FAQ



What is a YubiKey?

The YubiKey is a form of two-factor authentication (2FA) that adds an extra layer of security to your online accounts. You register the YubiKey with your account; then, when you log in, you enter your login credentials (username and password) and use your YubiKey (plug it into a USB port or scan it via NFC). Both the login credentials and the YubiKey are needed at login. This physical layer of protection prevents many account takeovers that can be carried out remotely.

 

2FA is a method to confirm a user’s claimed online identity by using a combination of two different types of factors. Factors used for 2FA include something that you know (e.g. password or PIN), or something that you have (e.g. a security key or phone) or something that you are (e.g. facial recognition). To learn more about Strong Two Factor Authentication, please click here.

 

A single YubiKey has multiple functions for securing your login to email, online services, apps, computers, and even physical spaces. Use any YubiKey feature, or use them all. The versatile YubiKey requires no software installation or battery, so it is ready to use directly out of the package. Just log in to the service you want to add that extra protection to and register the Key with your account.




Which YubiKey should I buy? 

You should select your YubiKey based on the services (i.e. websites and apps) and devices you want to use the Key with. Please see this in depth guide for a walkthrough of how to select the correct YubiKey for you! 




How do I set up my YubiKey? 

Please see our setup page here for instructions or follow the guide below. 

 

The YubiKey works directly out of the package. No software or drivers need to be installed for the YubiKey to work, because it is up to the service provider to implement support for the YubiKey. The set-up instructions therefore differ from service to service. The step-by-step instructions below cover the basics of registering your YubiKey with a service that supports the protocols OTP and WebAuthn/FIDO2.

 

Please note that the initial set-up is usually easiest on a computer. We also recommend that you set up your main YubiKey and your Spare Key at the same time. Please see here for more information on Spare Keys.

 

  1. Have your YubiKey ready as well as your Spare Key. 
  2. Log in to the service (i.e. websites and apps) you want to add the YubiKey to. Make sure the service has support for security keys. 
  3. Find the account settings of the service and then look for security. From there you should be able to find an option for 2FA/MFA or adding security keys. As stated above, this process can differ between services. 
  4. Follow the instructions given by the service provider. 
  5. Register your main YubiKey and Spare Key.

You can find more tailored guides on how to set your YubiKey up via our Works with YubiKey Catalog. Search for the service you want to add an extra layer of protection to, click it and you’ll be forwarded to that specific service’s own catalog page. Here you can read more about compatibility amongst other things. Please find the green button “Get setup instructions” and you’ll receive a tailored guide on how to set the YubiKey up as 2FA provided by said service.



Where can I buy YubiKeys? 

There are several places from where you can purchase our products:



Is it important to have a Spare Key? 

Yes, we at Yubico always recommend having more than one YubiKey. This way one key can be used as a primary Key, and the other can be used as a Spare Key. The importance of having a spare Key is well established. We have them for our most valuable assets in life – our houses, our cars, our PO and safety deposit boxes, etc. Not surprisingly, we also need spare keys for our digital devices! Having a spare key gives you the assurance that if you lose your primary key, you will not be without access to critical accounts when needing them most. In other words, with a spare Key you have no need to fear being locked out of any accounts, and no need to go through a lengthy recovery and identity verification process to regain access to each account.

 

There are a few ways to register a spare Key. The process is different depending on if the service supports Yubico OTP and FIDO security protocols, or OATH-TOTP protocol.  

 

To see which security protocols the services you use support, you can check our Works with YubiKey Catalog. For any services that use Yubico OTP or FIDO security protocols, you'll just need to register the second key exactly as you registered the first. So you can follow the same setup instructions listed in the Works with YubiKey Catalog. 

 

It's important to note that keys are not linked together in any way. Instead, both keys need to be registered separately to the account, and then either can be used to authenticate with. 

 

If the service uses the OATH-TOTP protocol, meaning you use the Yubico Authenticator app to generate codes to log in, then the process is a bit different. Please see our set-up guide for this security protocol here.

 

Please note that the form factor of the Spare Key does not need to be the same as your first purchased Key. Just make sure that it supports the security protocols you need. Please use our Works with YubiKey Catalog to check the services' support for protocols and our Comparison chart.




What are the differences between YubiKey 5 series / FIPS / Security Key NFC / YubiKey BIO?

YubiKey 5 series

The YubiKey 5 series is our series with support for the most security protocols. If you are unsure which Key to get, the YubiKey 5 series could be your best choice. 

 

The 5 series YubiKeys support the following security features and protocols:
WebAuthn, FIDO2, Universal 2nd Factor (U2F), Smart card (PIV-compatible), Yubico OTP, OATH – HOTP (Event), OATH – TOTP (Time), OpenPGP, Secure Static Passwords.


(Please note that it is up to each service to determine which security protocols they want to support.)



FIPS 5 series

FIPS stands for Federal Information Processing Standard. The FIPS key is primarily used for companies working in or with regulated industries, usually federal or government agencies. FIPS is a security certification that meets strict security standards. You can learn more here.

Please note that our YubiKey 5 Series FIPS with initial firmware release version 5.4.2 does not support OpenPGP. Support for OpenPGP was added in firmware version 5.4.3.

 

The FIPS 5 series YubiKeys support the following security features and protocols:
WebAuthn, FIDO2, Universal 2nd Factor (U2F), Smart card (PIV-compatible), Yubico OTP, OATH – HOTP (Event), OATH – TOTP (Time), OpenPGP, Secure Static Passwords

 

(Please note that it is up to each service to determine which security protocols they want to support.)



Security Key NFC

The Security Key NFC only supports the protocols WebAuthn, FIDO2 and Universal 2nd Factor (U2F). It is important to note that not all services have support for Security Key NFC. Please use our Works with YubiKey Catalog to see if the services you use are compatible or not. If the Security Key NFC is not compatible with the services you want to protect you will want to select a YubiKey from the 5 series instead. Please note that it is up to each service to determine which security protocols they want to support.

 

A few other popular functions that are not supported by the Security Key NFC and instead require a YubiKey from the 5 series are:

 

 

YubiKey BIO 

The YubiKey BIO does not have NFC and only supports the protocols WebAuthn, FIDO2 and Universal 2nd Factor (U2F). It is important to note that not all services have support for the YubiKey BIO series; the YubiKey BIO works best on desktop and modern cloud-first environments. Please use our Works with YubiKey Catalog to see if the services you use are compatible or not. If the YubiKey BIO is not compatible with the services you want to protect, you will want to select a YubiKey from the 5 series instead. Please note that it is up to each service to determine which security protocols they want to support.

 

A few other popular functions that are not supported by the YubiKey BIO and instead require a YubiKey from the 5 series are:

 

 

 

Comparison

For more information about the differences between the Keys/series, please check our Comparison Chart here.




What happens if I lose my YubiKey? 

We at Yubico always recommend that you secure your account with an additional YubiKey; please see the section above named “Is it important to have a Spare Key?”. This additional YubiKey can be used as a spare key in case your primary YubiKey is misplaced or stolen. If you do not have an additional YubiKey added, it is recommended to have another form of 2FA added to your accounts.

 

If you do end up being locked out of your account, you will need to contact the service for help with account recovery.




How do I know the YubiKey works with my favourite services? 

Please use our Works with YubiKey Catalog to search for a service to see if they have issued support for YubiKeys. Please note however that the Catalog may not list all services that are compatible with our products. If the service could not be found in the Catalog, it could still support YubiKeys. Please contact the unlisted service's own support to check if they have support for the YubiKey or not.




Can I duplicate my YubiKey?

For security reasons, the firmware of our products does not allow stored secrets to be read, meaning it is not possible to “clone” a YubiKey. In general, the process of creating a backup involves manually registering the spare key with all services the first is registered with, but there are a few kinds of credentials that, if backed up at the time of programming, can be programmed into a second key at a later date (using the spare/saved copy of the credential). For more information on this, please see this article on spare keys. 


 

How do I login to my computer with a YubiKey? 

You can use a YubiKey to protect data with secure access to computers. We have a range of computer login choices for organizations and individuals. Please follow this link and from there select your preferred computer login tool for an in-depth setup guide.

 

 

 

 

What is a YubiKey PIN?

Listed below are the basics of YubiKey PINs. If you want to read more about YubiKeys and PINs, please read this article.

 

  • A YubiKey can have up to three PINs - one for its FIDO2 function, one for PIV (smart card), and one for OpenPGP.

  • The PIV and OpenPGP PINs are set to 123456 by default, but there is no FIDO2 PIN set from the factory.

  • If you are being prompted for a PIN (including setting one up), and you're not sure which PIN it is, most likely it is your YubiKey's FIDO2 PIN.

  • If you are using a blue Security Key, FIDO2 is the only PIN you will be prompted for, as the blue Security Keys do not support PIV and OpenPGP.

  • Shown below is an example of what a prompt to create a FIDO2 PIN on a YubiKey might look like in the Windows operating system.

[Image: prompt to create a FIDO2 PIN in Windows]

 

 

Can I use a YubiKey with my iPhone? 

You will be able to use iPhones 7 and newer with our Keys that have a lightning connector and NFC. Please be aware that only iPhones 7 and newer support NFC in the way that is required for use with YubiKeys. The NFC on older iPhone models only works with Apple Pay. To work with a YubiKey, the NFC must have read and write capabilities. Therefore iPhones older than the iPhone 7 are only compatible with our YubiKey 5Ci (lightning). Please note that you cannot secure the login of your iPhone with a YubiKey.  

 

 

Can I use a YubiKey with my iPad?  

Do YubiKeys work with iPads (with lightning ports)?

For iPads with a lightning port, the YubiKey 5Ci will work with everything the iPhone does. The YubiKey 5Ci will work with the Yubico authenticator app. 

 

Please keep in mind that you cannot use a lightning adapter, as the lightning connector is MFi (made for iPhone) and therefore it may not work. Adapters should work with OTP and FIDO U2F; however, we don’t recommend it.



Do YubiKeys work with iPad Pros (with USB-C)?

You should be able to use your YubiKey with any service that supports Yubico OTP on an iPad over USB-C. If you have an iPad Pro, please note that our YubiKeys are not compatible with the Yubico Authenticator because the iPad Pro does not have lightning or NFC capabilities. At this time, due to Apple’s MFi program, only lightning ports are compatible with iPads. Please note that in version 1.7.0 of the Yubico Authenticator, USB-C support was added to iPads running iPadOS 16.1.

 

In summary: You should be able to use your key with any service that uses Yubico OTP on an iPad over USB-C. For services that use WebAuthn, FIDO U2F, and FIDO2, the capability is there in iPadOS if you use the Safari browser (this leverages iPadOS' native support for WebAuthn), but note that some services may simply not give you the option to use a YubiKey if they detect you are logging in from an iPad (this is outside our control).

 

For services that support our products via authenticator apps, you should still be able to use Yubico Authenticator with a YubiKey to generate the one-time passwords, but you will not be able to do this on your iPad. You will however be able to generate the OTPs on another device, and then hand-copy them onto your iPad. Please note that you cannot secure the login of your iPad with a YubiKey. 




Do you have an Education discount?

Yes, please visit our Yubico Education page here, and fill out the form on the right hand side. You will get a coupon code sent to your email address. Note that the discount code sent will only be usable on our webstore www.yubico.com




Is my YubiKey genuine?

Please verify if your YubiKey is genuine here




Can I upgrade my firmware?

No, it is currently not possible to upgrade YubiKey firmware. To prevent attacks on the YubiKey which might compromise its security, the YubiKey does not permit its firmware to be accessed or altered. You can read more about this on the Knowledge Base article here.




What is the YubiKey’s account limit?

YubiKeys from the 5 Series support 6 different protocols for two-factor authentication, each with its own limit on the number of accounts it can be associated with. Which protocol will be used with a given account varies from service to service (website, app, etc.).

 

You can find setup instructions, as well as which protocol(s) a particular service uses, on that service's entry in the Works With YubiKey Catalog (e.g. Google Accounts). The limits for each protocol are summarized below, and are also available here.



OTP - this application can hold two credentials. However, Yubico OTP, one of the most popular kinds of credentials to put in this app, can be registered with an unlimited number of services.

 

FIDO U2F - similar to Yubico OTP, the U2F application can be registered with an unlimited number of services.

 

FIDO2 - the YubiKey 5 can hold up to 25 resident keys in its FIDO2 application.

 

OATH (Yubico Authenticator) - the YubiKey 5's OATH application can hold up to 32 OATH-TOTP credentials (AKA authenticator app codes).

 

*PIV - the YubiKey 5's PIV (smart card) application has 24 slots, each of which can hold one certificate and its corresponding private key (click here for further information).

 

*OpenPGP - the YubiKey 5's OpenPGP application can hold up to three OpenPGP private keys, one for encryption, one for signing, and one for authentication.

 

*(OpenPGP and PIV are less-commonly used than OTP, U2F, FIDO2, and OATH)




How do I use the YubiKey Manager & Yubico Authenticator?

Yubico Authenticator

The Yubico Authenticator app allows you to store your credentials on a YubiKey and not on your mobile phone, so that your secrets cannot be compromised. The Yubico Authenticator App requires a YubiKey 5 Series to generate OTP codes. More information on the Yubico Authenticator app can be found here and for information on how to use your YubiKey with authenticator codes, please see here.

 

You can download the Yubico Authenticator here



YubiKey Manager 

Use the YubiKey Manager to configure FIDO2, OTP and PIV functionality on your YubiKey on Windows, macOS, and Linux operating systems. The tool works with any currently supported YubiKey. You can also use the tool to check the type and firmware of a YubiKey. In addition, you can use the extended settings to specify other features, such as configuring a 3-second long touch.

 

You can download YubiKey Manager here




My YubiKey is not working, what should I do?

To help identify several common issues with YubiKeys, you can follow the instructions below. 

 

  1. Plug the YubiKey in and confirm the LED turns on. If not, try flipping it over as some USB ports are "upside down".
  2. Check to see how your YubiKey is being identified.
    1. Windows users check Devices and Printers in the Control Panel.
    2. macOS users check Apple Menu > About This Mac > System Report, and look under Hardware > USB.
    3. Linux users check dmesg in Terminal.
  3. If you are missing one of the USB Interfaces (OTP, U2F/FIDO, or CCID) you can use the Enabling or Disabling USB Interfaces article to enable it.
  4. Test U2F by following the Testing U2F guide.
  5. Test OTP by following the Testing Yubico OTP guide.

Please note that YubiKeys use capacitive touch sensors, so if your skin is dry, it will be harder for a touch to be detected. Lotion may help this, and you can also try applying more pressure to make sure your finger covers more of the sensor.

If these steps don't resolve your issue, consider opening a support ticket here. Please follow the instructions in the step below:



Submitting a support ticket

If your Key is not functioning correctly and you want to submit a support ticket, please include information on the steps listed below: 

 

  1. Test your YubiKey here to see if the YubiKey can authenticate with our demo page. 
  2. Screenshots of the "home" and "interfaces" tabs from the YubiKey Manager.
  3. Your running OS, browser and their versions. 
  4. Try your Key on another device (PC/Mac) and see if it works there (if possible). 
  5. Please include this extra bit of information depending on your device:

    1. Mac: Apple Menu > About This Mac > System Report > Hardware > USB, with your YubiKey inserted.
      (Whether you see YubiKey OTP+FIDO+CCID in this window will indicate whether your Mac's operating system is detecting and properly identifying your YubiKey.)
    2. Linux: An output from the command sudo lsusb -v in Terminal.
    3. Windows: A screenshot of the Settings -> Bluetooth & other devices section in Windows.




My NFC is not working 

Please follow this guide to troubleshoot your YubiKey’s NFC. 




I want to learn more!

Please visit our support page, scroll down until you see:

 

[Image: Knowledge Base]

Choose what’s best for you and click it to learn more! 



You could also visit our Blog to stay up to date on company and partner news, product tips, and industry trends.




Security protocols explained

A security protocol is a set of standards that establish a way of performing security operations, typically authentication (logging in) in the case of YubiKeys.

 

Modern YubiKeys support 6 separate functions, some with support for multiple protocols, as diagrammed below.

 

[Image: diagram of YubiKey functions and protocols]

 

Listed below are the most popular protocols used with our products, each with a short explanation.



WebAuthn

WebAuthn is a new W3C global standard for secure authentication on the Web, supported by all leading browsers and platforms. WebAuthn makes it easy to offer users a choice of authenticators to protect their accounts, including external/portable authenticators such as hardware security keys, and built-in platform authenticators such as biometric sensors.

 

Learn more about WebAuthn



FIDO2 

FIDO2 is the passwordless evolution of FIDO U2F. The overall objective for FIDO2 is to provide an extended set of functionality to cover additional use-cases, with the main driver being passwordless login flows. The U2F model is still the basis for FIDO2 and compatibility for existing U2F deployments is provided in the FIDO2 specs. 

 

Learn more about FIDO2



FIDO Universal 2nd Factor (U2F)

U2F was developed by Yubico and Google, and contributed to the FIDO Alliance after it was successfully deployed for Google employees. The protocol is designed to act as a second factor to strengthen existing username/password-based login flows. It’s built on Yubico’s invention of a scalable public-key model in which a new key pair is generated for each service and an unlimited number of services can be supported, all while maintaining full separation between them to preserve privacy.

Learn more about FIDO Universal 2nd Factor (U2F)



OATH-TOTP

OATH is an organization that specifies two open authentication standards: TOTP and HOTP. To authenticate using TOTP, the user enters a 6-8 digit code that changes every 30 seconds. The code is generated using HMAC(sharedSecret, timestamp), where the timestamp changes every 30 seconds. The shared secret is often provisioned as a QR-code or preprogrammed into a hardware security key.

 

Learn more about OATH – TOTP (Time)



Yubico OTP

Yubico OTP is a simple yet strong authentication mechanism that is supported by the YubiKey 5 Series and YubiKey FIPS Series out-of-the-box. Yubico OTP can be used as the second factor in a 2-factor authentication scheme or on its own providing strong single factor authentication.

 

Learn more about Yubico OTP