YubiKey 5 Series Technical Manual

Applicable Products


Introduction

The YubiKey 5 Series security keys offer strong authentication with support for multiple protocols, including FIDO2, which is the new standard that enables the replacement of password-based authentication. The YubiKey strengthens security by replacing passwords with strong hardware-based authentication using public key cryptography.

What’s New?

FIDO2

All devices in the YubiKey 5 Series support FIDO2, enabling secure passwordless authentication on sites and applications that support the protocol.

NFC

The YubiKey 5 NFC brings NFC capabilities to the YubiKey 5 Series. All of the applications, including FIDO2, are available over NFC, expanding the options for quick tap-n-go authentication across desktops, laptops, and mobile devices. This makes the YubiKey 5 NFC an ideal upgrade for the YubiKey NEO, which lacked some features such as ECC PIV certificates, larger PIV certificates, RSA 4096 for OpenPGP keys, and the ability to require a touch for PIV and OpenPGP operations.

Easier Identification

The YubiKey 5 Series devices can report their form factor via the PIV application, as well as whether or not they have an NFC interface. This enables easier, programmatic identification of the physical attributes of the YubiKey. For more information about how to query this information, see the YubiKey 5 Series Configuration Reference Guide.

Physical Attributes


YubiKey 5 NFC
YubiKey 5 Nano
YubiKey 5C
YubiKey 5C Nano
Dimensions
18mm x 45mm x 3.3mm
12mm x 13mm x 3.1mm
12.5mm x 29.5mm x 5mm
12mm x 10.1mm x 7mm
Weight
3g
1g
2g
1g
Physical Interfaces
USB, NFC
USB
USB
USB
Operating Temperatures
0 °C to 40 °C (32 °F to 104 °F)
0 °C to 40 °C (32 °F to 104 °F)
0 °C to 40 °C (32 °F to 104 °F)
0 °C to 40 °C (32 °F to 104 °F)
Storage Temperatures
-20 °C to 85 °C (-4 °F to 185 °F)
-20 °C to 85 °C (-4 °F to 185 °F)
-20 °C to 85 °C (-4 °F to 185 °F)
-20 °C to 85 °C (-4 °F to 185 °F)

Understanding the Physical Interfaces

Physical interfaces are the ways that a computer, phone, or other device can connect with the YubiKey in order to communicate with it.

USB

All of the models in the YubiKey 5 Series provide a USB 2.0 interface, regardless of the form factor of the USB connector. The YubiKey will present itself as a USB composite device in addition to each individual USB interface.

The USB PID and iProduct string will change depending on which of the USB interfaces enabled and are described in the table below. Yubico’s USB vendor ID (VID) is 0x1050.

USB Interfaces
PID
iProduct String
OTP
0x0401
YubiKey OTP
FIDO
0x0402
YubiKey FIDO
CCID
0x0404
YubiKey CCID
OTP, FIDO
0x0403
YubiKey OTP+FIDO
OTP, CCID
0x0405
YubiKey OTP+CCID
FIDO, CCID
0x0406
YubiKey FIDO+CCID
OTP, FIDO, CCID
0x0407
YubiKey OTP+FIDO+CCID

The OTP interface is enabled when the OTP application is enabled over USB. The FIDO interface is enabled when the U2F or FIDO2 applications are enabled over USB. The CCID interface is enabled when the PIV, OATH or OpenPGP applications are enabled over USB.

NFC

In addition to USB, the YubiKey 5 NFC also provides an NFC wireless interface for additional convenience. Unlike the YubiKey NEO, the YubiKey 5 NFC does not support RFID tags, such as MIFARE Classic and MIFARE DESFire.

The NDEF URI has been updated to a new format; an example of the new format is provided below. The <OTP> value will be replaced with the OTP generated by the YubiKey.

https://my.yubico.com/yk/#<OTP>

For operations that require a touch, all touch requests within the first 20 seconds of the operation will succeed. After a period of inactivity, a YubiKey placed on a desktop NFC reader may power down to help prevent unintended access to the device. To regain connectivity with an NFC reader, remove the YubiKey from the reader and reposition it on the reader. Some NFC readers may power cycle and in doing so, prevent the device from powering down.

Understanding the USB Interfaces

USB Interfaces are the different channels that software can use to communicate with the YubiKey when it is connected via USB. Each interface enables a specific set of applications on the YubiKey; if an interface is disabled, none of the applications that use that interface will be available. Note: With previous YubiKeys and older Yubico software, the USB Interfaces were referred to as “modes” and the FIDO interface was called the U2F mode.

OTP

The OTP interface presents itself to the operating system as a USB keyboard. The OTP application is accessible over this interface. Output is sent as a series of keystrokes from a virtual keyboard. This allows for OTP to be used in any environment which can accept standard keyboard input.

FIDO

The FIDO interface provides access to the FIDO2 and U2F applications. This interface presents itself as a generic human interface device (HID).

CCID

The CCID interface provides communication for the PIV / Smart Card, OATH (HOTP and TOTP), and OpenPGP applications. The YubiKey presents itself to the operating system as a USB smart card reader. Each of the applications presents itself as a separate smart card attached to that reader.

Understanding the Applications

The YubiKey 5 Series provides six applications for a wide variety of authentication options: OTP, U2F, FIDO2, Smart Card, OATH, and OpenPGP. The applications are all separate from each other, with separate storage for keys and credentials.

Each application can be enabled and disabled independently per physical interface. For example, on the YubiKey 5 NFC, the FIDO2 application can be enabled over USB, but disabled over NFC. Optionally, a lock code can be set that prevents unauthorized changes to which applications are enabled or disabled. Reviewing and changing the application interfaces may be done using the YubiKey Manager.

OTP

The OTP application provides two programmable slots, each of which can hold one of the types of credentials listed below. A Yubico OTP credential is programmed to slot one during manufacturing so that the YubiKey is ready to use with many popular services that use this feature. The credential in the first slot is accessed by a short touch on the metal contact of the YubiKey; the second slot is accessed by a long touch of 3 seconds (if programmed).

Yubico OTP

Yubico OTP is a simple yet strong authentication mechanism that is supported by all YubiKeys (except Security Keys) out-of-the-box. Yubico OTP can be used as the second factor in a two-factor authentication (2FA) scheme or on its own, providing single-factor authentication.

The OTP generated by the YubiKey is two parts, with the first 12 characters being the public identity which a validation server can link to a user, while the remaining 32 characters are the unique passcode that is changed each time an OTP is generated.

The character representation of the Yubico OTP may look a bit strange at first sight but is designed to cope with various keyboard layouts causing potential ambiguities when decoded. USB keyboards send their keystrokes by the means of “scan codes” rather than the actual character representation. The translation to keystrokes is done by the computer. For the YubiKey, it is crucial that the same code is generated if it is inserted in a German computer with a QWERTZ layout, a French one with an AZERTY layout, or a US one with a QWERTY layout. The “Modhex”, or Modified Hexadecimal coding, was invented by Yubico to use only specific characters to ensure that the YubiKey works out-of-the-box with the maximum number of keyboard layouts.

Static Password

A static password can be programmed to the YubiKey so that it will type the password for you when the metal contact is touched. For managing multiple passwords, see the password managers that the YubiKey can secure with 2FA.

HMAC-SHA1 Challenge-Response

A HMAC-SHA1 Challenge-Response credential enables software to send a challenge to the YubiKey and verify that an expected, predetermined response is returned. This credential can also be set to require a touch on the metal contact before the response is sent to the requesting software. This type of credential must be activated by the software sending the challenge, and cannot be activated by touching the metal contact on the YubiKey. This type of credential is most often used for offline authentication, as it does not require contacting a server for validation.

OATH-HOTP

When a OATH-HOTP credential is programmed, the OTP is generated using the standard RFC 4226 HOTP algorithm and the YubiKey will automatically type the OTP. Optionally, the OTP can be prefixed by a public identity, conforming to the openauthentication.org Token Identifier Specification.

U2F

U2F is an open standard that provides strong, phishing resistant two-factor authentication for web services using public key cryptography. U2F does not require any special drivers or configuration to use, just a compatible web browser. The U2F application on the YubiKey can be associated with an unlimited number of U2F sites.

FIDO2

Like FIDO U2F, the FIDO2 standard offers the same high level of security, as it is based on public key cryptography. In addition to providing phishing resistant two-factor authentication, the FIDO2 application on the YubiKey allows for the storage of resident credentials. As the resident credentials can store the username and other data, this allows for truly passwordless authentication. YubiKey 5 Series devices can hold up to 25 resident keys. If RSA keys are used, there is a maximum of three RSA with the rest being ECC.

The resident credentials can be left unlocked and used for strong single-factor authentication, or they can be protected by a PIN for two-factor authentication. The FIDO2 PIN can be up to 128 characters in length. Once a FIDO2 PIN is set, it can be changed but it cannot be removed without resetting the FIDO2 application.

Note: Resetting the FIDO2 application will also reset the U2F key. No site you have registered the YubiKey with using U2F will work until the YubiKey is re-registered with that site.

Default Values

  • PIN: None set.

AAGUID Values

The FIDO2 specification states that an AAGUID must be provided during attestation. An AAGUID is a 128-bit identifier indicating the type of the authenticator. Authenticators with the same capabilities and firmware, such as the YubiKey 5 series devices without NFC, can share the same AAGUID.

Device
AAGUID
YubiKey 5 NFC
fa2b99dc-9e39-4257-8f92-4a30d23c4118
YubiKey 5 Nano
cb69481e-8ff7-4039-93ec-0a2729a154a8
YubiKey 5C
cb69481e-8ff7-4039-93ec-0a2729a154a8
YubiKey 5C Nano
cb69481e-8ff7-4039-93ec-0a2729a154a8

Smart Card (PIV Compatible)

The YubiKey 5 Series provides a PIV-compatible smart card application. PIV, or FIPS 201, is a US government standard. It enables RSA or ECC sign/encrypt operations using a private key stored on a smart card through common interfaces like PKCS#11. On Windows, the smart card functionality can be extended with the YubiKey Smart Card Minidriver.

YubiKey 5 Series devices support extended APDUs, extended answer to reset (ATR), and answer to select (ATS).

Default Values

  • PIN: 123456
  • PUK: 12345678
  • Management Key (3DES): 010203040506070801020304050607080102030405060708

Supported Algorithms

The YubiKey 5 Series supports the following algorithms on the smart card application.

  • RSA 1024
  • RSA 2048
  • ECC P-256
  • ECC P-384

Policies

PIN Policy
To specify how often the PIN needs to be entered for access to the credential in a given slot, set a PIN policy for that slot. This policy must be set upon key generation or importation and cannot be changed later.

Touch Policy
In addition to requiring the PIN, the YubiKey can require a physical touch on the metal contact. Similar to the PIN policy, the touch policy must be set upon key generation or importation.

Slot Information

The keys and certificates for the smart card application are stored in slots, which are described below. The PIN policies described below are the defaults, before they are overridden with a custom PIN policy. These slots are separate from the programmable slots in the OTP application.

Slot 9a: PIV Authentication
This certificate and its associated private key is used to authenticate the card and the cardholder. This slot is used for things like system login. To perform any private key operations, the end user PIN is required. Once the correct PIN has been provided, multiple private key operations may be performed without additional cardholder consent.

Slot 9c: Digital Signature
This certificate and its associated private key is used for digital signatures for the purpose of document, email, file, and executable signing. To perform any private key operations, the end user PIN is required. The PIN must be submitted immediately before each sign operation to ensure cardholder participation for every digital signature generated.

Slot 9d: Key Management
This certificate and its associated private key is used for encryption for the purpose of confidentiality. This slot is used for encrypting emails or files. The end user PIN is required to perform any private key operations. Once the correct PIN has been provided, multiple private key operations may be performed without additional cardholder consent.

Slot 9e: Card Authentication
This certificate and its associated private key is used to support additional physical access applications, such as providing physical access to buildings via PIV-enabled door locks. The end user PIN is NOT required to perform private key operations for this slot.

Slots 82-95: Retired Key Management
These slots are meant for previously used Key Management keys to be able to decrypt earlier encrypted documents or emails.

Slot f9: Attestation
This slot is only used for attestation of other keys generated on device with instruction f9. This slot is not cleared on reset, but can be overwritten.

Attestation

Attestation enables you to verify that a key on the smart card application was generated on the YubiKey and was not imported. An X.509 certificate for the key to be attested is created if the key has been generated on the device. Included in the certificate are the following extensions that provide information about the YubiKey.

  • 1.3.6.1.4.1.41482.3.3: Firmware version, encoded as three bytes. For example, 050100 indicates firmware version 5.1.0.
  • 1.3.6.1.4.1.41482.3.7: Serial number of the YubiKey, encoded as an integer.
  • 1.3.6.1.4.1.41482.3.8: Two bytes, the first encoding the PIN policy and the second encoding the touch policy.  
    • PIN policy: 01 - never require PIN, 02 - require PIN once per session, 03 - always require PIN.
    • Touch policy: 01 - never require touch, 02 - always require touch, 03 - cache touch for 15 seconds.
  • 1.3.6.1.4.1.41482.3.9: YubiKey’s form factor, encoded as a one-byte octet-string.  
    • USB-A Keychain: 0x01
    • USB-A Nano: 0x02
    • USB-C Keychain: 0x03
    • USB-C Nano: 0x04
    • Undefined: 0x00

Changes

Answer to Reset (ATR) and Answer to Select (ATS)
The ATR has been changed from “Yubikey 4” to “YubiKey” and adds support for ATS.

PIV Attestation Root CA
The YubiKey 5 Series devices have a PIV attestation root certificate authority different from the one previous YubiKeys had. You can download the certificate of the new root certificate authority on the PIV attestation page.

OATH

The OATH application can store up to 32 OATH credentials, either OATH-TOTP (time based) or OATH-HOTP (counter based). In order to manage these credentials and read the OTPs generated by the YubiKey, the Yubico Authenticator software is needed. In order to restrict access to the OTPs, a password can be set for this application.

OpenPGP

The OpenPGP application provides an OpenPGP compatible smart card according to version 2.0 of the specification. This can be used with compatible PGP software such as GnuPG (GPG) and can store one PGP key each for authentication, signing, and encryption. Similar to the PIV / Smart Card touch policy, the OpenPGP application can also be set to require the metal contact be touched to authorize an operation.

Default Values

  • PIN: 123456
  • Admin PIN: 12345678

Supported Algorithms

  • RSA 1024
  • RSA 2048
  • RSA 3072
  • RSA 4096

Note: RSA 3072 and RSA 4096 require GnuPG version 2.0 or higher.

Managing the Enabled Applications

YubiKey Manager can be used to check which applications are enabled on which interface and to enable or disable each application on each physical interface. To check which applications are enabled, open YubiKey Manager and click on Interfaces. To change which applications are enabled, use the checkboxes to select the ones you want enabled and click the Save Interfaces button.

Once the desired applications have been selected, a lock code can be set to prevent changes to the set of enabled applications. This is done using the YubiKey Manager command line interface command ykman config set-lock-code. The lock code is 16 bytes presented as 32 hex characters.

Software

YubiKey Manager

YubiKey Manager is used to configure all aspects of the YubiKey 5 Series devices. It has both a graphical interface and a command line interface. It is open source, cross-platform, and runs on Windows, macOS, and Linux. Some of the more advanced options are only available through the command line.

Graphical Interface

The graphical interface of YubiKey Manager provides an easy-to-use method of performing basic configuration tasks of the YubiKey 5 Series, including:

  • Display information about the YubiKey(s) connected to the computer.
  • Enable or disable applications per physical interface.
  • Set or change the FIDO2 PIN, as well as reset the FIDO application.
  • Manage the credentials in the OTP application.

Command Line Interface

The command line interface of YubiKey Manager is accessed by running the ykman command. Using ykman, you can do everything that the graphical interface can and more. This includes, but is not limited to:

  • Enable or disable applications and prevent unauthorized changes by setting a lock code.
  • Manage the credentials in the PIV / Smart Card application, and reset it.
  • Manage and generate OTPs from the credentials in the OATH application, and reset the application.
  • Reset the OpenPGP application and set the OpenPGP touch policy.

For usage information and examples for ykman, see the YubiKey Manager CLI User Manual.

Yubico Authenticator

Yubico Authenticator is used to manage credentials on the OATH application and display the OTPs generated by the YubiKey. Yubico Authenticator is required in order to generate OTPs for OATH-TOTP credentials as the YubiKey does not contain a battery and thus cannot track time. It is open source, cross-platform, and runs on Windows, macOS, Linux, and Android. The Android version of Yubico Authenticator can communicate with YubiKeys over NFC or USB.

YubiKey Smart Card Minidriver

The YubiKey Smart Card Minidriver extends the PIV / Smart Card application on the YubiKey on Windows, allowing for easier deployment and management. Key benefits include:

  • Enrollment of the YubiKey using standard Windows utilities.
  • Auto-enrollment, enabling user self-provisioning of a YubiKey and automatic renewal.
  • Multiple authentication certificates on one YubiKey.
  • Changing of the PIN from the Ctrl+Alt+Del menu.
  • Unblocking of the PIN using the PUK at the Windows logon screen.

To get started with the YubiKey Smart Card Minidriver, see the deployment guide and user guide.

Note: Version 4.0 or newer of the minidriver is required for use with YubiKey 5 Series devices.

YubiKey PIV Manager

YubiKey PIV Manager is a graphical tool for managing the PIV / Smart Card application on the YubiKey. It can be used to manage the keys and certificates on the YubiKey as well as change the PIN, PUK, and management key.

YubiKey PIV Manager can also provision a YubiKey with certificates to use with the macOS smart card pairing.

Troubleshooting

If you run into any issues with a YubiKey 5 Series device, refer to the Knowledge Base and search for your issue. If your issue is not listed in the Knowledge Base, or if you have any technical questions, you can open a ticket with our Technical Support team.


Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.