How does a YubiKey work?
A YubiKey is a small hardware device that connects to a computer or mobile device (some models do so via a USB port, while some models support wireless connectivity via Near Field Communication). Every YubiKey is manufactured with a distinct identity it gets from cryptographic keys embedded in its firmware during production. When you purchase and set up a YubiKey, you link its unique identity to your accounts and services that support YubiKey authentication.
Then, when you attempt to access any of those accounts or services, the system will prompt for the YubiKey. You insert the YubiKey into a USB-A or USB-C port or tap it against an NFC-enabled device. YubiKeys support multiple different security protocols; the exact ones depend on the model of YubiKey you use. One example is one-time passwords, which are supported by most YubiKey models.
When using the OTP protocol, the YubiKey generates a one-time password (OTP), based on its unique identity each time it’s inserted or tapped against a device. The OTP is time-limited and is not stored or transferred. The YubiKey delivers it to the device through a simulated keyboard input or wireless communication, mimicking the keystrokes of the OTP to make sure it reaches the input field without compromising security. The server or application receiving the OTP decrypts it using secret keys stored both in its own databases and in the YubiKey. YubiKey’s method of generating, transferring, encrypting, and authenticating its OTPs uses industry-standard public-key cryptography.
This process ensures that even if a password is compromised, unauthorized access is impossible without physical possession of the YubiKey.
What is a YubiKey used for?
By offering a tangible, nearly foolproof method of authentication, the YubiKey not only simplifies the user experience but also elevates the security posture of individuals and organizations alike. Here are some of the common ways YubiKeys are used:
- Passwordless authentication: A YubiKey allows users to securely log in to their online accounts without the need for a password, relying solely on the physical YubiKey. This not only simplifies the login process but also significantly reduces the risk of password-related breaches.
- Multi-factor authentication: Sometimes you need even more security than just two-factor authentication. For environments requiring even higher security, the YubiKey can be part of a multi-factor authentication (MFA) strategy. This involves combining something you know (a password), something you have (the YubiKey), and sometimes something you are (biometrics), offering an even more robust defense against unauthorized access.
- Secure remote access: With the rise of remote work, more and more companies need a way to offer secure access to corporate networks and sensitive data. The YubiKey facilitates secure remote access by serving as a physical key to VPNs, remote desktops, and other remote access services. Using a YubiKey ensures that only authorized users, possessing the physical device, can gain access, thereby enhancing the security of remote work environments.
- Identity verification: A YubiKey can be used for a variety of identity verification purposes, from signing digital documents to authenticating identities for online services, ensuring that actions taken are securely tied to the actual user. In online transactions and digital interactions where verifying the identity of a user is crucial, a YubiKey adds a much-needed layer of security.
- Software development and code signing: Developers use YubiKeys to sign their code, verifying their identity and ensuring that the code has not been tampered with since it was signed. This helps maintain the integrity of software projects and protects against malicious code injections.
- Compliance and regulatory requirements: Many industries are subject to regulatory requirements that mandate strong authentication measures to protect sensitive data. YubiKeys help organizations comply with regulations such as GDPR, HIPAA, and FIDO standards, by providing a secure authentication mechanism that can be audited and verified.
What makes a YubiKey different from other 2FA methods?
What sets YubiKey apart from other two-factor authentication methods lies in its combination of convenience, security, and physicality. Unlike SMS or email codes that can be intercepted or fall victim to SIM swapping and account takeovers, the YubiKey's physical nature requires actual possession to use, significantly elevating its security profile. Moreover, unlike authentication apps that generate time-sensitive codes, the YubiKey does not rely on a battery or network connectivity, making it more reliable and user-friendly in a wider range of situations.
Another key advantage is its resistance to phishing attacks. Because the YubiKey communicates directly with the service it's securing, it's immune to counterfeit websites or other phishing schemes designed to capture 2FA codes.
YubiKey supports various authentication protocols, including OTP, Universal 2nd Factor (U2F), FIDO U2F, FIDO2, and more, which makes it a versatile solution compatible with many different online services and applications, from email and cloud storage to online banking and beyond.
Types of YubiKeys
YubiKey, developed by Yubico, comes in various models, each designed to cater to different needs and preferences in terms of connectivity, functionality, and form factor. There are other types of 2FA hardware, but YubiKeys are the best known.
Here’s a brief overview of the types of YubiKeys currently available:
The YubiKey 5 Series
This is Yubico’s flagship line, with products for individuals, small businesses, and enterprises. YubiKeys in the 5 Series support multiple authentication protocols, including OTP, FIDO2, WebAuthn, U2F, OpenPGP, smart cards, and more. They’re versatile and compatible with a wide range of devices, platforms, and applications.
YubiKey 5 FIPS Series
This series was designed to meet Federal Information Processing Standards (FIPS) for environments with strict security requirements. They’re suitable for governments and related industries and support multiple authentication protocols, including smart card, OTP, OpenPGP, FIDO U2F, and FIDO2/WebAuthn.
YubiKey Bio Series
YubiKey Bio Series is great for organizations seeking multi-factor authentication, since these devices incorporate biometric authentication via fingerprint recognition. They support FIDO2/WebAuthn and FIDO U2F authentication protocols, and work out-of-the-box with many operating systems and browsers, including Windows, Mac, Chrome OS, Linux, Chrome, and Edge.
YubiKey 5 CSPN Series
The YubiKey 5 CSPN (Certification de Sécurité de Premier Niveau) Series was designed to comply with French security certification standards. These YubiKeys are commonly used by the French government and related organizations that need similar, high-level security assurance. They offer multi-protocol support across FIDO2/WebAuthn, FIDO U2F, Smart Card and OTP and work across Microsoft Windows, macOS, Android, Linux, and leading browsers.
