This article is intended to provide you with answers to Frequently Asked Questions (FAQ). In this article we cover as much as possible of the what, why, and how of purchasing, implementing, and using your YubiKey. We hope that after reading this you will have a greater understanding of how to use the YubiKey.
Table of contents
- 1. What is a YubiKey?
- 2. Which YubiKey should I buy?
- 3. How do I set up my YubiKey with a Service?
- 4. Where can I buy YubiKeys?
- 5. Is it important to have a Spare Key?
- 6. What are the differences between YubiKey 5 series / Security Key NFC / FIPS / YubiKey Bio?
  - YubiKey 5 series
  - Security Key NFC
  - FIPS 5 series
  - YubiKey Bio - FIDO edition
  - Comparison
- 7. What happens if I lose my YubiKey?
- 8. How do I know if the YubiKey is compatible with my services?
- 9. Can I duplicate my YubiKey?
- 10. Can I login to my computer with a YubiKey?
- 11. What is a YubiKey PIN?
- 12. What are Passkeys?
- 13. Can I use a YubiKey with my iPhone?
- 14. Can I use a YubiKey with my iPad?
  - Do YubiKeys work with iPads with USB-C?
  - Do YubiKeys work with iPads (with lightning ports)?
- 15. Do you have an Education discount?
- 16. Is my YubiKey genuine?
- 17. Can I upgrade my firmware?
- 18. What is the YubiKey's account limit?
  - YubiKey 5 Series firmware 5.7+
  - YubiKey 5 Series with firmware 5.0-5.6
- 19. What is a Security Protocol?
  - WebAuthn
  - FIDO2
  - FIDO Universal 2nd Factor (U2F)
  - OATH-TOTP
  - Yubico OTP
- 20. How do I use the Yubico Authenticator & YubiKey Manager?
  - Yubico Authenticator
  - YubiKey Manager
- 21. My YubiKey is not working, what should I do?
- 22. My NFC is not working, what should I do?
- 23. How can I learn more?
___________________________________________
1. What is a YubiKey?
The YubiKey is a form of 2-Factor Authentication (2FA) that functions as an extra layer of security for your online accounts by providing a strong phishing defense using multi-protocol capabilities that can secure legacy and modern systems.
Two-factor authentication, also known as 2FA, is a method to confirm a user’s claimed online identity by using a combination of two different types of factors. Factors used for 2FA include something that you know (e.g. password or PIN), or something that you have (e.g. a security key or phone) or something that you are (e.g. facial recognition). To learn more about Two-factor authentication, please click here.
With a YubiKey, you simply register it to your account and then when you log in, you are prompted to input your login credentials (username+password) and use your YubiKey (plugged into a USB-port or scanned via NFC). Both login credentials and the YubiKey are required at login, which ensures that this physical layer of protection prevents many account takeovers that can be done virtually.
A single YubiKey has multiple functions for securely authenticating into your email, online services, apps, computers, and even physical spaces. The versatility of the YubiKey requires no software installation or battery and therefore it is ready to use directly out of the package. Just login to the service you want to secure and register the Key with your account.
___________________________________________
2. Which YubiKey should I buy?
You should select your YubiKey based on the services (i.e. websites and apps) and devices you want to use the Key with. Please see this in depth guide for a walkthrough of how to select the correct YubiKey for you!
___________________________________________
3. How do I set up my YubiKey with a Service?
Please see our page here for instructions on how to set up your YubiKey with a service or follow the guide below.
The YubiKey works with hundreds of enterprise, developer and consumer applications, out-of-the-box and with no client software required. Furthermore, as it is up to the service provider how they implement support for the YubiKey, the set-up instructions may differ from service to service. In the step-by-step instructions below we cover the most common way of registering your YubiKey with a service.
Please note that we encourage the initial setup of your YubiKey to be completed on a computer. We also recommend you to set up your main YubiKey as well as any Spare Key at the same time. Please see here for more information on Spare Keys.
- Have your YubiKey accessible as well as any Spare Key.
- Login to the service (i.e. websites or apps) you want to add the YubiKey to. Make sure the service supports the use of the YubiKey.
- Find the account settings of the service and then look for security. From there you should be able to find an option for 2FA/MFA or adding security keys. As stated above, this process can differ between services.
- Follow the instructions provided by the service.
- Register your main YubiKey and Spare Key.
You can find more tailored guides on how to set up your YubiKey via our Works with YubiKey Catalog. Simply search for the service you want to secure, click it, then you will be forwarded to that specific service’s page in the catalog. Here you can also read more about compatible YubiKeys, setup instructions, and technical specifications amongst other things.
___________________________________________
4. Where can I buy YubiKeys?
There are several different places you can purchase YubiKeys. Below are three of our most popular purchasing options:
- From our own Webstore
- From one of our Authorized Resellers
___________________________________________
5. Is it important to have a Spare Key?
We always recommend having more than one YubiKey. This way one key can be used as a primary Key, and the other can be used as a spare Key, just as you would for your house or car.
Having a spare key gives you the assurance that if you lose your primary key, you will not be without access to critical accounts when needing them most. In other words, with a spare Key you have no need to fear being locked out of any accounts and no need to go through a lengthy recovery and identity verification process to regain access to each account.
There are a few ways to register a spare Key and we always encourage you to register your spare at the same time as your primary Key. The process is different depending on if the service supports Yubico OTP and FIDO security protocols, or OATH-TOTP protocol.
To see which security protocols the services you want to secure support, please see our Works with YubiKey Catalog. Keep in mind that for any service that uses Yubico OTP or FIDO security protocols, your spare Key can be registered exactly the same way as your primary Key by following the same setup instructions.
We would like to note that keys are not linked together in any way and cannot be linked. Instead, both keys need to be registered separately to the account and then either can be used when authenticating.
If the service uses the OATH-TOTP protocol which requires the use of the Yubico Authenticator app to generate codes to login, then the process is a bit different. Please see our set-up guide for this security protocol here.
Lastly, the form factor of the Spare Key does not need to be the same as your Primary Key. Just ensure that it supports the security protocols of the service you want to secure.
___________________________________________
6. What are the differences between the YubiKey 5 series / Security Key NFC / FIPS / YubiKey Bio?
YubiKey 5 series
The YubiKey 5 Series is a hardware-based authentication solution that provides superior defense against account takeovers remotely, enables compliance, and is our Key series with the most support for security protocols. If you are unsure which Key to purchase, the YubiKey 5 series could be your best choice.
The 5 series YubiKeys support the following security features and protocols:
WebAuthn, FIDO2, Universal 2nd Factor (U2F), Smart card (PIV-compatible), Yubico OTP, OATH – HOTP (Event), OATH – TOTP (Time), OpenPGP, Secure Static Passwords.
*Please note that it is up to each service to determine which security protocols they support.
Security Key NFC
The Security Key NFC is a FIDO only Key and supports the protocols WebAuthn, FIDO2 and Universal 2nd Factor (U2F). It is important to highlight that not all services have support for FIDO2 or FIDO U2F. Please use our Works with YubiKey Catalog to see if the services you use are compatible. If the Security Key NFC is not compatible with the services you want to secure, you will want to select a YubiKey from the 5 series instead. Please note that it is up to each service to determine which security protocols they support.
Moreover, the Security Key NFC has limited support of the following functions:
*The Security Key NFC can be used with passwordless login and Entra ID.
**The Security Key is FIDO only and is not capable of handling OATH-TOTP (Authenticator codes) within the Yubico Authenticator.
FIPS 5 series
FIPS stands for the Federal Information Processing Standard and is a US Government Computer Security Standard that specifies requirements for cryptographic modules. Essentially FIPS “validates” that cryptographic devices meet the US Government requirements. Moreover, FIPS 140 ONLY applies to the US Government, and the US Government MAY require a regulated industry or organization to utilize FIPS validated cryptography, but this is not necessarily required. You can learn more about FIPS here.
The FIPS 5 series YubiKeys support the following security features and protocols:
WebAuthn, FIDO2, Universal 2nd Factor (U2F), Smart card (PIV-compatible), Yubico OTP, OATH – HOTP (Event), OATH – TOTP (Time), OpenPGP, Secure Static Passwords
We do not encourage the purchase of a YubiKey FIPS Series key for everyday consumer use but only if a service or organization you are working with specifically requires the use of a FIPS certified YubiKey.
For everyday use with your online accounts, we recommend one of our standard YubiKey 5 Series keys mentioned above.
*Please note that our YubiKey 5 FIPS Series are currently shipped with firmware 5.4.3. We are targeting submission of YubiKey 5.7 for FIPS 140-3 validation in October of 2024. To be notified of its availability, please sign up for our Yubico Newsletter.
YubiKey Bio - FIDO Edition
The YubiKey Bio-FIDO Edition does not have NFC functionality and only supports the protocols WebAuthn, FIDO2 and Universal 2nd Factor (U2F). It is important to highlight that not all services have support for FIDO2 or FIDO U2F and the YubiKey Bio-FIDO Edition works best on desktop and modern cloud-first environments. Please use our Works with YubiKey Catalog to see if the services you use are compatible. If the YubiKey BIO is not compatible with the services you want to secure, you will want to select a YubiKey from the 5 series instead. Please note that it is up to each service to determine which security protocols they support.
Moreover, the YubiKey Bio-FIDO Edition has limited support for the following functions:
*The YubiKey Bio-FIDO Edition can be used with passwordless login and Entra ID.
**You can set and manage fingerprint templates for the YubiKey Bio-FIDO Edition in the Yubico Authenticator.
Comparison
For more information about the differences between our various Key Series, please see our Comparison Chart here.
___________________________________________
7. What happens if I lose my YubiKey?
We at Yubico always recommend securing your accounts with an additional YubiKey. However, if you do not have a spare Key and lose your YubiKey, we encourage you to have another form of 2FA added to your accounts to prevent potentially being locked out. Please note that if you do end up being locked out of an account, you will need to contact the service directly for account recovery help. Please see this article for more information.
___________________________________________
8. How do I know if the YubiKey is compatible with my Services?
You can use our Works with YubiKey Catalog to search for a service to see if they have issued support for the YubiKey. Please note, however, that the Catalog may not list all services that are compatible with our products. The reason why the service is not listed could be that they have chosen not to join our Works with YubiKey - Program. Therefore, for services not found in the catalog, we encourage you to reach out to the service to confirm whether they support the YubiKey.
___________________________________________
9. Can I duplicate my YubiKey?
For security reasons, the firmware of our products does not allow stored secrets to be read, meaning it is not possible to “clone” or “duplicate” a YubiKey. In general, the process of creating a backup involves manually registering the spare Key with all services the first Key is registered with. However, there are a few credential types that, if backed up at the time of programming, can be programmed into a second key at a later date (using the spare/saved copy of the credential). For more information on this, please see this article on spare keys.
___________________________________________
10. Can I login to my computer with a YubiKey?
You can use a YubiKey 5 Series, Security Key Series, or YubiKey Bio-FIDO Edition Key to protect data with secure access to computers. We have a range of computer login choices for organizations and individuals. Please follow this link and select your preferred computer login tool for an in-depth setup guide. You can also view the two links below:
Please note that a YubiKey 5 Series key is required to use our computer login tools.
___________________________________________
11. What is a YubiKey PIN?
Listed below are the basics of YubiKey PINs. If you want to read more about YubiKeys and PINs, please read this article.
- A YubiKey can have up to three PINs - one for its FIDO2 function, one for PIV (smart card), and one for OpenPGP.
- The PIV and OpenPGP PINs are set to 123456 by default, but there is no FIDO2 PIN set from the factory.
- If you are being prompted for a PIN (including setting one up), and you're not sure which PIN it is, most likely it is your YubiKey's FIDO2 PIN.
- If you are using a Security Key series Key, FIDO2 is the only PIN you will be prompted for, as the Security Key series Keys do not support PIV and OpenPGP.
- Shown below is an example of what a prompt to create a FIDO2 PIN on a YubiKey might look like in the Windows operating system.
___________________________________________
12. What are Passkeys?
The term passkey is an amalgamation of the terms password and key, a simple but subtle way of highlighting its utility as an authentication mechanism as familiar and ubiquitous as the traditional password, but invoking the imagery of reliability associated with a sturdy lock and a physical key. A passkey is a passwordless digital credential based on the FIDO2 standard, allowing users to authenticate faster, easier and more securely to websites and applications than traditional passwords or weaker forms of MFA. It can be created and stored on mobile devices, computers, hardware security keys and even synchronized to vendor cloud platforms. For more information, please visit this link here.
___________________________________________
13. Can I use a YubiKey with my iPhone?
You can use iPhones 7 and newer with compatible YubiKeys that have a lightning connector and NFC. Please be aware that only iPhones 7 and newer support NFC in the way that is required for use with the YubiKey. The NFC on older iPhone models only works with Apple Pay. To work with a YubiKey, the NFC must have read and write capabilities. Therefore iPhones older than the iPhone 7 are only compatible with our YubiKey 5Ci (lightning).
Please note that you cannot secure the login of your iPhone with a YubiKey.
___________________________________________
14. Can I use a YubiKey with my iPad?
Do YubiKeys work with iPads with USB-C?
You should be able to use your YubiKey with any service that supports Yubico OTP on an iPad over USB-C. If you have an iPad, it is important to mention that our YubiKeys have limited compatibility with the Yubico Authenticator because the iPad does not have NFC capabilities. Please note that in version 1.7.0 of the Yubico Authenticator USB-C support was added to iPads running iPadOS 16.1.
Do YubiKeys work with iPads (with lightning ports)?
For iPads with a lightning port, the YubiKey 5Ci will work with everything the iPhone does, including the Yubico Authenticator application. Moreover, we do not recommend the use of adapters for iPads.
In summary: You should be able to use your key with any service that uses Yubico OTP on an iPad over USB-C. For services that use WebAuthn, FIDO U2F, and FIDO2, the capability is there in iPadOS if you use the Safari browser (this leverages iPadOS native support for WebAuthn). However, some services may simply not give you the option to use a YubiKey if they detect you are logging in from an iPad, which is outside of our control.
For services that support our products via authenticator apps, you should still be able to use Yubico Authenticator with a YubiKey to generate one-time passwords, but you will not be able to do this on your iPad. You will however be able to generate the OTPs on another device, and then hand-copy them onto your iPad.
Please note that you cannot secure the login of your iPad with a YubiKey.
___________________________________________
15. Do you have an Education discount?
Yes! Please visit our Yubico Education page here and fill out the form on the right hand side. You will get a coupon code sent to your email address. Note that the discount code sent will only be usable on our web-store.
___________________________________________
16. Is my YubiKey genuine?
You can verify if your YubiKey is genuine here.
___________________________________________
17. Can I upgrade my firmware?
It is currently not possible to upgrade YubiKey firmware after manufacturing and deployment. To prevent attacks on the YubiKey which might compromise its security, the YubiKey does not permit its firmware to be accessed or altered.
Yubico is dedicated to providing a long-term two-factor authentication solution, and we want your YubiKey to remain useful for the full extent of its lifetime. When we do release new firmware, we strive to ensure new YubiKey software will be backwards compatible.
___________________________________________
18. What is the YubiKey's account limit?
YubiKeys from the 5 Series support 6 different protocols for two-factor authentication, each with its own limit on the number of accounts it can be associated with. Which protocol will be used with a given account varies from service to service (website, app, etc.).
You can find setup instructions, as well as which protocol(s) a particular service uses, on that service's entry in the Works With YubiKey Catalog (e.g. Google Accounts).
The limits for each protocol are summarized below.
YubiKey 5 Series firmware 5.7+
- FIDO2 - the YubiKey 5 can hold up to 100 discoverable credentials (AKA hardware-bound passkeys) in its FIDO2 application.
- FIDO U2F - similar to Yubico OTP, the FIDO U2F application can be registered with an unlimited number of services.
- PIV* - the YubiKey 5's PIV (smart card) application has 4 usable slots per the PIV specification, each serving a specific purpose (authentication, digital signature, key management, and card authentication - click here for further information). In a Microsoft Windows environment and used in conjunction with the YubiKey Smart Card Minidriver, the number of usable certificates expands to approximately 12 (dependent upon many factors including algorithm used as well as various Certification Authority settings).
- OATH-TOTP - the YubiKey 5's OATH application can hold up to 64 OATH-TOTP credentials (AKA authenticator codes).
- OTP - this application can hold two credentials. However, Yubico OTP, one of the most popular kinds of credentials to put in this app, can be registered with an unlimited number of services.
  - The OTP application comes with:
    - Yubico OTP
    - Challenge-Response
    - Static Password
    - OATH-HOTP
- OpenPGP - the YubiKey 5's OpenPGP application can hold up to 3 subkeys (signature, encryption, authentication) linked to a single OpenPGP identity.
*OpenPGP and PIV are less-commonly used than OTP, U2F, FIDO2, and OATH
YubiKey 5 Series with firmware 5.0-5.6
- FIDO2 - the YubiKey 5 can hold up to 25 discoverable credentials (AKA hardware-bound passkeys) in its FIDO2 application.
- FIDO U2F - similar to Yubico OTP, the FIDO U2F application can be registered with an unlimited number of services.
- PIV - the YubiKey 5's PIV (smart card) application has 4 usable slots per the PIV specification, each serving a specific purpose (authentication, digital signature, key management, and card authentication - click here for further information). In a Microsoft Windows environment and used in conjunction with the YubiKey Smart Card Minidriver, the number of usable certificates expands to approximately 12 (dependent upon many factors including algorithm used as well as various Certification Authority settings).
- OATH-TOTP - the YubiKey 5's OATH application can hold up to 32 OATH-TOTP credentials (AKA authenticator codes).
- OTP - this application can hold two credentials and can be registered with an unlimited number of services.
  - The OTP application comes with:
    - Yubico OTP
    - Challenge-Response
    - Static Password
    - OATH-HOTP
- OpenPGP - the YubiKey 5's OpenPGP application can hold up to 3 subkeys (signature, encryption, authentication) linked to a single OpenPGP identity.
If you would like to know the account limits for a different Key not listed above, such as our Security Keys, please see the device page for the specific model of key in our Knowledge Base - Device Specifications section.
___________________________________________
19. What is a Security Protocol?
A security protocol is a set of standards that establish a way of performing security operations, typically authentication (logging in) in the case of YubiKeys.
Modern YubiKeys support 6 separate functions, some with support for multiple protocols, as diagrammed below.
Listed below are the most popular protocols used within our products, each with a short explanation.
WebAuthn
WebAuthn is a new W3C global standard for secure authentication on the Web supported by all leading browsers and platforms. WebAuthn makes it easy to offer users a choice of authenticators to protect their accounts, including external/portable authenticators such as hardware security keys, and built-in platform authenticators, such as biometric sensors.
FIDO2
FIDO2 is the passwordless evolution of FIDO U2F. The overall objective for FIDO2 is to provide an extended set of functionality to cover additional use-cases, with the main driver being passwordless login flows. The U2F model is still the basis for FIDO2 and compatibility for existing U2F deployments is provided in the FIDO2 specs.
FIDO Universal 2nd Factor (U2F)
U2F was developed by Yubico and Google, and contributed to the FIDO Alliance after it was successfully deployed for Google employees. The protocol is designed to act as a second factor to strengthen existing username/password-based login flows. It’s built on Yubico’s invention of a scalable public-key model in which a new key pair is generated for each service and an unlimited number of services can be supported, all while maintaining full separation between them to preserve privacy.
Learn more about FIDO Universal 2nd Factor (U2F)
OATH-TOTP
OATH is an organization that specifies two open authentication standards: TOTP and HOTP. To authenticate using TOTP, the user enters a 6-8 digit code that changes every 30 seconds. The code is generated using HMAC(sharedSecret, timestamp), where the timestamp changes every 30 seconds. The shared secret is often provisioned as a QR code or preprogrammed into a hardware security key. TOTP stands for Time-based One-Time Password. It is usually used with authenticator apps.
Learn more about OATH – TOTP (Time)
Yubico OTP
Yubico OTP is a simple yet strong authentication mechanism that is supported by the YubiKey 5 Series and YubiKey FIPS Series out-of-the-box. Yubico OTP can be used as the second factor in a 2-factor authentication scheme or on its own providing strong single factor authentication.
___________________________________________
20. How do I use the Yubico Authenticator & YubiKey Manager?
Yubico Authenticator
The Yubico Authenticator app allows you to store your credentials on your YubiKey rather than on a device so that your secrets cannot be compromised. The Yubico Authenticator App requires a YubiKey 5 Series to generate OTP codes. More information about the Yubico Authenticator app and how to use your YubiKey with authenticator codes can be found in the links below:
You can download the Yubico Authenticator here.
YubiKey Manager
You can use the YubiKey Manager to configure the FIDO2, OTP and PIV functionality of your YubiKey on Windows, macOS, and Linux operating systems. The YubiKey Manager works with any currently supported YubiKey and you are able to use the tool to check the type and firmware of a YubiKey. In addition, you can use the extended settings to specify other features, such as configuring a 3-second long touch.
You can download YubiKey Manager here.
___________________________________________
21. My YubiKey is not working, what should I do?
To help identify several common issues with the YubiKey, you can follow the instructions listed in this guide.
Please note that the YubiKey uses capacitive touch sensors, so if your skin is dry, it will be harder for a touch to be detected. Lotion may help with this, and you can also try applying more pressure to make sure your finger covers more of the sensor.
If the steps listed in the article above do not resolve your issue, consider opening a support ticket here.
___________________________________________
22. My NFC isn't working, what should I do?
Please follow this guide to troubleshoot the NFC of your YubiKey.
___________________________________________
23. How can I learn more?
Please visit our support page and scroll down until you see our Knowledge base section:
You can then choose what is best for you and click it to learn more!
We also encourage you to sign up for our Newsletter and to visit our Blog to stay up to date on company and partner news, product tips, and industry trends.