A YubiKey is a hardware security device that provides two-factor authentication (2FA) by generating a one-time password or using public-key cryptography, enhancing the security of online accounts and sensitive data. It is used to protect against phishing and unauthorized access.
YubiKey and 2FA
But many forms of 2FA are cumbersome and error-prone. Receiving a code via email or SMS fails if the recipient loses access to their email account or changes their phone number. Using an authenticator app means retrieving a code and manually entering it in—a process prone to human error. A YubiKey is a better way.
YubiKeys are physical devices that support various forms of two-factor authentication, simplifying and streamlining security. Below, we’ll explore the different types of two-factor authentication, explain how a YubiKey works and why it’s better than other methods, and walk you through how to set one up so you can experience 2FA that’s more convenient and more secure.
What is two-factor authentication?
Two-factor authentication (2FA) is a way of securing digital accounts that adds another layer of security on top of a traditional password.
Passwords don’t work well on their own, because simple ones are easy for hackers to guess, and long and complicated ones are too hard for anyone to remember. Even if you use a good password manager and make all your passwords long and complex, passwords are moot once they’ve been leaked—and in the digital age, leaks are pretty much inevitable.
2FA operates on the principle of dual verification: Users have to provide two distinct forms of identification before access is granted. The first one is your password, and the second one varies depending on what type of 2FA you use. 2FA significantly enhances security by combining something you know (your password) with something you have (like a mobile device or a physical token), making unauthorized access considerably more challenging. While 2FA is more secure than a traditional password, it’s not as secure as multi-factor authentication (MFA)—2FA requires users to present two types of authentication, while MFA requires users to present at least two.
Types of two-factor authentication
There are many different factors of 2FA. Some are more secure than others.
SMS or email codes
One of the most common forms of 2FA involves sending a unique, time-sensitive code to the user's SMS or email after they enter their password. While this method is widely used due to its convenience, it can be vulnerable to interception through techniques like SIM swapping or email breaches, so it isn’t the most secure.
Authentication apps
Authentication applications, such as Google Authenticator or Authy, generate ephemeral codes that expire after a short duration, typically 30 seconds. This method requires the user to possess the specific device on which the app is installed, which substantially reduces the risk of interception since the codes are generated offline and are accessible only to the device holder.
Hardware authentication devices
The most secure form of 2FA includes hardware authentication devices, like YubiKey. These physical tokens are used in conjunction with a password, requiring the user to connect the device to a computer or use near-field communication (NFC) technology for access. This method is highly secure because it requires the user to physically possess the token, effectively mitigating risks associated with intercepting digital codes or messages.
How does a YubiKey work?
A YubiKey is a small hardware device that connects to a computer or mobile device (some models do so via a USB port, while some models support wireless connectivity via Near Field Communication). Every YubiKey is manufactured with a distinct identity it gets from cryptographic keys embedded in its firmware during production. When you purchase and set up a YubiKey, you link its unique identity to your accounts and services that support YubiKey authentication.
Then, when you attempt to access any of those accounts or services, the system will prompt for the YubiKey. You insert the YubiKey into a USB-A or USB-C port or tap it against an NFC-enabled device. YubiKeys support multiple different security protocols; the exact ones depend on the model of YubiKey you use. One example is one-time passwords, which are supported by most YubiKey models.
When using the OTP protocol, the YubiKey generates a one-time password (OTP), based on its unique identity each time it’s inserted or tapped against a device. The OTP is time-limited and is not stored or transferred. The YubiKey delivers it to the device through a simulated keyboard input or wireless communication, mimicking the keystrokes of the OTP to make sure it reaches the input field without compromising security. The server or application receiving the OTP decrypts it using secret keys stored both in its own databases and in the YubiKey. YubiKey’s method of generating, transferring, encrypting, and authenticating its OTPs uses industry-standard public-key cryptography.
This process ensures that even if a password is compromised, unauthorized access is impossible without physical possession of the YubiKey.
What is a YubiKey used for?
By offering a tangible, nearly foolproof method of authentication, the YubiKey not only simplifies the user experience but also elevates the security posture of individuals and organizations alike. Here are some of the common ways YubiKeys are used:
- Passwordless authentication: A YubiKey allows users to securely log in to their online accounts without the need for a password, relying solely on the physical YubiKey. This not only simplifies the login process but also significantly reduces the risk of password-related breaches.
- Multi-factor authentication: Sometimes you need even more security than just two-factor authentication. For environments requiring even higher security, the YubiKey can be part of a multi-factor authentication (MFA) strategy. This involves combining something you know (a password), something you have (the YubiKey), and sometimes something you are (biometrics), offering an even more robust defense against unauthorized access.
- Secure remote access: With the rise of remote work, more and more companies need a way to offer secure access to corporate networks and sensitive data. The YubiKey facilitates secure remote access by serving as a physical key to VPNs, remote desktops, and other remote access services. Using a YubiKey ensures that only authorized users, possessing the physical device, can gain access, thereby enhancing the security of remote work environments.
- Identity verification: A YubiKey can be used for a variety of identity verification purposes, from signing digital documents to authenticating identities for online services, ensuring that actions taken are securely tied to the actual user. In online transactions and digital interactions where verifying the identity of a user is crucial, a YubiKey adds a much-needed layer of security.
- Software development and code signing: Developers use YubiKeys to sign their code, verifying their identity and ensuring that the code has not been tampered with since it was signed. This helps maintain the integrity of software projects and protects against malicious code injections.
- Compliance and regulatory requirements: Many industries are subject to regulatory requirements that mandate strong authentication measures to protect sensitive data. YubiKeys help organizations comply with regulations such as GDPR, HIPAA, and FIDO standards, by providing a secure authentication mechanism that can be audited and verified.
What makes a YubiKey different from other 2FA methods?
What sets YubiKey apart from other two-factor authentication methods lies in its combination of convenience, security, and physicality. Unlike SMS or email codes that can be intercepted or fall victim to SIM swapping and account takeovers, the YubiKey's physical nature requires actual possession to use, significantly elevating its security profile. Moreover, unlike authentication apps that generate time-sensitive codes, the YubiKey does not rely on a battery or network connectivity, making it more reliable and user-friendly in a wider range of situations.
Another key advantage is its resistance to phishing attacks. Because the YubiKey communicates directly with the service it's securing, it's immune to counterfeit websites or other phishing schemes designed to capture 2FA codes.
YubiKey supports various authentication protocols, including OTP, Universal 2nd Factor (U2F), FIDO U2F, FIDO2, and more, which makes it a versatile solution compatible with many different online services and applications, from email and cloud storage to online banking and beyond.
Types of YubiKeys
YubiKey, developed by Yubico, comes in various models, each designed to cater to different needs and preferences in terms of connectivity, functionality, and form factor. There are other types of 2FA hardware, but YubiKeys are the best known.
Here’s a brief overview of the types of YubiKeys currently available:
The YubiKey 5 Series
This is Yubico’s flagship line, with products for individuals, small businesses, and enterprises. YubiKeys in the 5 Series support multiple authentication protocols, including OTP, FIDO2, WebAuthn, U2F, OpenPGP, smart cards, and more. They’re versatile and compatible with a wide range of devices, platforms, and applications.
YubiKey 5 FIPS Series
This series was designed to meet Federal Information Processing Standards (FIPS) for environments with strict security requirements. They’re suitable for governments and related industries and support multiple authentication protocols, including smart card, OTP, OpenPGP, FIDO U2F, and FIDO2/WebAuthn.
YubiKey Bio Series
YubiKey Bio Series is great for organizations seeking multi-factor authentication, since these devices incorporate biometric authentication via fingerprint recognition. They support FIDO2/WebAuthn and FIDO U2F authentication protocols, and work out-of-the-box with many operating systems and browsers, including Windows, Mac, Chrome OS, Linux, Chrome, and Edge.
YubiKey 5 CSPN Series
The YubiKey 5 CSPN (Certification de Sécurité de Premier Niveau) Series was designed to comply with French security certification standards. These YubiKeys are commonly used by the French government and related organizations that need similar, high-level security assurance. They offer multi-protocol support across FIDO2/WebAuthn, FIDO U2F, Smart Card and OTP and work across Microsoft Windows, macOS, Android, Linux, and leading browsers.
How to set up a YubiKey
Setting up your YubiKey is similar to setting up a 2FA app. Follow these steps to get started:
- Plug in your YubiKey
- Go to yubico.com/setup and choose the device you have
- Under “Compatible accounts and services,” choose the apps and accounts you want to use your YubiKey to secure and access
- Click the “Play” icon next to each selected app or account and follow the video setup instructions, or click the diagonal arrow icon to open the text instructions in a new window
The steps you will need to follow will vary depending on the app or account, your device, and which YubiKey model you have. You’ll need to enroll your security key, and you may need to give your device or browser permission to access your YubiKey.
Head to yubico.com to see the full instructions for your YubiKey model.
Frequently asked questions about YubiKey
What if I lose my YubiKey?
If you lose your YubiKey, it's important to take immediate action to maintain your account security. First, access your accounts using backup methods of authentication you've set up (such as backup codes or a secondary authentication device) and remove the lost YubiKey from your account settings. Next, register a new YubiKey with your accounts as soon as possible. It's also recommended you have a spare YubiKey configured for emergencies to make sure you have uninterrupted access to your accounts.
Can I use one YubiKey with multiple devices?
Yes, a single YubiKey can be used with multiple devices and accounts. The YubiKey doesn't store specific account information, but rather works as a key to generate one-time passwords or sign requests based on the protocol used (e.g., FIDO2, U2F). As long as the device or platform supports the YubiKey's protocols, you can use it across various services and devices.
What happens if I accidentally trigger my YubiKey?
Some older YubiKey models are designed to trigger every time they’re touched, which can cause a secure code to generate in whatever text box is open—Slack, an email draft, or even social media—and then send. The codes are generated by YubiKey’s OTP protocol.
Accidentally sending a 2FA code to your coworkers on Slack probably isn’t the worst thing—they shouldn’t be trying to hack into your accounts. But accidentally posting it on social media? That’s not great. Luckily, there are ways to change your YubiKey’s settings to avoid accidental triggers.
How do I stop accidentally triggering my YubiKey?
If you have a YubiKey model that triggers every time you touch it, you can stop that by turning off its OTP protocol—but that might prevent you from being able to use it to log into certain sites and accounts.
So a better option is to configure OTP so it doesn’t trigger unless you hold down your YubiKey for three seconds. Here’s how to do that:
- Download and install YubiKey manager on your computer
- Under “Applications,” select “OTP”
- By default, Slot 1 should have “Short Touch” in it, while Slot 2 has “Long Touch.” Click “Swap” to switch them. Now your YubiKey won’t trigger OTP unless you hold it for three seconds.
Disclaimer: Rippling and its affiliates do not provide tax, accounting, or legal advice. This material has been prepared for informational purposes only, and is not intended to provide or be relied on for tax, accounting, or legal advice. You should consult your own tax, accounting, and legal advisors before engaging in any related activities or transactions.