YubiKey
What is YubiKey?
YubiKeyFamily of hardware security keys from Yubico that implement FIDO2, WebAuthn, U2F, PIV smartcard, OpenPGP, and OTP for phishing-resistant authentication.
The YubiKey is a small USB, NFC, or Lightning device that stores cryptographic keys in tamper-resistant hardware and signs authentication challenges on demand. It supports multiple protocols: FIDO2/WebAuthn for passwordless and second-factor login, U2F for legacy 2FA, PIV smartcard for certificate-based authentication, OpenPGP for code signing and email, OATH-HOTP/TOTP, and Yubico OTP. Because the private key never leaves the device and authentication is origin-bound, YubiKeys defeat credential phishing, AitM proxies, and SIM-swap attacks. Google, Cloudflare, and the US federal government have publicly reported that mandatory hardware keys eliminated successful phishing of employees.
● Examples
- 01
Signing in to Google Workspace with a YubiKey 5 using FIDO2 as the only authentication factor.
- 02
Using a YubiKey in PIV mode as a CAC-equivalent smartcard.
● Frequently asked questions
What is YubiKey?
Family of hardware security keys from Yubico that implement FIDO2, WebAuthn, U2F, PIV smartcard, OpenPGP, and OTP for phishing-resistant authentication. It belongs to the Cryptography category of cybersecurity.
What does YubiKey mean?
Family of hardware security keys from Yubico that implement FIDO2, WebAuthn, U2F, PIV smartcard, OpenPGP, and OTP for phishing-resistant authentication.
How does YubiKey work?
The YubiKey is a small USB, NFC, or Lightning device that stores cryptographic keys in tamper-resistant hardware and signs authentication challenges on demand. It supports multiple protocols: FIDO2/WebAuthn for passwordless and second-factor login, U2F for legacy 2FA, PIV smartcard for certificate-based authentication, OpenPGP for code signing and email, OATH-HOTP/TOTP, and Yubico OTP. Because the private key never leaves the device and authentication is origin-bound, YubiKeys defeat credential phishing, AitM proxies, and SIM-swap attacks. Google, Cloudflare, and the US federal government have publicly reported that mandatory hardware keys eliminated successful phishing of employees.
How do you defend against YubiKey?
Defences for YubiKey typically combine technical controls and operational practices, as detailed in the full definition above.
● Related terms
- identity-access№ 414
FIDO2
An open authentication standard from the FIDO Alliance combining WebAuthn (browser API) and CTAP (authenticator protocol) to enable phishing-resistant, passwordless sign-in.
- identity-access№ 1230
WebAuthn
A W3C standard JavaScript API that allows web applications to register and authenticate users with public-key credentials stored on platform or roaming authenticators.
- identity-access№ 1185
U2F (Universal 2nd Factor)
An open authentication standard from the FIDO Alliance that adds a hardware second factor to passwords using a USB, NFC, or Bluetooth security key.
- identity-access№ 793
Passkey
A phishing-resistant FIDO2/WebAuthn credential — a device-bound or syncable asymmetric key pair that replaces passwords with a cryptographic challenge-response.
- cryptography№ 462
Hardware Token
Physical device that stores cryptographic secrets and performs authentication operations, used as a possession factor in multi-factor authentication.
- identity-access№ 708
Multi-Factor Authentication (MFA)
An authentication method that requires two or more independent factors — typically from different categories — before granting access.