The YubiKey 5 Series security keys, supported by the Yubi Platform, offer strong authentication with support for multiple protocols, including FIDO2, which is the new standard that enables the replacement of password-based authentication. The YubiKey strengthens security by replacing passwords with strong hardware-based authentication using public key cryptography.
All devices in the YubiKey 5 Series support FIDO2, enabling secure passwordless authentication on sites and applications that support the protocol.
The YubiKey 5 NFC brings NFC capabilities to the YubiKey 5 Series. All of the applications, including FIDO2, are available over NFC, expanding the options for quick tap-n-go authentication across desktops, laptops, and mobile devices. This makes the YubiKey 5 NFC an ideal upgrade for the YubiKey NEO, which lacked some features such as ECC PIV certificates, larger PIV certificates, RSA 4096 for OpenPGP keys, and the ability to require a touch for PIV and OpenPGP operations.
The YubiKey 5 Series devices can report their form factor via the PIV application, as well as whether or not they have an NFC interface. This enables easier, programmatic identification of the physical attributes of the YubiKey. For more information about how to query this information, see the YubiKey 5 Series Configuration Reference Guide.
|YubiKey 5 NFC||YubiKey 5 Nano||YubiKey 5C||YubiKey 5C Nano|
|Dimensions||18mm x 45mm x 3.3mm||12mm x 13mm x 3.1mm||12.5mm x 29.5mm x 5mm||12mm x 10.1mm x 7mm|
|Physical Interfaces||USB, NFC||USB||USB||USB|
|Operating Temperatures||0 °C to 40 °C (32 °F to 104 °F)||0 °C to 40 °C (32 °F to 104 °F)||0 °C to 40 °C (32 °F to 104 °F)||0 °C to 40 °C (32 °F to 104 °F)|
|Storage Temperatures||-20 °C to 85 °C (-4 °F to 185 °F)||-20 °C to 85 °C (-4 °F to 185 °F)||-20 °C to 85 °C (-4 °F to 185 °F)||-20 °C to 85 °C (-4 °F to 185 °F)|
Understanding the Physical Interfaces
Physical interfaces are the ways that a computer, phone, or other device can connect with the YubiKey in order to communicate with it.
All of the models in the YubiKey 5 Series provide a USB 2.0 interface, regardless of the form factor of the USB connector. The YubiKey will present itself as a USB composite device in addition to each individual USB interface.
The USB PID and iProduct string will change depending on which of the USB interfaces enabled and are described in the table below. Yubico’s USB vendor ID (VID) is 0x1050.
|USB Interfaces||PID||iProduct String|
|OTP, FIDO||0x0403||YubiKey OTP+FIDO|
|OTP, CCID||0x0405||YubiKey OTP+CCID|
|FIDO, CCID||0x0406||YubiKey FIDO+CCID|
|OTP, FIDO, CCID||0x0407||YubiKey OTP+FIDO+CCID|
The OTP interface is enabled when the OTP application is enabled over USB. The FIDO interface is enabled when the U2F or FIDO2 applications are enabled over USB. The CCID interface is enabled when the PIV, OATH or OpenPGP applications are enabled over USB.
In addition to USB, the YubiKey 5 NFC also provides an NFC wireless interface for additional convenience. The YubiKey 5 includes the RFID standard specific to the ISO/IEC 14443-A and ISO/IEC 14443-4 NFC format; RFID implementations not included in the listed ISO standards are not supported.
The NDEF URI has been updated to a new format; an example of the new format is provided below. The <OTP> value will be replaced with the OTP generated by the YubiKey.
For operations that require a touch, all touch requests within the first 20 seconds of the operation will succeed. After a period of inactivity, a YubiKey placed on a desktop NFC reader may power down to help prevent unintended access to the device. To regain connectivity with an NFC reader, remove the YubiKey from the reader and reposition it on the reader. Some NFC readers may power cycle and in doing so, prevent the device from powering down.
Understanding the USB Interfaces
USB Interfaces are the different channels that software can use to communicate with the YubiKey when it is connected via USB. Each interface enables a specific set of applications on the YubiKey; if an interface is disabled, none of the applications that use that interface will be available. Note: With previous YubiKeys and older Yubico software, the USB Interfaces were referred to as “modes” and the FIDO interface was called the U2F mode.
The OTP interface presents itself to the operating system as a USB keyboard. The OTP application is accessible over this interface. Output is sent as a series of keystrokes from a virtual keyboard. This allows for OTP to be used in any environment which can accept standard keyboard input.
The CCID interface provides communication for the PIV / Smart Card, OATH (HOTP and TOTP), and OpenPGP applications. The YubiKey presents itself to the operating system as a USB smart card reader. Each of the applications presents itself as a separate smart card attached to that reader.
Understanding the Applications
The YubiKey 5 Series provides six applications for a wide variety of authentication options: OTP, U2F, FIDO2, Smart Card, OATH, and OpenPGP. The applications are all separate from each other, with separate storage for keys and credentials.
Each application can be enabled and disabled independently per physical interface. For example, on the YubiKey 5 NFC, the FIDO2 application can be enabled over USB, but disabled over NFC. Optionally, a lock code can be set that prevents unauthorized changes to which applications are enabled or disabled. Reviewing and changing the application interfaces may be done using the YubiKey Manager.
The OTP application provides two programmable slots, each of which can hold one of the types of credentials listed below. A Yubico OTP credential is programmed to slot one during manufacturing so that the YubiKey is ready to use with many popular services that use this feature. The credential in the first slot is accessed by a short touch on the metal contact of the YubiKey; the second slot is accessed by a long touch of 3 seconds (if programmed).
Yubico OTP is a simple yet strong authentication mechanism that is supported by all YubiKeys (except Security Keys) out-of-the-box. Yubico OTP can be used as the second factor in a two-factor authentication (2FA) scheme or on its own, providing single-factor authentication.
The OTP generated by the YubiKey is two parts, with the first 12 characters being the public identity which a validation server can link to a user, while the remaining 32 characters are the unique passcode that is changed each time an OTP is generated.
The character representation of the Yubico OTP may look a bit strange at first sight but is designed to cope with various keyboard layouts causing potential ambiguities when decoded. USB keyboards send their keystrokes by the means of “scan codes” rather than the actual character representation. The translation to keystrokes is done by the computer. For the YubiKey, it is crucial that the same code is generated if it is inserted in a German computer with a QWERTZ layout, a French one with an AZERTY layout, or a US one with a QWERTY layout. The “Modhex”, or Modified Hexadecimal coding, was invented by Yubico to use only specific characters to ensure that the YubiKey works out-of-the-box with the maximum number of keyboard layouts.
A static password can be programmed to the YubiKey so that it will type the password for you when the metal contact is touched. For managing multiple passwords, see the password managers that the YubiKey can secure with 2FA.
A HMAC-SHA1 Challenge-Response credential enables software to send a challenge to the YubiKey and verify that an expected, predetermined response is returned. This credential can also be set to require a touch on the metal contact before the response is sent to the requesting software. This type of credential must be activated by the software sending the challenge, and cannot be activated by touching the metal contact on the YubiKey. This type of credential is most often used for offline authentication, as it does not require contacting a server for validation.
When a OATH-HOTP credential is programmed, the OTP is generated using the standard RFC 4226 HOTP algorithm and the YubiKey will automatically type the OTP. Optionally, the OTP can be prefixed by a public identity, conforming to the openauthentication.org Token Identifier Specification.
U2F is an open standard that provides strong, phishing resistant two-factor authentication for web services using public key cryptography. U2F does not require any special drivers or configuration to use, just a compatible web browser. The U2F application on the YubiKey can be associated with an unlimited number of U2F sites.
Like FIDO U2F, the FIDO2 standard offers the same high level of security, as it is based on public key cryptography. In addition to providing phishing resistant two-factor authentication, the FIDO2 application on the YubiKey allows for the storage of resident credentials. As the resident credentials can store the username and other data, this allows for truly passwordless authentication. YubiKey 5 Series devices can hold up to 25 resident keys. If RSA keys are used, there is a maximum of three RSA with the rest being ECC.
The resident credentials can be left unlocked and used for strong single-factor authentication, or they can be protected by a PIN for two-factor authentication. The FIDO2 PIN can be between 4 and 128 characters in length. Once a FIDO2 PIN is set, it can be changed but it cannot be removed without resetting the FIDO2 application. If the PIN is entered incorrectly 8 times in a row, the FIDO2 application will become locked, and FIDO2 authentication will not be possible. In order to restore this functionality, the FIDO2 application must be reset.
Note: Resetting the FIDO2 application will also reset the U2F key. No site you have registered the YubiKey with using U2F will work until the YubiKey is re-registered with that site.
PIN: None set.
The FIDO2 specification states that an AAGUID must be provided during attestation. An AAGUID is a 128-bit identifier indicating the type of the authenticator. Authenticators with the same capabilities and firmware, such as the YubiKey 5 series devices without NFC, can share the same AAGUID.
|YubiKey 5 NFC||fa2b99dc-9e39-4257-8f92-4a30d23c4118|
|YubiKey 5 Nano||cb69481e-8ff7-4039-93ec-0a2729a154a8|
|YubiKey 5C Nano||cb69481e-8ff7-4039-93ec-0a2729a154a8|
Smart Card (PIV Compatible)
The YubiKey 5 Series provides a PIV-compatible smart card application. PIV, or FIPS 201, is a US government standard. It enables RSA or ECC sign/encrypt operations using a private key stored on a smart card through common interfaces like PKCS#11. On Windows, the smart card functionality can be extended with the YubiKey Smart Card Minidriver.
YubiKey 5 Series devices support extended APDUs, extended answer to reset (ATR), and answer to select (ATS).
- PIN: 123456
- PUK: 12345678
- Management Key (3DES): 010203040506070801020304050607080102030405060708
The YubiKey 5 Series supports the following algorithms on the smart card application.
- RSA 1024
- RSA 2048
- ECC P-256
- ECC P-384
To specify how often the PIN needs to be entered for access to the credential in a given slot, set a PIN policy for that slot. This policy must be set upon key generation or importation and cannot be changed later.
In addition to requiring the PIN, the YubiKey can require a physical touch on the metal contact. Similar to the PIN policy, the touch policy must be set upon key generation or importation.
The keys and certificates for the smart card application are stored in slots, which are described below. The PIN policies described below are the defaults, before they are overridden with a custom PIN policy. These slots are separate from the programmable slots in the OTP application.
Slot 9a: PIV Authentication
This certificate and its associated private key is used to authenticate the card and the cardholder. This slot is used for things like system login. To perform any private key operations, the end user PIN is required. Once the correct PIN has been provided, multiple private key operations may be performed without additional cardholder consent.
Slot 9c: Digital Signature
This certificate and its associated private key is used for digital signatures for the purpose of document, email, file, and executable signing. To perform any private key operations, the end user PIN is required. The PIN must be submitted immediately before each sign operation to ensure cardholder participation for every digital signature generated.
Slot 9d: Key Management
This certificate and its associated private key is used for encryption for the purpose of confidentiality. This slot is used for encrypting emails or files. The end user PIN is required to perform any private key operations. Once the correct PIN has been provided, multiple private key operations may be performed without additional cardholder consent.
Slot 9e: Card Authentication
This certificate and its associated private key is used to support additional physical access applications, such as providing physical access to buildings via PIV-enabled door locks. The end user PIN is NOT required to perform private key operations for this slot.
Slots 82-95: Retired Key Management
These slots are meant for previously used Key Management keys to be able to decrypt earlier encrypted documents or emails.
Slot f9: Attestation
This slot is only used for attestation of other keys generated on device with instruction f9. This slot is not cleared on reset, but can be overwritten.
Attestation enables you to verify that a key on the smart card application was generated on the YubiKey and was not imported. An X.509 certificate for the key to be attested is created if the key has been generated on the device. Included in the certificate are the following extensions that provide information about the YubiKey.
- 184.108.40.206.4.1.41482.3.3: Firmware version, encoded as three bytes. For example, 050100 indicates firmware version 5.1.0.
- 220.127.116.11.4.1.41482.3.7: Serial number of the YubiKey, encoded as an integer.
- 18.104.22.168.4.1.41482.3.8: Two bytes, the first encoding the PIN policy and the second encoding the touch policy.
- PIN policy: 01 - never require PIN, 02 - require PIN once per session, 03 - always require PIN.
- Touch policy: 01 - never require touch, 02 - always require touch, 03 - cache touch for 15 seconds.
- 22.214.171.124.4.1.41482.3.9: YubiKey’s form factor, encoded as a one-byte octet-string.
- USB-A Keychain: 0x01
- USB-A Nano: 0x02
- USB-C Keychain: 0x03
- USB-C Nano: 0x04
- Undefined: 0x00
Answer to Reset (ATR) and Answer to Select (ATS)
The ATR has been changed from “Yubikey 4” to “YubiKey” and adds support for ATS.
PIV Attestation Root CA
The YubiKey 5 Series devices have a PIV attestation root certificate authority different from the one previous YubiKeys had. You can download the certificate of the new root certificate authority on the PIV attestation page.
The OATH application can store up to 32 OATH credentials, either OATH-TOTP (time based) or OATH-HOTP (counter based). In order to manage these credentials and read the OTPs generated by the YubiKey, the Yubico Authenticator software is needed. In order to restrict access to the OTPs, a password can be set for this application.
The OpenPGP application provides an OpenPGP compatible smart card according to version 2.0 of the specification. This can be used with compatible PGP software such as GnuPG (GPG) and can store one PGP key each for authentication, signing, and encryption. Similar to the PIV / Smart Card touch policy, the OpenPGP application can also be set to require the metal contact be touched to authorize an operation.
- PIN: 123456
- Admin PIN: 12345678
- RSA 1024
- RSA 2048
- RSA 3072
- RSA 4096
Note: RSA 3072 and RSA 4096 require GnuPG version 2.0 or higher.
Managing the Enabled Applications
YubiKey Manager can be used to check which applications are enabled on which interface and to enable or disable each application on each physical interface. To check which applications are enabled, open YubiKey Manager and click on Interfaces. To change which applications are enabled, use the checkboxes to select the ones you want enabled and click the Save Interfaces button.
Once the desired applications have been selected, a lock code can be set to prevent changes to the set of enabled applications. This is done using the YubiKey Manager command line interface command ykman config set-lock-code. The lock code is 16 bytes presented as 32 hex characters.
YubiKey Manager is used to configure all aspects of the YubiKey 5 Series devices. It has both a graphical interface and a command line interface. It is open source, cross-platform, and runs on Windows, macOS, and Linux. Some of the more advanced options are only available through the command line.
The graphical interface of YubiKey Manager provides an easy-to-use method of performing basic configuration tasks of the YubiKey 5 Series, including:
- Display information about the YubiKey(s) connected to the computer.
- Enable or disable applications per physical interface.
- Set or change the FIDO2 PIN, as well as reset the FIDO application.
- Manage the credentials in the OTP application.
Command Line Interface
The command line interface of YubiKey Manager is accessed by running the ykman command. Using ykman, you can do everything that the graphical interface can and more. This includes, but is not limited to:
- Enable or disable applications and prevent unauthorized changes by setting a lock code.
- Manage the credentials in the PIV / Smart Card application, and reset it.
- Manage and generate OTPs from the credentials in the OATH application, and reset the application.
- Reset the OpenPGP application and set the OpenPGP touch policy.
For usage information and examples for ykman, see the YubiKey Manager CLI User Manual.
Yubico Authenticator is used to manage credentials on the OATH application and display the OTPs generated by the YubiKey. Yubico Authenticator is required in order to generate OTPs for OATH-TOTP credentials as the YubiKey does not contain a battery and thus cannot track time. It is open source, cross-platform, and runs on Windows, macOS, Linux, and Android. The Android version of Yubico Authenticator can communicate with YubiKeys over NFC or USB.
YubiKey Smart Card Minidriver
The YubiKey Smart Card Minidriver extends the PIV / Smart Card application on the YubiKey on Windows, allowing for easier deployment and management. Key benefits include:
- Enrollment of the YubiKey using standard Windows utilities.
- Auto-enrollment, enabling user self-provisioning of a YubiKey and automatic renewal.
- Multiple authentication certificates on one YubiKey.
- Changing of the PIN from the Ctrl+Alt+Del menu.
- Unblocking of the PIN using the PUK at the Windows logon screen.
To get started with the YubiKey Smart Card Minidriver, see the deployment guide.
Note: Version 4.0 or newer of the minidriver is required for use with YubiKey 5 Series devices.
If you run into any issues with a YubiKey 5 Series device, refer to the Knowledge Base and search for your issue. If your issue is not listed in the Knowledge Base, or if you have any technical questions, you can open a ticket with our Technical Support team.