YubiKey 5 Series Technical Manual

Applicable Products


Introduction

The YubiKey 5 Series security keys, supported by the Yubi Platform, offer strong authentication with support for multiple protocols, including FIDO2, which is the new standard that enables the replacement of password-based authentication. The YubiKey strengthens security by replacing passwords with strong hardware-based authentication using public key cryptography.

What’s New?

FIDO2

All devices in the YubiKey 5 Series support FIDO2, enabling secure passwordless authentication on sites and applications that support the protocol.

NFC

The YubiKey 5 NFC brings NFC capabilities to the YubiKey 5 Series. All of the applications, including FIDO2, are available over NFC, expanding the options for quick tap-n-go authentication across desktops, laptops, and mobile devices. This makes the YubiKey 5 NFC an ideal upgrade for the YubiKey NEO, which lacked some features such as ECC PIV certificates, larger PIV certificates, and RSA 4096 for OpenPGP keys.

Note: Authentication on an iOS device over NFC is limited to OTP only at this time.

5Ci

The YubiKey 5Ci is the first hardware authenticator of its kind enabled with dual USB-C and Lightning® connectors on a single security key. With multi-protocol capabilities, supporting OTP, U2F, FIDO2/WebAuthn, and Smart Card requirements, the YubiKey 5Ci provides a unified solution for secure logins on mobile and computing devices. The Lightning connector enables secure login across iPhone 5, 6, 7, 8 and X, XS and XR, as well as most iPad models. 

Having completed Apple’s MFi certification program, the YubiKey 5Ci is Made for iPhone, iPad, and iPod: an electronic accessory specifically designed for the Lightning connector of iPhones, iPads, and iPods and certified to meet Apple performance standards.

The YubiKey 5Ci is the first YubiKey to roll out new feature enhancements to FIDO2 and OpenPGP. Details on the new functionality can be found at our guides to the Enhancements to FIDO 2 Support and Enhancements to OpenPGP Support.

Note: The YubiKey 5Ci will work as OTP over USB-C on the iPad Pro, but other functionalities have limitations. While we can't currently provide timing, it is our goal for the device to work across all products with Lightning and USB-C ports seamlessly. 

Apple, Lightning, Mac, and macOS are trademarks of Apple Inc., registered in the U.S. and other countries.

Easier Identification

The YubiKey 5 Series devices can report their form factor via the PIV application, as well as whether or not they have an NFC interface. This enables easier, programmatic identification of the physical attributes of the YubiKey. For more information about how to query this information, see the YubiKey 5 Series Configuration Reference Guide.

Physical Attributes


Model            Dimensions               Weight  Physical Interfaces
YubiKey 5 NFC    18mm x 45mm x 3.3mm      3g      USB, NFC
YubiKey 5 Nano   12mm x 13mm x 3.1mm      1g      USB
YubiKey 5C       12.5mm x 29.5mm x 5mm    2g      USB
YubiKey 5C Nano  12mm x 10.1mm x 7mm      1g      USB
YubiKey 5Ci      12mm x 40.3mm x 5mm      2.9g    USB, Lightning®

All five models have an operating temperature range of 0 °C to 40 °C (32 °F to 104 °F) and a storage temperature range of -20 °C to 85 °C (-4 °F to 185 °F).

Understanding the Physical Interfaces

Physical interfaces are the ways that a computer, phone, or other device can connect with the YubiKey in order to communicate with it.

USB

All of the models in the YubiKey 5 Series provide a USB 2.0 interface, regardless of the form factor of the USB connector. The YubiKey will present itself as a USB composite device in addition to each individual USB interface.

The USB PID and iProduct string change depending on which USB interfaces are enabled; the values are described in the YubiKey USB ID Values guide.

Apple Lightning® Connector

With the YubiKey 5Ci, support for the Apple Lightning connector was introduced. The YubiKey 5Ci will present itself as an Apple iOS peripheral, and will be able to interact with either: 

  • Any iOS app utilizing the Yubico YubiKey iOS SDK or 
  • Natively via touch-triggered OTP. 

All features of the YubiKey 5 are supported over the Lightning connector, including FIDO2, PIV, OpenPGP, OATH and OTP. The Yubico iOS SDK can be accessed at https://github.com/YubicoLabs/yubikit-ios.

When connecting the YubiKey 5Ci via the Lightning connector, the enabled-interfaces setting is shared by the USB and Lightning connectors: enabling or disabling an interface applies to both connections.

The USB PID and iProduct string presented when connecting via the Lightning connector are described in the YubiKey USB ID Values guide.

NFC

In addition to USB, the YubiKey 5 NFC also provides an NFC wireless interface for additional convenience. The YubiKey 5 NFC implements the ISO/IEC 14443-A and ISO/IEC 14443-4 NFC formats; RFID implementations outside these ISO standards are not supported.

The NDEF URI has been updated to a new format; an example of the new format is provided below. The <OTP> value will be replaced with the OTP generated by the YubiKey.

https://my.yubico.com/yk/#<OTP>

For operations that require a touch, all touch requests within the first 20 seconds of the operation will succeed. After a period of inactivity, a YubiKey placed on a desktop NFC reader may power down to help prevent unintended access to the device. To regain connectivity with an NFC reader, remove the YubiKey from the reader and reposition it on the reader. Some NFC readers may power cycle and in doing so, prevent the device from powering down.

Understanding the Apple Lightning® Connector Interfaces

As with the USB interface, communication between iOS and the YubiKey 5Ci over the Lightning connector uses a variety of channels. Touch-triggered OTPs can be used natively with iOS. However, for an iOS app to use the advanced protocols that send information to and receive information from the YubiKey 5Ci, the app must use the Yubico SDK and be registered with Yubico. This can be done via the Yubico iOS SDK App submission page.

Understanding the USB Interfaces

USB Interfaces are the different channels that software can use to communicate with the YubiKey when it is connected via USB. Each interface enables a specific set of applications on the YubiKey; if an interface is disabled, none of the applications that use that interface will be available.

Note: With previous YubiKeys and older Yubico software, the USB Interfaces were referred to as “modes” and the FIDO interface was called the U2F mode.

OTP

The OTP interface presents itself to the operating system as a USB keyboard. The OTP application is accessible over this interface. The OTP interface is supported natively across all desktop OS environments (macOS, Windows, Linux) as well as on mobile OS platforms (iOS, Android). Output is sent as a series of keystrokes from a virtual keyboard, allowing the OTP application to work with any environment that accepts standard USB keyboard input, including iOS.

FIDO

The FIDO interface provides access to the FIDO2 and U2F applications. This interface presents itself as a generic human interface device (HID). The FIDO interface is supported on all desktop platforms running WebAuthn-compatible browsers or applications, as well as on Android.  To access the FIDO interface on iOS, the Yubico iOS SDK is required.

CCID

The CCID interface provides communication for the PIV / Smart Card, OATH (HOTP and TOTP), and OpenPGP applications. The YubiKey presents itself to the operating system as a USB smart card reader. Each of the applications presents itself as a separate smart card attached to that reader. The CCID interface is supported on Windows, macOS, and Linux (with the PC/SC package), as well as on Android. To access the CCID interface on iOS, the Yubico iOS SDK is required.

Understanding the Applications

The YubiKey 5 Series provides six applications for a wide variety of authentication options: OTP, U2F, FIDO2, Smart Card, OATH, and OpenPGP. The applications are all separate from each other, with separate storage for keys and credentials.

Each application can be enabled and disabled independently per physical interface. For example, on the YubiKey 5 NFC, the FIDO2 application can be enabled over USB, but disabled over NFC. Optionally, a lock code can be set that prevents unauthorized changes to which applications are enabled or disabled. Reviewing and changing the application interfaces may be done using the YubiKey Manager.

OTP

The OTP application provides two programmable slots, each of which can hold one of the types of credentials listed below. A Yubico OTP credential is programmed to slot one during manufacturing so that the YubiKey is ready to use with many popular services that use this feature. The credential in the first slot is accessed by a short touch on the metal contact of the YubiKey; the second slot is accessed by a long touch of 3 seconds (if programmed). Output is sent as a series of keystrokes from a virtual keyboard, allowing the OTP application to work with any environment which supports USB keyboard input, including iOS.

Yubico OTP

Yubico OTP is a simple yet strong authentication mechanism that is supported by all YubiKeys (except Security Keys) out-of-the-box. Yubico OTP can be used as the second factor in a two-factor authentication (2FA) scheme or on its own, providing single-factor authentication.

The OTP generated by the YubiKey consists of two parts: the first 12 characters are the public identity, which a validation server can link to a user, while the remaining 32 characters are the unique passcode that changes each time an OTP is generated.

The character representation of the Yubico OTP may look a bit strange at first sight but is designed to cope with various keyboard layouts causing potential ambiguities when decoded. USB keyboards send their keystrokes by the means of “scan codes” rather than the actual character representation. The translation to keystrokes is done by the computer. For the YubiKey, it is crucial that the same code is generated if it is inserted in a German computer with a QWERTZ layout, a French one with an AZERTY layout, or a US one with a QWERTY layout. The “Modhex”, or Modified Hexadecimal coding, was invented by Yubico to use only specific characters to ensure that the YubiKey works out-of-the-box with the maximum number of keyboard layouts.
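The following is an added example, not code from Yubico or this manual: the first step a validation server takes on a Yubico OTP as described above. It extracts the OTP from the NDEF URI format shown in the NFC section, checks that every character is Modhex, and splits it into the 12-character public identity and the 32-character passcode; the sample OTP is constructed, not generated by a real key.

```python
"""Added example, not Yubico's code: the first step a validation server
takes on a Yubico OTP as described above. It pulls the OTP out of the
NDEF URI format shown earlier, checks that every character is Modhex,
and splits it into the 12-character public identity and the 32-character
passcode. The sample OTP is constructed, not generated by a real key."""
from typing import Tuple
from urllib.parse import urlsplit

# Modhex alphabet: the position of each letter is its hex nibble value
# (c=0, b=1, d=2, ... v=15). Only these 16 letters land on the same keys
# across QWERTY, QWERTZ and AZERTY layouts, so the typed OTP survives.
MODHEX = "cbdefghijklnrtuv"
PUBLIC_ID_LEN = 12
PASSCODE_LEN = 32


def modhex_decode(text: str) -> bytes:
    """Convert a Modhex string to bytes; rejects anything outside the alphabet."""
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError("not a Modhex string: %r" % text)
    nibbles = [MODHEX.index(ch) for ch in text]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def modhex_encode(data: bytes) -> str:
    """Inverse of modhex_decode, e.g. for rendering a stored public ID."""
    return "".join(MODHEX[b >> 4] + MODHEX[b & 0x0F] for b in data)


def otp_from_ndef_uri(uri: str) -> str:
    """Extract <OTP> from the NDEF URI format https://my.yubico.com/yk/#<OTP>."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or parts.netloc != "my.yubico.com" \
            or not parts.path.startswith("/yk/"):
        raise ValueError("not a YubiKey NDEF URI")
    if not parts.fragment:
        raise ValueError("URI carries no OTP in its fragment")
    return parts.fragment


def split_otp(otp: str) -> Tuple[str, str]:
    """Return (public_id, passcode). The public ID is what the validation
    server links to a user; the passcode is the part that changes every time."""
    if len(otp) != PUBLIC_ID_LEN + PASSCODE_LEN:
        raise ValueError("expected %d characters, got %d"
                         % (PUBLIC_ID_LEN + PASSCODE_LEN, len(otp)))
    modhex_decode(otp)  # raises if any character is outside the alphabet
    return otp[:PUBLIC_ID_LEN], otp[PUBLIC_ID_LEN:]


# Constructed sample: a 44-character Modhex string in the NDEF URI format.
SAMPLE_PUBLIC_ID = "vvbcdefghijk"
SAMPLE_PASSCODE = "rltnibdvghuhudubdgvtftirfjetjjeb"
SAMPLE_URI = "https://my.yubico.com/yk/#" + SAMPLE_PUBLIC_ID + SAMPLE_PASSCODE

if __name__ == "__main__":
    public_id, passcode = split_otp(otp_from_ndef_uri(SAMPLE_URI))
    print("public id:", public_id, "->", modhex_decode(public_id).hex())
    print("passcode bytes:", len(modhex_decode(passcode)))
```

The 32-character passcode decodes to 16 bytes, which is the block a validation server then decrypts with the per-key AES secret; that step is outside what this manual describes.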

Static Password

A static password can be programmed to the YubiKey so that it will type the password for you when the metal contact is touched. For managing multiple passwords, see the password managers that the YubiKey can secure with 2FA.

HMAC-SHA1 Challenge-Response

An HMAC-SHA1 Challenge-Response credential enables software to send a challenge to the YubiKey and verify that an expected, predetermined response is returned. This credential can also be set to require a touch on the metal contact before the response is sent to the requesting software. This type of credential must be activated by the software sending the challenge, and cannot be activated by touching the metal contact on the YubiKey. This type of credential is most often used for offline authentication, as it does not require contacting a server for validation. As the Challenge-Response function requires two-way communication with the YubiKey, using this feature on iOS requires the Yubico iOS SDK.

OATH-HOTP

When an OATH-HOTP credential is programmed, the OTP is generated using the standard RFC 4226 HOTP algorithm and the YubiKey will automatically type the OTP. Optionally, the OTP can be prefixed by a public identity, conforming to the openauthentication.org Token Identifier Specification.
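The following is an added example, not Yubico's code, covering the verifying side of the two HMAC-SHA1 credential types described above (Challenge-Response and OATH-HOTP). SimulatedKey is a stand-in for the YubiKey slot, answering a challenge with HMAC-SHA1 of the challenge under the slot secret; all secrets, counters and challenges are constructed for the example.

```python
"""Added example, not Yubico's code: the verifying side of the two
HMAC-SHA1 credential types described above. SimulatedKey stands in for
the YubiKey slot (its response is HMAC-SHA1 of the challenge under the
slot secret); secrets, counters and challenges are constructed here."""
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, stored_counter: int, code: str, window: int = 10):
    """Check a typed HOTP against the server-side counter, accepting up to
    `window` codes the key may have emitted without being submitted.
    Returns the counter to store next on success, None on failure. Values
    at or below the stored counter are never tried, so a replayed OTP fails."""
    for c in range(stored_counter, stored_counter + window):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


class SimulatedKey:
    """Stand-in for the HMAC-SHA1 challenge-response slot: the key holds the
    secret and answers a challenge with HMAC-SHA1(secret, challenge)."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def enroll(key: SimulatedKey, challenge_len: int = 32) -> dict:
    """Offline enrollment: pick a random challenge and record the response the
    key gives now. The verifier stores only this pair, never the slot secret."""
    challenge = os.urandom(challenge_len)
    return {"challenge": challenge, "expected": key.respond(challenge)}


def authenticate_offline(state: dict, key: SimulatedKey) -> bool:
    """Send the stored challenge, compare the reply in constant time, and on
    success rotate to a fresh challenge so a captured reply is single-use."""
    if not hmac.compare_digest(key.respond(state["challenge"]), state["expected"]):
        return False
    state.update(enroll(key))
    return True


if __name__ == "__main__":
    # RFC 4226 Appendix D test secret; counters 0 and 1 give 755224 and 287082.
    print(hotp(b"12345678901234567890", 0), hotp(b"12345678901234567890", 1))
    key = SimulatedKey(os.urandom(20))
    record = enroll(key)
    print("offline login:", authenticate_offline(record, key))
```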

FIDO U2F

FIDO U2F is an open standard that provides strong, phishing-resistant two-factor authentication for web services using public key cryptography. U2F does not require any special drivers or configuration to use, just a compatible web browser. The U2F application on the YubiKey can be associated with an unlimited number of U2F sites. Using the U2F functions on iOS requires the Yubico iOS SDK.

FIDO2

Like FIDO U2F, the FIDO2 standard offers the same high level of security, as it is based on public key cryptography. In addition to providing phishing-resistant two-factor authentication, the FIDO2 application on the YubiKey allows for the storage of resident credentials. As the resident credentials can store the username and other data, this allows for truly passwordless authentication. YubiKey 5 Series devices can hold up to 25 resident keys. If RSA keys are used, at most three of the resident keys can be RSA; the rest must be ECC. Using the FIDO2 functions on iOS requires the Yubico iOS SDK, as well as a CTAP2 and WebAuthn framework.

The resident credentials can be left unlocked and used for strong single-factor authentication, or they can be protected by a PIN for two-factor authentication. The FIDO2 PIN can be between 4 and 128 characters in length. Once a FIDO2 PIN is set, it can be changed but it cannot be removed without resetting the FIDO2 application. If the PIN is entered incorrectly 8 times in a row, the FIDO2 application will be locked, and FIDO2 authentication will not be possible. In order to restore this functionality, the FIDO2 application must be reset. 

Note: Resetting the FIDO2 application will also reset the U2F key. No site you have registered the YubiKey with using U2F will work until the YubiKey is re-registered with that site.

Note: The YubiKey 5Ci supports Credential Management to allow for selective deletion of Resident keys. See the guide to the Enhancements to FIDO 2 Support for details.

Default Values

PIN: None set.

AAGUID Values

The FIDO2 specification states that an AAGUID must be provided during attestation. An AAGUID is a 128-bit identifier indicating the type of the authenticator. Authenticators with the same capabilities and firmware, such as the YubiKey 5 series devices without NFC, can share the same AAGUID.

Device           AAGUID
YubiKey 5 NFC    fa2b99dc-9e39-4257-8f92-4a30d23c4118
YubiKey 5 Nano   cb69481e-8ff7-4039-93ec-0a2729a154a8
YubiKey 5C       cb69481e-8ff7-4039-93ec-0a2729a154a8
YubiKey 5C Nano  cb69481e-8ff7-4039-93ec-0a2729a154a8
YubiKey 5Ci      c5ef55ff-ad9a-4b9f-b580-adebafe026d0

Supported Extensions

The YubiKey 5 Series only supports the AppID extension (appid) as defined by the W3C Web Authentication API specification. This extension allows U2F credentials registered using the legacy FIDO JavaScript APIs to be used with WebAuthn. In practice, that means that if you register a YubiKey 5 Series device on a website that uses U2F and later upgrades to FIDO2, previously registered U2F credentials will continue to work on the website.

Smart Card (PIV Compatible)

The YubiKey 5 Series provides a PIV-compatible smart card application. PIV, or FIPS 201, is a US government standard. It enables RSA or ECC sign/encrypt operations using a private key stored on a smart card through common interfaces like PKCS#11. On Windows, the smart card functionality can be extended with the YubiKey Smart Card Minidriver. The YubiKey Smart Card Minidriver is not available for Android, Linux, macOS or iOS.

YubiKey 5 Series devices support extended APDUs, extended answer to reset (ATR), and answer to select (ATS). Using the PIV APDUs on iOS requires the Yubico iOS SDK.

Default Values

  • PIN: 123456
  • PUK: 12345678
  • Management Key (3DES): 010203040506070801020304050607080102030405060708

Supported Algorithms

The YubiKey 5 Series supports the following algorithms on the smart card application.

  • RSA 1024
  • RSA 2048
  • ECC P-256
  • ECC P-384

Policies

PIN Policy
To specify how often the PIN needs to be entered for access to the credential in a given slot, set a PIN policy for that slot. This policy must be set upon key generation or importation and cannot be changed later.

Touch Policy
In addition to requiring the PIN, the YubiKey can require a physical touch on the metal contact. Similar to the PIN policy, the touch policy must be set upon key generation or importation.

Slot Information

The keys and certificates for the smart card application are stored in slots, which are described below. The PIN policies described below are the defaults, before they are overridden with a custom PIN policy. These slots are separate from the programmable slots in the OTP application.

Slot 9a: PIV Authentication
This certificate and its associated private key are used to authenticate the card and the cardholder. This slot is used for things like system login. The end user PIN is required to perform any private key operations. Once the correct PIN has been provided, multiple private key operations may be performed without additional cardholder consent.

Slot 9c: Digital Signature
This certificate and its associated private key are used for digital signatures for the purpose of document, email, file, and executable signing. The end user PIN is required to perform any private key operations, and it must be submitted immediately before each sign operation to ensure cardholder participation for every digital signature generated.

Slot 9d: Key Management
This certificate and its associated private key are used for encryption for the purpose of confidentiality. This slot is used for encrypting emails or files. The end user PIN is required to perform any private key operations. Once the correct PIN has been provided, multiple private key operations may be performed without additional cardholder consent.

Slot 9e: Card Authentication
This certificate and its associated private key are used to support additional physical access applications, such as providing physical access to buildings via PIV-enabled door locks. The end user PIN is NOT required to perform private key operations for this slot.

Slots 82-95: Retired Key Management
These slots are meant to hold previously used Key Management keys, so that documents or emails encrypted earlier can still be decrypted.

Slot f9: Attestation
This slot is used only for attestation of other keys generated on the device with instruction f9. It is not cleared on reset, but it can be overwritten.

Attestation

Attestation enables you to verify that a key on the smart card application was generated on the YubiKey and was not imported. An X.509 certificate for the key to be attested is created if the key has been generated on the device. Included in the certificate are the following extensions that provide information about the YubiKey.

  • 1.3.6.1.4.1.41482.3.3: Firmware version, encoded as three bytes. For example, 050100 indicates firmware version 5.1.0.
  • 1.3.6.1.4.1.41482.3.7: Serial number of the YubiKey, encoded as an integer.
  • 1.3.6.1.4.1.41482.3.8: Two bytes, the first encoding the PIN policy and the second encoding the touch policy.  
    • PIN policy: 01 - never require PIN, 02 - require PIN once per session, 03 - always require PIN.
    • Touch policy: 01 - never require touch, 02 - always require touch, 03 - cache touch for 15 seconds.
  • 1.3.6.1.4.1.41482.3.9: YubiKey’s form factor, encoded as a one-byte octet-string.  
    • USB-A Keychain: 0x01
    • USB-A Nano: 0x02
    • USB-C Keychain: 0x03
    • USB-C Nano: 0x04
    • USB-C and Lightning: 0x05
    • Undefined: 0x00
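The following is an added example, not Yubico's tooling: it decodes the four YubiKey-specific extensions listed above from a PIV attestation certificate and gates key enrollment on the attested PIN and touch policies. Extension values are passed in as raw bytes keyed by OID, the sample values are constructed, and decoding the serial number as a DER INTEGER (tag 0x02) is an assumption of this example.

```python
"""Added example, not Yubico's tooling: decode the four YubiKey-specific
extensions listed above from a PIV attestation certificate and gate key
enrollment on the attested policies. Extension values are passed in as
raw bytes keyed by OID; the sample values are constructed. Decoding the
serial number as a DER INTEGER (tag 0x02) is an assumption of this example."""
from typing import Dict, List

OID_FIRMWARE = "1.3.6.1.4.1.41482.3.3"
OID_SERIAL = "1.3.6.1.4.1.41482.3.7"
OID_POLICY = "1.3.6.1.4.1.41482.3.8"
OID_FORM_FACTOR = "1.3.6.1.4.1.41482.3.9"

# Byte values as documented above.
PIN_POLICY = {0x01: "never", 0x02: "once", 0x03: "always"}
TOUCH_POLICY = {0x01: "never", 0x02: "always", 0x03: "cached"}
FORM_FACTOR = {0x00: "Undefined", 0x01: "USB-A Keychain", 0x02: "USB-A Nano",
               0x03: "USB-C Keychain", 0x04: "USB-C Nano",
               0x05: "USB-C and Lightning"}


def der_integer(value: bytes) -> int:
    """Minimal DER INTEGER decoder (short-form length only, enough for any
    serial): tag 0x02, one length byte, big-endian two's complement body."""
    if len(value) < 3 or value[0] != 0x02 or value[1] > 0x7F \
            or value[1] != len(value) - 2:
        raise ValueError("malformed DER INTEGER")
    return int.from_bytes(value[2:], "big", signed=True)


def _fixed(exts: Dict[str, bytes], oid: str, length: int) -> bytes:
    """Fetch an extension and insist on the documented fixed length."""
    value = exts[oid]
    if len(value) != length:
        raise ValueError("extension %s must be %d byte(s)" % (oid, length))
    return value


def parse_attestation_extensions(exts: Dict[str, bytes]) -> dict:
    """Turn the raw extension values into the fields described above."""
    fw = _fixed(exts, OID_FIRMWARE, 3)
    pin_byte, touch_byte = _fixed(exts, OID_POLICY, 2)
    form = _fixed(exts, OID_FORM_FACTOR, 1)[0]
    return {
        "firmware": "%d.%d.%d" % (fw[0], fw[1], fw[2]),
        "serial": der_integer(exts[OID_SERIAL]),
        "pin_policy": PIN_POLICY.get(pin_byte, "unknown(0x%02x)" % pin_byte),
        "touch_policy": TOUCH_POLICY.get(touch_byte, "unknown(0x%02x)" % touch_byte),
        "form_factor": FORM_FACTOR.get(form, "unknown(0x%02x)" % form),
    }


def policy_violations(info: dict, allowed_pin=("once", "always"),
                      allowed_touch=("always", "cached")) -> List[str]:
    """Enrollment gate: list every attested policy weaker than the deployment
    allows. An empty list means the on-device-generated key may be accepted."""
    problems = []
    if info["pin_policy"] not in allowed_pin:
        problems.append("PIN policy is %s" % info["pin_policy"])
    if info["touch_policy"] not in allowed_touch:
        problems.append("touch policy is %s" % info["touch_policy"])
    return problems


# Constructed sample values: firmware 5.1.0, serial 0x123456, PIN always,
# touch always, USB-C and Lightning form factor.
SAMPLE_EXTS = {
    OID_FIRMWARE: b"\x05\x01\x00",
    OID_SERIAL: b"\x02\x03\x12\x34\x56",
    OID_POLICY: b"\x03\x02",
    OID_FORM_FACTOR: b"\x05",
}

if __name__ == "__main__":
    info = parse_attestation_extensions(SAMPLE_EXTS)
    print(info, policy_violations(info) or "policy OK")
```

With the cryptography package, the raw bytes for each OID are the `.value.value` of the UnrecognizedExtension on the attestation certificate; the certificate's chain to the PIV attestation root must be validated before any of these fields are trusted.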

Changes

Answer to Reset (ATR) and Answer to Select (ATS)
The ATR has been changed from “Yubikey 4” to “YubiKey” and adds support for ATS.

PIV Attestation Root CA
The YubiKey 5 Series devices have a PIV attestation root certificate authority different from the one previous YubiKeys had. You can download the certificate of the new root certificate authority on the PIV attestation page.

OATH

The OATH application can store up to 32 OATH credentials, either OATH-TOTP (time based) or OATH-HOTP (counter based). These credentials are separate from those stored in the OTP application, and can only be accessed via the CCID channel. In order to manage these credentials and read the OTPs generated by the YubiKey, the Yubico Authenticator software is needed. Currently, the Yubico Authenticator is supported on Windows, Linux, macOS and Android, but not iOS. In order to restrict access to the OTPs, a password can be set for this application. Using the OATH application functions on iOS requires the Yubico iOS SDK.

OpenPGP

The OpenPGP application provides an OpenPGP compatible smart card according to version 2.0 of the specification. This can be used with compatible PGP software such as GnuPG (GPG) and can store one PGP key each for authentication, signing, and encryption. Similar to the PIV / Smart Card touch policy, the OpenPGP application can also be set to require the metal contact be touched to authorize an operation. Using the OpenPGP functions on iOS requires the Yubico iOS SDK.

Note: The YubiKey 5Ci supports the new OpenPGP Smart Card specification version 3.4.  For details on the new features, including key attestation, expanded encryption algorithms and additional cardholder certificates, refer to the guide Enhancements to OpenPGP Support.


Default Values

  • PIN: 123456
  • Admin PIN: 12345678

Supported Algorithms

  • RSA 1024
  • RSA 2048
  • RSA 3072
  • RSA 4096

Note: RSA 3072 and RSA 4096 require GnuPG version 2.0 or higher.

Managing the Enabled Applications

YubiKey Manager can be used to check which applications are enabled on which interface and to enable or disable each application on each physical interface. To check which applications are enabled, open YubiKey Manager and click Interfaces. To change which applications are enabled, use the checkboxes to select the ones you want enabled and click Save Interfaces.

For the YubiKey 5Ci, any modifications made to the applications over the USB interface will also apply to the applications on the Lightning connector.

Once the desired applications have been selected, a lock code can be set to prevent changes to the set of enabled applications. This is done using the YubiKey Manager command line interface command ykman config set-lock-code. The lock code is 16 bytes presented as 32 hex characters.

Software

YubiKey Manager

YubiKey Manager is used to configure all aspects of the YubiKey 5 Series devices. It has both a graphical interface and a command line interface. It is open source, cross-platform, and runs on Windows, macOS, and Linux. Some of the more advanced options are only available through the command line.

Graphical Interface

The graphical interface of YubiKey Manager provides an easy-to-use method of performing basic configuration tasks of the YubiKey 5 Series, including:

  • Display information about the YubiKey(s) connected to the computer.
  • Enable or disable applications per physical interface.
  • Set or change the FIDO2 PIN, as well as reset the FIDO application.
  • Manage the credentials in the OTP application.

Command Line Interface

The command line interface of YubiKey Manager is accessed by running the ykman command. Using ykman, you can do everything that the graphical interface can and more. This includes, but is not limited to:

  • Enable or disable applications and prevent unauthorized changes by setting a lock code.
  • Manage the credentials in the PIV / Smart Card application, and reset it.
  • Manage and generate OTPs from the credentials in the OATH application, and reset the application.
  • Reset the OpenPGP application and set the OpenPGP touch policy.

For usage information and examples for ykman, see the YubiKey Manager CLI User Manual.

Yubico Authenticator

Yubico Authenticator is used to manage credentials on the OATH application and display the OTPs generated by the YubiKey. Yubico Authenticator is required in order to generate OTPs for OATH-TOTP credentials as the YubiKey does not contain a battery and thus cannot track time. It is open source, cross-platform, and runs on Windows, macOS, Linux, and Android. The Android version of Yubico Authenticator can communicate with YubiKeys over NFC or USB.

YubiKey Smart Card Minidriver

The YubiKey Smart Card Minidriver extends the PIV / Smart Card application on the YubiKey on Windows, allowing for easier deployment and management. Key benefits include:

  • Enrollment of the YubiKey using standard Windows utilities.
  • Auto-enrollment, enabling user self-provisioning of a YubiKey and automatic renewal.
  • Multiple authentication certificates on one YubiKey.
  • Changing of the PIN from the Ctrl+Alt+Del menu.
  • Unblocking of the PIN using the PUK at the Windows logon screen.

To get started with the YubiKey Smart Card Minidriver, see the deployment guide.

Note: Version 4.0 or newer of the minidriver is required for use with YubiKey 5 Series devices.

Troubleshooting

If you run into any issues with a YubiKey 5 Series device, refer to the Knowledge Base and search for your issue. If your issue is not listed in the Knowledge Base, or if you have any technical questions, you can open a ticket with our Technical Support team.

