Get Started with YubiKey

Why Buy a Security Key? #

To simplify logins, I let my browser save passwords and enable two-factor authentication (2FA) for important accounts, such as SMS verification. However, SMS can be unreliable, sometimes taking over 30 seconds. A hardware security key is a better alternative.

I chose the YubiKey 5C NFC, which supports USB-C and NFC for easy use on both computers and phones. The Security Key NFC is also a good option but lacks OpenPGP support.

YubiKey 5C NFC Overview #

The YubiKey 5C NFC by Yubico is a hardware security key with multiple features. I mainly use FIDO U2F, FIDO2, and OpenPGP, while Smart Card and OTP are more common in enterprise settings.

Recommended Software #

• YubiKey Manager CLI – Manages YubiKey configurations.
• YubiKey Authenticator – Manages FIDO2 accounts and generates TOTP codes, similar to Microsoft/Google Authenticator.

YubiKey Usage Modes #

1. Application request authentication via touch (e.g., FIDO U2F).
2. Yubico software retrieves stored data (e.g., Yubico Authenticator).
3. Two slots act as a keyboard for entering static passwords.

Touch Functions #

• Tap once: Authorizes requests when the light is on.
• Tap and hold (1 sec): Activates Slot 1 and enters stored data.
• Tap and hold (3 sec): Activates Slot 2 and enters stored data.

Understanding the LED indicator #

• Short flashing: Indicates an application is requesting YubiKey access.
• Solid light: Indicates that YubiKey is acting as a simulated keyboard inputting stored content.

Common Use Cases #

FIDO U2F #

FIDO U2F is used for two-factor authentication. After linking YubiKey to a website, logging in requires a PIN and a touch. Since physical interaction is needed, it effectively prevents remote attacks. The site stores the public key, while the private key stays secure in YubiKey.

FIDO2 #

FIDO2 (WebAuthn) is an upgraded version of U2F, storing account details like URLs, usernames, and passwords. The YubiKey 5 series holds up to 25 credentials (100 on firmware 5.7+). Unused credentials can be deleted via Yubico Authenticator.

OpenPGP #

The YubiKey 5C NFC stores three OpenPGP subkeys:

• (S)ign – Used for signing files (i.e., creating digital signatures).
• (E)ncrypt – Public keys are used for encryption, while private keys decrypt the data.
• (A)uthentication – Used for authentication purposes, such as logging into remote servers.

Credential Storage Limits #

• FIDO U2F: Unlimited.
• FIDO2: 25 credentials (100 on firmware 5.7+).
• OATH (Authenticator): 32 OATH-TOTP credentials.
• OpenPGP: 3 private keys.

References #

• YubiKey 5C NFC