Get Started with YubiKey

Why Buy a Security Key?
To simplify logins, I let my browser save passwords and enable two-factor authentication (2FA), such as SMS verification, for important accounts. However, SMS can be unreliable, sometimes taking over 30 seconds. A hardware security key is a better alternative.
I chose the YubiKey 5C NFC, which supports USB-C and NFC for easy use on both computers and phones. The Security Key NFC is also a good option but lacks OpenPGP support.
YubiKey 5C NFC Overview
The YubiKey 5C NFC by Yubico is a hardware security key with multiple features. I mainly use FIDO U2F, FIDO2, and OpenPGP, while Smart Card and OTP are more common in enterprise settings.
Recommended Software
- YubiKey Manager CLI – Manages YubiKey configurations.
- YubiKey Authenticator – Manages FIDO2 accounts and generates TOTP codes, similar to Microsoft/Google Authenticator.
YubiKey Usage Modes
- An application requests authentication via touch (e.g., FIDO U2F).
- Yubico software retrieves stored data (e.g., Yubico Authenticator).
- Two slots act as a keyboard for entering static passwords.
Touch Functions
- Tap once: Authorizes requests when the light is on.
- Tap and hold (1 sec): Activates Slot 1 and enters stored data.
- Tap and hold (3 sec): Activates Slot 2 and enters stored data.
Understanding the LED Indicator
- Short flashing: Indicates an application is requesting YubiKey access.
- Solid light: Indicates that YubiKey is acting as a simulated keyboard inputting stored content.
Common Use Cases
FIDO U2F
FIDO U2F is used for two-factor authentication. After linking YubiKey to a website, logging in requires a PIN and a touch. Since physical interaction is needed, it effectively prevents remote attacks. The site stores the public key, while the private key stays secure in YubiKey.
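The key split and touch requirement described above can be modeled in a few lines of Node.js. This is an added example, not code from the original post or from Yubico, and it is a simplified model rather than the real U2F message format: `makeAuthenticator`, `makeRelyingParty` and `signedData` are hypothetical names, and the `touched` flag stands in for the physical tap.

```javascript
// Simplified model of a U2F-style login. Not the real U2F/CTAP message format.
const nodeCrypto = require('crypto');

// Bytes covered by the signature: origin hash, 4-byte counter, server challenge.
function signedData(origin, counter, challenge) {
  const ctr = Buffer.alloc(4);
  ctr.writeUInt32BE(counter);
  const originHash = nodeCrypto.createHash('sha256').update(origin).digest();
  return Buffer.concat([originHash, ctr, challenge]);
}

// Stand-in for the hardware key: the private key never leaves this closure.
function makeAuthenticator() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  let counter = 0;
  return {
    register: () => publicKey.export({ type: 'spki', format: 'pem' }),
    sign(origin, challenge, touched) {
      if (!touched) throw new Error('touch required'); // no touch, no signature
      counter += 1;
      const data = signedData(origin, counter, challenge);
      return { counter, signature: nodeCrypto.sign('sha256', data, privateKey) };
    },
  };
}

// Stand-in for the website: it stores only the public key and a counter.
function makeRelyingParty(origin) {
  const users = new Map();
  return {
    enroll: (user, pem) => users.set(user, { pem, lastCounter: 0, pending: null }),
    newChallenge(user) {
      const rec = users.get(user);
      rec.pending = nodeCrypto.randomBytes(32);
      return rec.pending;
    },
    verify(user, { counter, signature }) {
      const rec = users.get(user);
      if (!rec || !rec.pending) return false;
      const challenge = rec.pending;
      rec.pending = null; // each challenge is single-use
      if (counter <= rec.lastCounter) return false; // replayed response
      const data = signedData(origin, counter, challenge);
      const ok = nodeCrypto.verify('sha256', data, rec.pem, signature);
      if (ok) rec.lastCounter = counter;
      return ok;
    },
  };
}
```

A response is accepted only when it was signed after a touch, over the site's own origin and its current challenge, with a counter higher than the last one seen.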
FIDO2
FIDO2 (WebAuthn) is an upgraded version of U2F, storing account details like URLs, usernames, and passwords. The YubiKey 5 series holds up to 25 credentials (100 on firmware 5.7+). Unused credentials can be deleted via Yubico Authenticator.
OpenPGP
The YubiKey 5C NFC stores three OpenPGP subkeys:
- (S)ign – Used for signing files (i.e., creating digital signatures).
- (E)ncrypt – Public keys are used for encryption, while private keys decrypt the data.
- (A)uthentication – Used for authentication purposes, such as logging into remote servers.
Credential Storage Limits
- FIDO U2F: Unlimited.
- FIDO2: 25 credentials (100 on firmware 5.7+).
- OATH (Authenticator): 32 OATH-TOTP credentials.
- OpenPGP: 3 private keys.