This article applies to all YubiKey and Security Key devices.
This article provides you with answers to many common questions you may have about using your YubiKey. Many other questions will be specific to the service or website you want to use your YubiKey with, such as how to log in to Google or Facebook with a YubiKey that supports FIDO U2F or how to set up LastPass. For information on how to set up your YubiKey with a specific service, see Getting Started.
How to store your YubiKey
The standard-sized YubiKey (such as the YubiKey 4, YubiKey NEO, and FIDO U2F Security Key, as well as the YubiKey Standard and YubiKey Edge) are made of injection-molded plastic encasing the circuitry. The exposed elements consist of military-grade hardened gold. Water-resistant and crush-resistant, the standard-sized YubiKey attaches to your keychain alongside your house and car keys.
The YubiKey 4C, also designed for keychains, is rugged and has no batteries or moving parts.
The smaller format YubiKey (YubiKey 4 Nano, YubiKey NEO-n,YubiKey Nano, and YubiKey Edge-n), while they can be placed on a lanyard and put on your keychain, are intended to be inserted in a USB port and not removed on a regular basis. The YubiKey 4C Nano has a patent-pending, minimalist form factor for USB-C ports and is designed to stay in the USB port..
In June of 2016, the YubiKey 4 Nano was manufactured as a new “molded” form factor. This molded form factor makes it more difficult to insert the Nano incorrectly. The devices are also crush-resistant and water-resistant.
How to backup your YubiKey?
It is not possible to create an exact copy of a YubiKey, but in some cases it is possible to make a copy of the credentials stored in the YubiKey.
YubiKeys are, by design, write-only devices. This means that secrets to the credential can only be written into, and not read out of the device. If a credential is to be copied, it must be known beforehand, either written down (or copied) while programming the YubiKey using the YubiKey Personalization Tool, or by accessing the configuration log created during programming. Furthermore, only some credentials can be copied. Static Password and Challenge-Response credentials can be copied, however the Yubico OTP and OATH-HOTP credentials cannot.
To store a Static Password credential for later use, save and then store the string entered in the YubiKey Personalization Tool if you are programming the YubiKey in scan code mode, or the values in the Password Parameters fields if you are programming the YubiKey in advanced mode.
To store a Challenge-Response credential, save and then store the values entered in their respective Parameters fields when programming the YubiKey using the YubiKey Personalization Tool.
You can also set logging in the YubiKey Personalization Tool to use Traditional format. Using this format, you can extract the information for both the Static Password and Challenge-Response credentials. Save the log file as a .csv, program the YubiKey, then save the log file again. You can compare the two files. (Note that there are no column headings in the log file.)
To use another YubiKey for a backup in a system that implements either Yubico OTP or OATH-HOTP credentials, you may be given the option to associate multiple YubiKeys with your account. For example, you can associate multiple keys with one LastPass Premium account. If you do not find options to associate multiple YubiKeys with your account, contact the administrator for that service directly.
If you don’t have your YubiKey with you
The answer depends on what option each application vendor and service provider offers you to address such a situation. It is common practice that the application or service may offer options to temporarily disable the need for the YubiKey authentication, and fallback to one-factor authentication for certain duration (such as a day). Other applications may provide temporary OTPs over other communication channels, such as with SMS or email. Some applications may even support backup mobile tokens. All these options need to be implemented by the application vendor or service provider in a way that suits their security requirements. Check with the application or service provider to see how they handle the situation when your YubiKey is unavailable.
If you lose the YubiKey
We recommend that you register at least two YubiKeys for each service where you enable two-factor authentication. If you lose a YubiKey, log in using your backup key or another backup option (i.e. Google Authenticator or backup codes). Access the security settings on your account, remove the lost YubiKey from the list of registered keys. For more information, see our Knowledge Base article.
Which browsers support U2F?
You must be running Google Chrome version 38 or later, or Opera version 40 or later. Both browsers include support for the U2F protocol.
To check version numbers:
- For Google Chrome: In the Chrome toolbar, click the Chrome menu, then select About Google Chrome.
- For Opera: In the Opera toolbar, click Menu, then select About Opera.
Firefox Quantum now natively supports U2F. FIDO U2F is not turned on by default in the Firefox browser. In addition to enabling U2F, some services may not recognize it. Mozilla plans to only support the out-of-the-box experience with FIDO U2F devices using Web Authentication APIs developed by the World Wide Web Consortium (W3C).
In many ways, the FIDO Alliance’s FIDO2 project is the next-generation of FIDO U2F, as it will pave the way for things like multi-factor and passwordless login, while still supporting two-factor authentication (2FA) functionalities of the original FIDO U2F standard. As Web Authentication specifications will likely not be complete until late 2018, users will need to wait for the seamless experience with U2F devices in Firefox until the Web Authentication API integration is done.
How do I enable FIDO U2F in Firefox Quantum?
While the FIDO U2F experience in Firefox is limited at the moment, turning it on is very simple. It takes three steps.
- Type about:config into the Firefox browser
- Search for “u2f”
- Double-click on security.webauth.u2f to enable U2F
It’s important to understand that every FIDO U2F implementation can vary from the official specifications. Some sites supporting FIDO U2F have made accommodations for the incompleteness of Firefox’s implementation, but some have not. In other situations, some services may not work with Firefox Quantum because of a service-specific implementation.
At this time, these are the only browsers supported. Microsoft is working within the FIDO Alliance to eventually bring support to Windows 10 and the Edge browser.
Dashlane is the first standalone application that is not browser-based. While Dashlane does offer browser plug-ins, the application itself does not require Chrome. Install Dashlane Premium on your computer, configure Dashlane to require YubiKey on login, and that’s it! For more information on how to install and use Dashlane, see the Dashlane Support Center.
If you want to log in from an unsupported browser (such as Internet Explorer, Edge, or Safari)?
Mozilla is currently building support for U2F and Microsoft is working within the FIDO Alliance to bring support to Edge and Windows 10. For now, you can use backup codes from Google Authenticator or Yubico Authenticator, for two-factor authentication if your browser doesn’t support U2F. Here is how to use Yubico Authenticator together with a YubiKey to get one-time codes that work with various services.