availability, see our products page.

How can I use my U2F-certified YubiKey with Dashlane?

In Dashlane Premium or Dashlane for Business, turn on two-factor authentication and follow the steps to enable 2FA. Be sure you have selected the option to enable 2FA Each time I log in to Dashlane. Once 2FA is set up, you can then add a YubiKey. Set up additional backup YubiKeys the same way. (You can add up to 20 backup YubiKeys.)

For more information about how to use YubiKeys with Dashlane, see the Dashlane FAQ.

Why am I not getting prompted to tap my YubiKey when logging in to Dashlane?

When you initially set up your Dashlane account to work with 2FA and YubiKey, you specified the level of security you wanted to use. That means that the YubiKey works with whatever security level you specified. If you specified that you want to authenticate with your YubiKey only when adding a new device, you will not be prompted to touch your YubiKey each time you log in. If you want to change this security setting, so that you are prompted to touch your key each time you log in, you will need to disable 2FA in Dashlane, and then enable it again to change the setting. For more information, see the Dashlane help.

Why do I receive a “key not found” error in Dashlane?

You receive a “key not found” error message when you try to set up 2FA with your YubiKey on your computer, or when you try to add a new key to an existing account on a different computer. This is a known issue that Dashlane is aware of, has a temporary workaround for, and is currently working on resolving. For more information, and to obtain the workaround, contact Dashlane Support.

Password Managers

Where can I find my activation URL?

If you bought a LastPass Bundle from our store, your LastPass Premium subscription will be mailed to you in the form of an activation URL. This URL should be mailed to you from our store – if you do not find it, check your spam folder or log a support ticket at yubi.co/support. If you are a LastPass Enterprise customer, your subscription should be automatically added to your LastPass account. If you have questions, create a support ticket at yubi.co/support.

Does the YubiKey work with the LastPass Mobile Device Application?

The LastPass Mobile Device Application supports YubiKey two-factor authentication using the YubiKey NEO on Android devices. The YubiKey does not work with the LastPass Mobile Device Application on the iPad/iPhone due to hardware limitations on the Apple devices. For more information, see Introducing LastPass Mobile Support for the YubiKey NEO.

Which YubiKeys work with LastPass?

Any YubiKey in any form factor (with the exception of the Security Key, which supports U2F only) can work with LastPass, including the standard YubiKey, YubiKey NEO, and YubiKey Edge, as long as the YubiKey is configured with a Yubico OTP. Yubico and LastPass also offer a discounted bundle with YubiKey + LastPass Premium. For more information, see YubiKey with LastPass.

How can I add a YubiKey to my LastPass account?

For instructions on how to associate your YubiKey with your LastPass account, see YubiKey Authentication in the LastPass user manual.

How do I get a YubiKey to work with LastPass?

To use a YubiKey with LastPass, you need to have a LastPass premium account. For more information about the benefits of using YubiKey to protect your LastPass account, see YubiKey with LastPass.

Security

Where are Yubico’s servers located?

Yubico currently has five YubiCloud OTP validation servers. They are located around the world, distributed and synchronized to ensure that there is no single point of failure. For more information, see the YubiCloud Validation Service guide.

What kind of encryption is used for your server security?

Yubico Validation Servers support HTTPS for secure communication with validation clients. Additionally, the validation protocol also (optionally) uses HMAC-SHA1 signatures on request and response to verify message integrity. For more information, see the YubiCloud Validation Service guide.

Can a YubiKey be copied?

No, a YubiKey cannot be copied as the computer recognizes the YubiKey as a keyboard. The YubiKey types a One-Time Password (OTP) when the button is pressed. For a technical description of each of the YubiKeys, see YubiKey Hardware.

What happens if I lose my YubiKey?

If you are using your YubiKey with a service or application, the policy for lost or stolen YubiKeys depends on how that service or application deals with the situation.

The simplest recovery method is if the site supports alternative authentication mechanisms, so that you can regain access to the account and can delete (de-associate) the lost YubiKey from your account. You can then associate another (or a new) YubiKey to your account.

For example, the LastPass Premium subscription allows you to configure up to 5 YubiKeys with a LastPass account, so you can continue to log in using other keys if one is lost. For more information on how to disable a YubiKey with a LastPass account, see the LastPass Help Center.

If you cannot regain access, many sites have an authentication credential recovery mechanism. Use that to regain access to your account. You can de-associate the lost YubiKey, and then re-associate another key.

Applications or services may also provide other mechanisms for users or administrators to assign a new YubiKey in case the user lost an original key. Contact the company supporting the YubiKey to find out about their policies.

For more information, see our blog post on best practices.

YubiKey Development

How do I get an API-Key for YubiKey development?

To get your API key, click here and enter a valid email address along with the Yubico OTP from any of your YubiKeys, and click Get API Key. The page displayed provides you with your generated Client ID (otherwise known as the AuthID or API ID) and the generated API key (Secret Key). Be sure to make a note of both and use these two values in your client. Before testing, wait five to ten minutes after generating the key so that the API key will be updated on all the YubiCloud servers. A lifetime subscription to our YubiCloud validation service is included with all YubiKeys, and there are no additional fees to use the YubiCloud validation service. For more information about developing website APIs, see Yubico for Developers.
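The Client ID and API key described above are what a validation client uses for the optional HMAC-SHA1 signatures mentioned under "What kind of encryption is used for your server security?". The following is an added example, not Yubico's client code: the parameter names (otp, nonce, status, h, t, sl) and the signing rule follow Yubico's published validation protocol rather than this page, and the API key, OTP, nonce and responses are constructed.

```python
import base64
import hashlib
import hmac


def sign(params: dict, api_key_b64: str) -> str:
    """Base64 HMAC-SHA1 over the key=value pairs, sorted by key and joined by '&'."""
    line = "&".join(f"{key}={params[key]}" for key in sorted(params))
    secret = base64.b64decode(api_key_b64)  # the API key is handed out base64-encoded
    digest = hmac.new(secret, line.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def parse_response(body: str) -> dict:
    """Parse the key=value lines of a validation response."""
    fields = {}
    for line in body.splitlines():
        if "=" in line:
            key, value = line.strip().split("=", 1)  # base64 values may end in '='
            fields[key] = value
    return fields


def verify_response(body: str, api_key_b64: str, sent_otp: str, sent_nonce: str) -> dict:
    """Return the response fields only if signature, echoed values and status all check out."""
    fields = parse_response(body)
    received = fields.pop("h", None)
    if received is None:
        raise ValueError("response is not signed")
    expected = sign(fields, api_key_b64)
    if not hmac.compare_digest(received.encode(), expected.encode()):
        raise ValueError("bad signature: response altered or wrong API key")
    if fields.get("otp") != sent_otp or fields.get("nonce") != sent_nonce:
        raise ValueError("response does not belong to this request")
    if fields.get("status") != "OK":
        raise ValueError(f"OTP rejected: {fields.get('status')}")
    return fields


def make_response(fields: dict, api_key_b64: str) -> str:
    """Constructed-sample helper standing in for the validation server."""
    lines = [f"h={sign(fields, api_key_b64)}"]
    lines += [f"{key}={value}" for key, value in fields.items()]
    return "\r\n".join(lines) + "\r\n"


# Constructed values, not a real credential or a real OTP.
API_KEY = base64.b64encode(b"constructed-demo-secret").decode()
OTP = "cccccccccccc" + "bdefghijklnrtuvcbdefghijklnrtuvc"
NONCE = "0123456789abcdef0123456789abcdef"

if __name__ == "__main__":
    ok = make_response({"otp": OTP, "nonce": NONCE, "t": "2016-01-01T00:00:00Z0123",
                        "sl": "25", "status": "OK"}, API_KEY)
    print(verify_response(ok, API_KEY, OTP, NONCE))
    replayed = make_response({"otp": OTP, "nonce": NONCE,
                              "t": "2016-01-01T00:00:05Z0456",
                              "status": "REPLAYED_OTP"}, API_KEY)
    forged = replayed.replace("status=REPLAYED_OTP", "status=OK")
    try:
        verify_response(forged, API_KEY, OTP, NONCE)
    except ValueError as err:
        print("forged response rejected:", err)
```

Checking the signature before reading the status matters: without it, anything able to modify the response in transit could turn a rejection into an OK.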

Is there any kind of simulator or software available for the hardware/USB kit?

There is no simulator or USB kit offered by Yubico.

YubiHSM

What is the YubiHSM?

The YubiHSM is Yubico’s take on a practical HSM with great security, great quality, and a low cost of ownership. It does not provide all the physical security of other HSMs – but protects your secrets from internet intrusion, such as someone gaining root access to the server.

For more information on the YubiHSM, plus answers to FAQs, see the YubiHSM product page.

YubiKey for Salesforce

How do you uninstall YubiKey for Salesforce Login Flow?

When uninstalling the YubiKey for Salesforce application, first deactivate the active flow, then uninstall the package from the Installed Packages list. Note that deactivated flows take 12 hours before they are removed from the list of configured flows.

Can I use more than one YubiKey with my user account, or use one YubiKey with multiple user accounts?

Yes, beginning with YubiKey for Salesforce version 2.3, users can associate multiple YubiKeys with their Salesforce user account. You can also associate multiple user accounts with a single YubiKey.

How does the OTP get validated?

The YubiKey for Salesforce Application validates the OTP against our YubiCloud service. You can, however, build your own Yubico OTP validation service using open source components that we provide for free.

Do I need to individually provision users?

No. Once the YubiKey for Salesforce application is installed, your users can self-provision their YubiKeys as part of normal login. After logging in with their username and password, they are prompted to associate a YubiKey with their Salesforce account and to complete a three-step registration process: insert the YubiKey, touch it when it lights, and click OK.

U2F

Can I use the U2F YubiKey I have for Gmail and Google Apps with other apps?

Yes!! The same U2F YubiKey can be used with any number of services and there is no practical limit to the U2F-secured services the U2F Security Key and other U2F-certified YubiKeys can be associated with. (To see a list of the YubiKeys you can use, see our comparison page.)

During the registration process, the key pairs are generated on the device (secure element) but the key pairs are not stored on the YubiKeys. Instead, the key pair (public key and encrypted private key) is stored by each relying party/service that initiated the registration. Therefore, this approach allows for an unlimited number of services to be associated with the U2F-certified YubiKeys.

This means the same U2F-certified YubiKey you use for Gmail or Google Apps can be used with your GitHub, Dropbox, and Dashlane accounts.

Why doesn’t the YubiKey Personalization Tool recognize my Security Key?

The YubiKey Personalization Tool is used to program YubiKeys. The Security Key is a U2F-only device that cannot be programmed.

Does my YubiKey NEO support U2F over NFC?

Yes! All YubiKey NEO devices manufactured as of February 10, 2015 support the current FIDO U2F specification for NFC. To verify you have a YubiKey NEO that supports NFC, check that your YubiKey is running firmware version 3.4.0 or later. To check your firmware version, use the YubiKey NEO Manager or YubiKey Personalization Tool. (Note that the YubiKey NEO-n does not support NFC due to the smaller form factor.)

For more information on the spec, see FIDO Alliance Equips U2F Protocol for Mobile and Wireless Applications.

How can I set up my Linux system for use with U2F?

NOTE: We advise everyone to install the YubiKey NEO Manager software. To obtain the latest version of this application, see https://developers.yubico.com/yubikey-neo-manager/Releases/

  1. If you have a YubiKey NEO or YubiKey NEO-n, ensure you have unlocked the U2F mode by following the instructions at http://yubi.co/unlockU2F. If you have a Security Key by Yubico (blue color), U2F is enabled by default (only U2F mode is supported on this product).
  2. Go to https://github.com/Yubico/libu2f-host/blob/master/70-u2f.rules and download or create a copy of the file named 70-u2f.rules in the Linux directory /etc/udev/rules.d/. If this file is already there, ensure that its content exactly matches the one provided on github.com/Yubico (link above).
  3. Save your file, and then reboot your system.
  4. Ensure that you are running Google Chrome version 38 or later. Starting with Chrome version 39, you will be able to use the YubiKey NEO or YubiKey NEO-n in U2F+HID mode.

NOTE: This applies only to YubiKey NEO and YubiKey NEO-n. The Security Key by Yubico supports only U2F mode, which is enabled by default.

Can I use my Security Key to enable strong two-factor authentication for my enterprise?

Any online service or application can integrate with the U2F protocol. Both Google and Dropbox have integrated their solutions with U2F YubiKeys. See Google Drive for Work and Dropbox for Business.

One of our key partners, Duo Security, was one of the first to offer enterprise server solutions supporting U2F. See Duo Security and U2F.

RC Devs has also created OpenOTP™, an enterprise-grade user authentication solution based on open technologies. See Open OTP Authentication Server.

Which browsers support U2F?

You must be running Google Chrome version 38 or later, which includes support for the U2F protocol. To check the version number, in the Chrome toolbar, click the Chrome menu, then select About Google Chrome.

Can I use my Security Key with multiple Gmail Accounts?

Yes, the same FIDO U2F Security Key can be used to secure multiple Gmail accounts.

Can I update my current YubiKey NEO for U2F?

YubiKey NEO and YubiKey NEO-n devices have shipped with firmware version 3.3 since Oct. 1, 2014. This version includes U2F support along with other protocols including Yubico OTP and smart card functionality.

YubiKey NEOs are not upgradable based on best security practices. There is a “no upgrade” policy for our devices since nothing, including malware, can write to the firmware.

For more information, see our blog post YubiKey and BadUSB.

How can I activate U2F on my YubiKey NEO or NEO-n?

The YubiKey NEO and NEO-n can be configured for U2F and other modes using the NEO Manager.

Most Commonly Asked Questions

Q: What are the differences in the two sizes of the YubiKey 4 (the keychain vs. the nano)?
A: The keychain size is intended to be carried with you on… your keychain, along with your set of keys. Insert it into a USB port when you are requested to authenticate, and you can remove it when you have finished authenticating. The smaller nano size sits flush in the USB port and, although it can be removed whenever you want, you can leave it inserted in the laptop. Of course, if you are concerned about the physical security of having your token accessible, such as when you take your laptop with you when you travel, you can remove the nano-sized YubiKey. Other than size, there is no difference between the keychain and nano version of the YubiKey 4.

Q: Where can I use my YubiKey?
A: You can use a YubiKey to secure access to a wide range of both enterprise and consumer applications. These include computer login and VPN, password managers, encryption, and more. You can also use the same YubiKey for securing your Gmail and Dropbox accounts. It’s easy to set up and try it out!

Q: How does this work with mobile?
A: Use your YubiKey NEO along with your NFC-enabled mobile phone (Android phones only) to log in directly to mobile U2F applications, such as GitHub. You can also “bless” your phone with a computer secured with YubiKey, as currently done by Google, Dropbox, and LastPass.

Q: What happens if I lose my YubiKey?
A: It depends on how you are using your YubiKey. For U2F-enabled applications, you have specified a backup mechanism for logging in (such as SMS) from the beginning, so you can be sure you can always access your email or data. You can then log in and remove that YubiKey and easily add a new one. Of course, we hope that you have a backup YubiKey, just like you have a backup set of keys for your home or car, and you can then use that YubiKey to authenticate with. Remember, since this is two-factor authentication, if someone finds your key, that person still needs to know your user name and password — without all three of your user name, password, and YubiKey, there is no way anyone can log in to your accounts!

Other questions?

Having problems finding the answer to your question? Check our Support resources.

Technical discussion

The Yubico Forum is a technical discussion forum for developers and YubiKey users who want to learn, question, comment or contribute to Yubico’s technology. Visit the forum.