The YubiKey is a hardware authentication device manufactured by Yubico to protect access to computers, networks, and online services. It supports one-time passwords (OTP), public-key cryptography and authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols developed by the FIDO Alliance. It allows users to log into their accounts by emitting one-time passwords or by using a FIDO public/private key pair generated on the device. A YubiKey can also store static passwords for use at sites that do not support one-time passwords. Google, Amazon, Microsoft, Twitter, and Facebook use YubiKey devices to secure employee accounts as well as end user accounts. Some password managers support YubiKey. Yubico also manufactures the Security Key, a similar lower-cost device with only FIDO2/WebAuthn and FIDO/U2F support.
The YubiKey implements the HMAC-based One-time Password Algorithm (HOTP) and the Time-based One-time Password Algorithm (TOTP), and identifies itself as a keyboard that delivers the one-time password over the USB HID protocol. A YubiKey can also present itself as an OpenPGP card using 1024-, 2048-, 3072- and 4096-bit RSA (for key sizes over 2048 bits, GnuPG version 2.0 or higher is required) and elliptic curve cryptography (ECC) with the p256 and p384 curves, and more depending on version, allowing users to sign, encrypt and decrypt messages without exposing the private keys to the outside world. The YubiKey also implements a PIV smart card application, which host software can use through the PKCS#11 standard. This feature allows for code signing of Docker images as well as certificate-based authentication for Microsoft Active Directory and SSH.
Founded in 2007 by CEO Stina Ehrensvärd, Yubico is a private company with offices in Palo Alto, Seattle, and Stockholm. Yubico CTO Jakob Ehrensvärd is the lead author of the original strong authentication specification that became known as Universal 2nd Factor (U2F).
Yubico released the YubiKey 5 series in 2018, which adds support for FIDO2.
History
Yubico was founded in 2007 and began offering a Pilot Box for developers in November of that year. The original YubiKey product was shown at the annual RSA Conference in April 2008, and a more robust YubiKey II model was launched in 2009. Yubico's explanation of the name "YubiKey" is that it derives from the phrase "your ubiquitous key", and that "yubi" is the Japanese word for finger.
YubiKey II and later models have two "slots" available, for storing two distinct configurations with separate AES secrets and other settings. When authenticating, the first slot is selected by briefly pressing the button on the device, while the second slot is selected by holding the button for 2 to 5 seconds.
In 2010, Yubico began offering the YubiKey OATH and YubiKey RFID models. The YubiKey OATH added the ability to generate 6- and 8-character one-time passwords using protocols from the Initiative for Open Authentication (OATH), in addition to the 32-character passwords used by Yubico's own OTP authentication scheme. The YubiKey RFID model included the OATH capability and also a MIFARE Classic 1k radio-frequency identification chip, though that was a separate device within the package that could not be configured with the normal Yubico software over a USB connection.
Yubico announced the YubiKey Nano in February 2012, a miniaturized version of the standard YubiKey which was designed so it would fit almost entirely inside a USB port and only expose a small touch pad for the button. Most later models of the YubiKey have also been available in both standard and "nano" sizes.
2012 also saw the introduction of the YubiKey Neo, which improved upon the previous YubiKey RFID product by implementing near-field communication (NFC) technology and integrating it with the USB side of the device. The YubiKey Neo (and Neo-n, a "nano" version of the device) are able to transmit one-time passwords to NFC readers as part of a configurable URL contained in an NFC Data Exchange Format (NDEF) message. The Neo is also able to communicate using the CCID smart-card protocol in addition to USB HID (human interface device) keyboard emulation. The CCID mode is used for PIV smart card and OpenPGP support, while USB HID is used for the one-time password authentication schemes.
In 2014, the YubiKey Neo was updated with FIDO Universal 2nd Factor (U2F) support. Later that year, Yubico released the FIDO U2F Security Key, which specifically included U2F support but none of the other one-time password, static password, smart card, or NFC features of previous YubiKeys. At launch, it was correspondingly sold at a lower price point of just $18, compared to $25 for the YubiKey Standard ($40 for the Nano version), and $50 for the YubiKey Neo ($60 for Neo-n). Some of the pre-release devices issued by Google during FIDO/U2F development reported themselves as "Yubico WinUSB Gnubby (gnubby1)".
In April 2015, the company launched the YubiKey Edge in both standard and nano form factors. This slotted in between the Neo and FIDO U2F products feature-wise, as it was designed to handle OTP and U2F authentication, but did not include smart card or NFC support.
The YubiKey 4 family of devices was first launched in November 2015, with USB-A models in both standard and nano sizes. The YubiKey 4 includes most features of the YubiKey Neo, including increasing the allowed OpenPGP key size to 4096 bits (vs. the previous 2048), but dropped the NFC capability of the Neo.
At CES 2017, Yubico announced an expansion of the YubiKey 4 series to support a new USB-C design. The YubiKey 4C was released on February 13, 2017. On Android over the USB-C connection, only the one-time password feature was supported by Android and the YubiKey; other features, including Universal 2nd Factor (U2F), were not supported at the time. A 4C Nano version became available in September 2017.
In April 2018, the company brought out the Security Key by Yubico, its first device to implement the new FIDO2 authentication protocols, WebAuthn (which reached W3C Candidate Recommendation status in March) and the Client to Authenticator Protocol (CTAP). At launch, the device was only available in the "standard" form factor with a USB-A connector. Like the previous FIDO U2F Security Key, it is blue in color and uses a key icon on its button. It is distinguished by a number "2" etched into the plastic between the button and the keyring hole. It is also less expensive than the YubiKey Neo and YubiKey 4 models, costing $20 per unit at launch, because it lacks the OTP and smart card features of those previous devices, though it retains FIDO U2F capability.
Product features
The YubiKey and related Yubico products, with the years each was offered. Yubico's own feature-by-feature comparison tables are listed under External links.
* YubiKey VIP: 2011–2017
* YubiKey Plus: 2014–2015
* YubiKey Nano: 2012–2016
* YubiKey NEO-n: 2014–2016
* YubiKey 4 Nano: 2016–2017
* YubiKey Edge-n: 2015–2016
* YubiKey Standard: 2014–2016
* YubiHSM 1: 2015–2017
* FIDO U2F Security Key: 2013–2018
* Security Key by Yubico: 2018–2020
* YubiKey NEO: 2012–2018
* YubiKey 4C Nano: 2017–2018
* YubiKey 4C: 2017–2018
* YubiKey 4 Nano: 2015–2018
* YubiKey 4: 2015–2018
* YubiKey C Nano FIPS: 2018–present
* YubiKey C FIPS: 2018–present
* YubiKey Nano FIPS: 2018–present
* YubiKey FIPS: 2018–present
* YubiHSM 2: 2017–present
* Security Key NFC by Yubico: 2019–present
* YubiKey 5C Nano: 2018–present
* YubiKey 5C: 2018–present
* YubiKey 5 Nano: 2018–present
* YubiKey 5 NFC: 2018–present
* YubiKey 5Ci: 2019–present
* YubiKey 5C NFC: 2020–present
ModHex
When used for one-time passwords and stored static passwords, the YubiKey emits characters using a modified hexadecimal alphabet which is intended to be as independent of system keyboard settings as possible. This alphabet, referred to as ModHex or Modified Hexadecimal, consists of the characters "cbdefghijklnrtuv", corresponding to the hexadecimal digits "0123456789abcdef". Because YubiKeys send raw keyboard scan codes in USB HID mode, there can be problems when using the devices on computers that are set up with different keyboard layouts, such as Dvorak. One workaround is to use operating system features to temporarily switch to a standard US keyboard layout (or similar) when using one-time passwords; alternatively, YubiKey Neo and later devices can be configured with alternate scan codes to match layouts that are not compatible with the ModHex character set.
U2F authentication in YubiKeys and Security Keys avoids this problem by using the separate U2FHID protocol, which sends and receives raw binary messages instead of keyboard scan codes. CCID mode acts as a smart card reader, which does not use HID protocols at all.
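An added example, not Yubico's code, of a ModHex codec and of the layout problem described above, in Python. Besides encoding and decoding, it simulates what a host running a US Dvorak layout displays when the key types ModHex scan codes, and shows how a validation service can normalise such input before decoding: the canonical alphabet is tried first, then each known layout. The Dvorak mapping assumes the standard simplified Dvorak layout, and the 44-character sample OTP used in the test (12-character public identity plus 32-character token) is constructed for the example; the AES-encrypted token is only split out, not decrypted.

```python
"""ModHex codec plus keyboard-layout repair for YubiKey OTP strings (added example)."""

MODHEX = "cbdefghijklnrtuv"   # ModHex alphabet; the index of a letter is its hex digit 0..15

# Assumption for this example: standard US Dvorak.  The key types USB scan codes, so
# the sixteen QWERTY positions labelled with the ModHex letters show up on a Dvorak
# host as the letters in the second row:
#   c b d e f g h i j k l n r t u v
#   j x e . u i d c h t n b p y g k
LAYOUTS = {"dvorak": "jxe.uidchtnbpygk"}


def modhex_encode(data: bytes) -> str:
    return "".join(MODHEX[b >> 4] + MODHEX[b & 0x0F] for b in data)


def modhex_decode(text: str) -> bytes:
    text = text.lower()
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError("not a ModHex string")
    nibbles = [MODHEX.index(ch) for ch in text]
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, len(nibbles), 2))


def as_typed_on(modhex_text: str, layout: str) -> str:
    """Simulate what a host running `layout` shows when the key sends ModHex scan codes."""
    return modhex_text.translate(str.maketrans(MODHEX, LAYOUTS[layout]))


def normalize_otp(typed: str):
    """Map a typed OTP back to canonical ModHex.  Returns (layout_name, modhex_text).

    Heuristic: a string made only of ModHex letters is taken as canonical ("us");
    otherwise each known layout alphabet is tried.  The Dvorak rendering overlaps the
    ModHex alphabet in 12 of its 16 letters, so a garbled OTP that happens to avoid
    the other four ('.', 'x', 'p', 'y') would be misread as canonical.  This is a
    fallback, not a substitute for configuring the key's scan codes."""
    typed = typed.strip().lower()
    if all(ch in MODHEX for ch in typed):
        return "us", typed
    for name, alphabet in LAYOUTS.items():
        if all(ch in alphabet for ch in typed):
            return name, typed.translate(str.maketrans(alphabet, MODHEX))
    raise ValueError("OTP contains characters from no known layout")


def split_yubico_otp(otp: str):
    """A Yubico OTP is ModHex: a public identity (the key's 'fixed' field, up to 16
    bytes, by default 6 bytes = 12 characters) followed by the 32-character, 16-byte
    AES-encrypted token.  Returns (layout_name, public_id_bytes, encrypted_token_bytes);
    decryption with the AES secret held by the validation server is out of scope here."""
    layout, text = normalize_otp(otp)
    if not 32 <= len(text) <= 64:
        raise ValueError("unexpected OTP length %d" % len(text))
    return layout, modhex_decode(text[:-32]), modhex_decode(text[-32:])
```

Over a 44-character OTP the chance that a Dvorak-garbled string contains none of the four tell-tale characters is (12/16)^44, small but not zero, which is why the function reports which alphabet it matched rather than silently repairing.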
Security issues
YubiKey 4 closed-sourcing concerns
Most of the code that runs on a YubiKey is closed source. While Yubico has released some code for industry standard functionality like PGP and HOTP, it was disclosed that as of the 4th generation of the product this is not the same code that the new units ship with. Because new units are permanently firmware locked at the factory, it is not possible to compile the open source code and load it on the device manually; a user must trust that the code on a new key is authentic and secure.
Code for other functionality such as U2F, PIV and ModHex is entirely closed source.
On May 16, 2016, Yubico CTO Jakob Ehrensvärd responded to the open-source community's concerns with a blog post saying that "we, as a product company, have taken a clear stand against implementations based on off-the-shelf components and further believe that something like a commercial-grade AVR or ARM controller is unfit to be used in a security product."
Techdirt founder Mike Masnick strongly criticized this decision, saying "Encryption is tricky. There are almost always vulnerabilities and bugs -- a point we've been making a lot lately. But the best way to fix those tends to be getting as many knowledgeable eyes on the code as possible. And that's not possible when it's closed source."
ROCA vulnerability in certain YubiKey 4, 4C, and 4 Nano devices
In October 2017, security researchers found a vulnerability (known as ROCA) in the implementation of RSA keypair generation in a cryptographic library used by a large number of Infineon security chips, as used in a wide range of security keys and security token products (including YubiKey). The vulnerability allows an attacker to reconstruct the private key from the public key. All YubiKey 4, YubiKey 4C, and YubiKey 4 Nano devices with firmware revisions 4.2.6 to 4.3.4 were affected. Yubico remedied this issue in all shipping YubiKey 4 devices by switching to a different key generation function and offered free replacements for any affected keys. The replacement offer ended on March 31, 2019. In some cases the issue can be bypassed by generating new keys outside of the YubiKey and importing them onto the device; the imported key is then only as strong as the generator that produced it.
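The practical question after this disclosure is whether a given RSA public key (for instance the one in a PIV certificate or an OpenPGP key exported from the device) came from the affected generator. As an added example, not from this page or from Yubico, the following Python reimplements the public-key fingerprint check published with the ROCA research: the weak generator produced primes of the form k*M + (65537^a mod M), where M is a product of small primes, so every modulus N it produced satisfies N mod r in the subgroup generated by 65537 in Z_r* for each small prime r dividing M. A modulus that fails the test for even one r was not produced by that code; one that passes for all of them almost certainly was. The prime list is the set of odd primes common to the M values for all affected key sizes; the "fingerprinted" modulus built in the test reproduces that residue structure and is not a real RSA modulus; modulus_from_hex is a convenience for the output of a real OpenSSL command.

```python
"""ROCA (CVE-2017-15361) public-key fingerprint check (added example)."""
from math import prod

# Odd primes common to every ROCA "M" (the primorial the weak generator built its
# primes from); 2 is omitted because any RSA modulus is odd anyway.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67,
                71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139,
                149, 151, 157, 163, 167]


def subgroup_generated_by_65537(r: int) -> frozenset:
    """The cyclic subgroup <65537> of the multiplicative group modulo the odd prime r."""
    members, x = set(), 1
    while True:
        members.add(x)
        x = x * 65537 % r
        if x == 1:
            return frozenset(members)


ALLOWED = {r: subgroup_generated_by_65537(r) for r in SMALL_PRIMES}


def has_roca_fingerprint(n: int) -> bool:
    """True if N mod r lies in <65537> for every r, the residue pattern shared by all
    moduli from the weak generator.  False proves the key did NOT come from it."""
    return all(n % r in ALLOWED[r] for r in SMALL_PRIMES)


def fingerprint_false_positive_rate() -> float:
    """Fraction of random moduli that would pass by chance (upper bound, treating
    the residues as independent and uniform over Z_r^*)."""
    return prod(len(ALLOWED[r]) / (r - 1) for r in SMALL_PRIMES)


def make_fingerprinted_modulus(a: int, k: int) -> int:
    """Constructed test input with the weak generator's shape k*M + (65537^a mod M).
    It mimics the residue structure only; it is not a product of two primes."""
    m = prod(SMALL_PRIMES)
    return k * m + pow(65537, a, m)


def modulus_from_hex(hex_modulus: str) -> int:
    """Parse the 'Modulus=...' line printed by `openssl rsa -pubin -noout -modulus`
    (or `openssl x509 -noout -modulus` for a certificate)."""
    return int(hex_modulus.split("=", 1)[-1].strip(), 16)


if __name__ == "__main__":
    n = make_fingerprinted_modulus(12345, (1 << 1820) | 12345)   # ~2048-bit, constructed
    print("constructed weak-shaped modulus flagged:", has_roca_fingerprint(n))
    print("chance of a random modulus being flagged <", fingerprint_false_positive_rate())
```

Run the check over every RSA key exported from a YubiKey 4 in the affected firmware range, including keys that were later imported rather than generated on the device, since an imported key inherits whatever weakness its own generator had.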
OTP Password Protection on YubiKey NEO
In January 2018, Yubico disclosed a moderate vulnerability where password protection for the OTP functionality on the YubiKey NEO could be bypassed under certain conditions. The issue was corrected as of firmware version 3.5.0 and Yubico offered free replacement keys to any user claiming to be affected.
Reduced initial randomness on certain FIPS series devices
In June 2019, Yubico released a security advisory reporting reduced randomness in FIPS-certified devices with firmware versions 4.4.2 and 4.4.4 (there is no version 4.4.3) shortly after power-up. Keys generated with reduced randomness may be more easily discovered and compromised than expected. The issue affected the FIPS series only, and then only in certain scenarios, although FIPS ECDSA usage was "at higher risk". The company offered free replacements for any affected keys.
Social activism
Yubico provided 500 YubiKeys to protesters during the 2019–2020 Hong Kong protests. The company stated that the decision was based on its mission to protect vulnerable Internet users, and that it works with free speech supporters.
See also
* OpenPGP card
External links
* Official website
* YubiKey 5 comparison table
* YubiKey FIPS comparison table