How It Works
A single YubiKey has multiple functions for securing your login to email, online services, apps, computers, and even physical spaces. Use one or more YubiKey features, or use them all. The versatile YubiKey requires no software installation or battery; just plug it into a USB port and touch the button, or tap-n-go for secure authentication.
Let’s take a look at the functions a YubiKey provides:
FIDO U2F
An open authentication standard enabling strong two-factor authentication to any number of web-based applications, such as Gmail, Salesforce, Twitter and hundreds more services. It works via the browser (Chrome today, with Firefox under development) and does not require any client software or drivers. Read more about FIDO U2F.
FIDO2
The latest open authentication standard enabling expanded authentication options including two-factor, multi-factor and now passwordless authentication. With YubiKey support for FIDO2, organizations can accelerate to the passwordless future without the need for any client software or drivers. Read more about FIDO2. FIDO2 is supported on the YubiKey 5 Series and the Security Key by Yubico.
Yubico One-Time Password (OTP)
The YubiKey generates an encrypted password for one-time use. An attacker needs physical access to your YubiKey to generate the OTP. This feature is available on every YubiKey except the Security Key by Yubico.
OATH – HOTP (Event)
The YubiKey generates a six- or eight-character one-time password (OTP) for logging into any service that supports OATH-HOTP, a strong open authentication standard. The action is event-based, meaning a new one-time password is generated for each event. The OATH-HOTP feature is available on every version of YubiKey except the Security Key by Yubico.
OATH – TOTP (Time)
The YubiKey generates a six- or eight-character, time-based one-time password (OTP), in conjunction with a helper application, for logging into any service (such as Microsoft Cloud accounts, Google Apps, Dropbox, Evernote) that supports OATH-TOTP, a strong authentication standard. A new password is generated at a set time interval, typically every 30 seconds. The OATH-TOTP feature is available on every version of YubiKey except the Security Key by Yubico.
Challenge and Response (HMAC-SHA1, Yubico OTP)
The Challenge-Response method is best suited for offline validations. Use it for Windows, Mac, and Linux computer login. The Challenge-Response feature is available on every version of YubiKey except the Security Key by Yubico.
PIV-Compatible Smart Card
Smart cards contain a computer chip that brokers data exchanges. These same features are contained in the YubiKey 5 Series, based on the industry standard Personal Identity and Verification Card (PIV) interface over the CCID protocol, which supports PIV on a USB interface.
OpenPGP
In the physical world, documents and data are often validated with a signature. In the virtual world, OpenPGP provides standards-based public-key cryptography for signing, encrypting, and decrypting texts, e-mails, files, etc. The YubiKey 5 Series keys can securely hold the PGP key.
Static Passwords
A basic YubiKey feature that generates a 38-character static password compatible with any application login. It is most often used with legacy systems that cannot be retrofitted to enable other two-factor authentication schemes, such as pre-boot login. The static password feature is available on every version of YubiKey except the Security Key by Yubico.