The YubiKey 5 is a multi-protocol device designed to deliver security and versatility. Here is the full list of supported standards and technologies:
1. FIDO2 / WebAuthn
- Description: A modern standard for passwordless authentication and phishing protection.
- Components:
- WebAuthn (web authentication through browsers).
- CTAP2 (Client-to-Authenticator Protocol).
- Usage: Signing in to Google, Microsoft, and GitHub accounts and cloud services (AWS, Azure).
2. FIDO U2F
- Description: A standard for two-factor authentication (2FA) with phishing protection.
- Examples: Support for services such as Dropbox, Facebook, and Salesforce.
3. Yubico OTP (One-Time Password)
- Description: A proprietary protocol for generating one-time passwords.
- Usage: A second factor for services that accept Yubico OTP, such as password managers (for example, LastPass) and VPN/RADIUS gateways.
4. PIV (Personal Identity Verification)
- Description: A smart-card standard for authentication, encryption, and digital signing.
- Functions:
- Signing in to Windows/macOS.
- Signing documents (for example, via Adobe Sign).
- Disk encryption (BitLocker).
5. OpenPGP
- Description: The OpenPGP standard (RFC 4880) for encryption, signing, and key management. GnuPG (GPG) is the usual implementation; the YubiKey's OpenPGP applet holds the signing, encryption, and authentication subkeys.
- Usage:
- Encrypting email (Thunderbird's built-in OpenPGP support; the Enigmail add-on is no longer needed).
- Signing Git commits.
- SSH authentication (keys stored on the YubiKey).
6. OATH-HOTP / OATH-TOTP
- Description: Support for one-time passwords following the OATH standard:
- HOTP (HMAC-based One-Time Password).
- TOTP (Time-based One-Time Password, like Google Authenticator).
- Note: The YubiKey can store secrets for generating codes, but it requires compatible software (for example, Yubico Authenticator).
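How an OATH authenticator turns the stored secret into a code, as an added example (not code from the page or from Yubico): HOTP and TOTP as the YubiKey's OATH applet computes them, checked against the RFC 4226 / RFC 6238 test secret. The server-side window check is also shown, since the skew tolerance is where most deployments get it wrong.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) as an OATH authenticator computes them.

Added example, not the page's own code. The secret is the RFC 4226 test secret
("12345678901234567890"), so the codes can be checked against the RFCs' vectors.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

RFC_TEST_SECRET = b"12345678901234567890"  # RFC 4226 appendix D / RFC 6238 SHA-1 test secret


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HMAC(secret, counter) -> dynamic truncation -> `digits` decimal digits."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algorithm).digest()
    offset = mac[-1] & 0x0F                              # low nibble of the last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with counter = floor(unix_time / step)."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret, int(timestamp // step), digits)


def verify_totp(secret: bytes, candidate: str, timestamp: float, window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the current step or up to `window` steps either side
    (clock skew), comparing in constant time so the check does not leak which digits matched."""
    counter = int(timestamp // step)
    return any(hmac.compare_digest(hotp(secret, counter + d, len(candidate)), candidate)
               for d in range(-window, window + 1))


def secret_from_base32(b32: str) -> bytes:
    """otpauth:// enrollment URIs carry the secret base32-encoded, often without padding."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))
```

The same `hotp` routine serves both OATH modes; the only difference is where the counter comes from (a stored count that the key increments, or the clock). A verifier that accepts a wide window, or that does not record the last accepted counter, turns a one-time code into a short-lived password.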
7. Challenge-Response
- Description: HMAC-SHA1 challenge-response. The host sends a challenge of up to 64 bytes to an OTP slot and the key returns HMAC-SHA1(secret, challenge), computed with a secret that was programmed into the slot and cannot be read back; the host mixes the response into a local key.
- Example: Locking a password manager database (KeePassXC) with a YubiKey; the database stores only the challenge, so it cannot be opened without the key.
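What the slot computes and how an application can build a vault key from it, as an added example (not code from the page, and not KeePass's actual key-derivation scheme, which is simplified here). The slot secret and challenges are constructed values.

```python
"""HMAC-SHA1 challenge-response as a YubiKey OTP slot computes it, and one way a
local application can use it to lock data.

Added example, not the page's own code, and a simplified scheme rather than
KeePass's real one. The slot secret and the challenges are constructed values;
a real slot is programmed with ykman and the secret can never be read back.
"""
import hashlib
import hmac
import os

SLOT_SECRET = bytes(range(20))  # constructed 20-byte HMAC-SHA1 secret "programmed" into the slot


def yubikey_hmac_sha1(secret: bytes, challenge: bytes) -> bytes:
    """What the key does on touch: HMAC-SHA1(secret, challenge).
    The slot accepts a challenge of at most 64 bytes (assumed configured for
    variable-length input; in fixed 64-byte mode the host pads the challenge)."""
    if not 1 <= len(challenge) <= 64:
        raise ValueError("challenge must be 1..64 bytes")
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def derive_vault_key(password: str, challenge: bytes, response: bytes) -> bytes:
    """Mix the password and the key's response; neither alone unlocks the vault."""
    return hashlib.pbkdf2_hmac("sha256", password.encode() + response, challenge, 200_000)


def lock_vault(password: str, secret: bytes = SLOT_SECRET):
    """Return (challenge, key). Only the random challenge is stored with the data;
    the response is recomputed by the key at every unlock and never written to disk."""
    challenge = os.urandom(32)
    return challenge, derive_vault_key(password, challenge, yubikey_hmac_sha1(secret, challenge))


def unlock_vault(password: str, challenge: bytes, secret: bytes = SLOT_SECRET) -> bytes:
    """Unlock with the stored challenge; a different key (secret) or password yields a different vault key."""
    return derive_vault_key(password, challenge, yubikey_hmac_sha1(secret, challenge))
```

Because the response depends on the challenge, a copy of the database file alone gives an attacker nothing to brute-force offline without also holding the key; that is the property a static password cannot offer. Keep a second key programmed with the same slot secret, or the database is lost with the key.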
8. Smart Card (ISO/IEC 7816)
- Description: The YubiKey presents itself over USB as a CCID smart-card reader with a card inserted. The PIV, OpenPGP, and OATH functions above are applets on that card, addressed with ISO/IEC 7816 APDUs, so tools that already talk to smart cards (pcsc-lite, OpenSC, the Windows minidriver) work with it.
- Usage: VPN access, digital certificates, electronic signing.
9. Secure Static Password
- Description: Storing a static password in the YubiKey’s protected memory and typing it out as keystrokes when the key is touched.
- Usage: Automatically typing a long, complex password. It is still a reusable password: a keylogger or a phishing form captures it like any other, so use it only where none of the one-time or public-key options are available.
10. NDEF (NFC Data Exchange Format)
- Note: Only for models with NFC (for example, the YubiKey 5C NFC).
- Usage: Contactless authentication on smartphones, transferring data over NFC.
11. PKCS#11
- Description: A standard API (Cryptoki) through which applications talk to cryptographic tokens. The YubiKey’s PIV slots are exposed by a PKCS#11 module such as Yubico’s ykcs11 or OpenSC’s opensc-pkcs11.
- Usage: Integration with applications that support PKCS#11 (for example, loading the module in Mozilla Firefox for TLS client certificates, or in OpenSSH via the PKCS11Provider option).
Why Should You Use a YubiKey?
The YubiKey isn’t just “yet another two-factor authentication tool.” It’s a hardware solution that dramatically raises your level of security and simplifies managing your digital identity. Here are the key reasons to adopt it:
1. Protection Against Phishing and Attacks
Passwords, SMS codes, and even TOTP codes (from apps like Google Authenticator) can be phished: a real-time phishing proxy simply relays whatever the user types to the real site. The YubiKey closes that gap:
- FIDO2/WebAuthn: The browser tells the key which site (the RP ID) is asking, and the key’s signature covers a hash of that RP ID and the page origin. A credential registered for google.com produces nothing usable on a look-alike domain, so even if you enter your password on a phishing page, the attacker cannot complete the sign-in with your YubiKey.
- Hardware isolation: Private keys are generated in, and never leave, the secure element; software on the host cannot read or copy them.
- Example: If an attacker obtains your Gmail password, they still cannot sign in without the physical YubiKey once FIDO2 is enrolled as your second factor.
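The relying-party checks that make the phishing case above fail, as an added example (not code from the page or from any FIDO library): a simulated authenticator, the browser that mediates the request, and the site that verifies the assertion. The structural checks (ceremony type, challenge, origin, rpIdHash, user-presence flag, signature counter) are the ones WebAuthn prescribes; the credential signature is stood in for by an HMAC with a per-credential secret so the code runs on the standard library alone, whereas a real key signs with an asymmetric key pair. All names and values are constructed.

```python
"""Relying-party verification of a WebAuthn assertion, and why a phishing page
cannot reuse a YubiKey credential. Added example, not the page's own code.
The "signature" is an HMAC stand-in (see lead-in); everything else follows the
WebAuthn verification steps. Hostnames and values are constructed.
"""
import copy
import hashlib
import hmac
import json
import os
import struct
from urllib.parse import urlparse

FLAG_UP = 0x01  # authenticatorData flag "user present": the key was touched


class SimulatedAuthenticator:
    def __init__(self):
        self.creds = {}  # credential id -> [rp_id, secret, signature counter]

    def make_credential(self, rp_id):
        cred_id, secret = os.urandom(16), os.urandom(32)
        self.creds[cred_id] = [rp_id, secret, 0]
        return cred_id, secret  # `secret` plays the role of the public key the RP stores

    def get_assertion(self, rp_id, cred_id, client_data_hash):
        # A credential is scoped to the RP ID it was created for; CTAP returns no
        # assertion for any other RP ID. This is the property that defeats phishing.
        stored_rp, secret, count = self.creds[cred_id]
        if stored_rp != rp_id:
            raise LookupError("no credential scoped to %r" % rp_id)
        self.creds[cred_id][2] = count = count + 1
        auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([FLAG_UP]) + struct.pack(">I", count)
        return auth_data, hmac.new(secret, auth_data + client_data_hash, hashlib.sha256).digest()


def browser_get(authenticator, origin, cred_id, challenge):
    # The browser, not the page's script, fixes `origin` and derives the RP ID from
    # it, so a page on another host cannot request an example.com assertion.
    rp_id = urlparse(origin).hostname
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin}).encode()
    auth_data, sig = authenticator.get_assertion(rp_id, cred_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin, self.creds = rp_id, origin, {}  # cred id -> [key, last counter]

    def register(self, cred_id, verification_key):
        self.creds[cred_id] = [verification_key, 0]

    def verify(self, cred_id, challenge, client_data, auth_data, sig):
        """Return (accepted, reason) following the WebAuthn assertion verification steps."""
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if not hmac.compare_digest(cd.get("challenge", ""), challenge.hex()):
            return False, "challenge mismatch (stale or replayed assertion)"
        if cd.get("origin") != self.origin:
            return False, "origin mismatch: " + str(cd.get("origin"))
        rp_hash, flags, count = auth_data[:32], auth_data[32], struct.unpack(">I", auth_data[33:37])[0]
        if rp_hash != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpIdHash is not this RP's"
        if not flags & FLAG_UP:
            return False, "user presence not asserted"
        key, last = self.creds[cred_id]
        expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        if count <= last:
            return False, "signature counter did not increase: possible cloned authenticator"
        self.creds[cred_id][1] = count
        return True, "ok"


def demo():
    """Legitimate login, replayed assertion, forged origin, phishing page, cloned key."""
    key, rp = SimulatedAuthenticator(), RelyingParty("example.com", "https://example.com")
    cred_id, pub = key.make_credential("example.com")
    rp.register(cred_id, pub)
    r, chal = {}, os.urandom(32)
    cd, ad, sig = browser_get(key, "https://example.com", cred_id, chal)
    r["login"] = rp.verify(cred_id, chal, cd, ad, sig)[0]
    r["replay"] = rp.verify(cred_id, os.urandom(32), cd, ad, sig)[0]       # captured assertion, new challenge
    forged = cd.replace(b"https://example.com", b"https://example.com.evil")  # signed hash no longer matches
    r["forged_origin"] = rp.verify(cred_id, chal, forged, ad, sig)[0]
    try:  # phishing page relays the real challenge, but the browser reports its own origin
        browser_get(key, "https://example.com.evil", cred_id, os.urandom(32))
        r["phish"] = True
    except LookupError:
        r["phish"] = False
    clone = copy.deepcopy(key)          # a clone made before the last use
    clone.creds[cred_id][2] = 0
    chal = os.urandom(32)
    cd, ad, sig = browser_get(clone, "https://example.com", cred_id, chal)
    r["clone"] = rp.verify(cred_id, chal, cd, ad, sig)[0]
    return r
```

Two of the checks are easy to forget in a home-grown RP: comparing `origin` against the exact expected origin (scheme and host, not a substring), and storing the signature counter so that a cloned or rolled-back authenticator is noticed.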
2. Going Passwordless
Passwords are the weak link in security. The YubiKey lets you:
- Passwordless sign-in: For services that support FIDO2 (Google, Microsoft, GitHub), it’s enough to insert the key and touch it.
- Resistance to leaks: The service stores only the public key of your credential, so if its database is breached the attacker gets nothing that can be used to sign in as you.
3. Universality and Cross-Platform Support
The YubiKey works with most operating systems and services:
- Supported protocols: FIDO2, U2F, OpenPGP, Yubico OTP, OATH, PIV, Smart Card (CCID), Challenge-Response.
- Integration examples:
- For developers: Protecting SSH keys via GPG, signing Git commits.
- For businesses: Authentication in corporate VPNs (for example, OpenVPN), signing in to Windows/Linux.
- For everyday users: Secure sign-in to social networks, banking, and cloud storage.
4. Device Reliability
- Physical durability: The YubiKey is resistant to water, impact, and extreme temperatures. You can carry it on your keychain.
- No battery: The device requires no charging and works for up to 10 years.
- Compactness: The 5C model with a USB-C connector is suitable for laptops and smartphones (via a USB-C–Lightning or USB-C–USB-A adapter).
5. Private Key Protection
For tasks involving encryption and signing (GPG, S/MIME):
- Private keys never leave the YubiKey. Even if the computer is infected with malware, attackers won’t be able to steal them.
- Example: Signing legal documents, or encrypting confidential correspondence in an OpenPGP- or S/MIME-capable mail client.
6. Saving Time and Resources
- For companies: Reduced risk of data leaks and the costs of recovering compromised accounts.
- For users: No need to memorize dozens of passwords or sync TOTP apps across devices.
7. Compatibility with Future Technologies
- FIDO2 is a standard that is being actively adopted (support for Apple Passkeys, Microsoft Entra ID, and so on). The YubiKey ensures you’ll be ready for the transition to passwordless authentication.
- Example: Even today, the YubiKey can sign you in to Windows 11 (FIDO2 with Microsoft Entra ID), macOS (PIV smart-card login), and mobile apps over USB-C or NFC.
8. Expert Recommendations
- FIPS 140-2 validated variants (the YubiKey 5 FIPS Series) exist, FIDO2 security keys satisfy the phishing-resistant authenticator requirements of NIST SP 800-63B, and YubiKeys are used by government organizations (for example, the U.S. Department of Defense).
- Companies such as Google, Facebook, and Cloudflare issue YubiKeys to employees to protect corporate accounts.
Objections and Answers
- “It’s expensive”: The cost of a YubiKey 5C (about $55) pays for itself by preventing potential losses from a breach. For comparison: recovering a compromised account or paying a ransom after a ransomware attack costs thousands of dollars.
- “It’s inconvenient to carry around”: The YubiKey 5C is the size of a coin and attaches easily to a keychain. For critical services (such as email), it’s recommended to have a backup key stored in a safe.
Who Is the YubiKey For?
- Individuals: Those who want to protect personal data (especially owners of crypto wallets).
- IT professionals: DevOps engineers, developers, administrators.
- Businesses: Organizations that hold trade secrets or customers’ personal data.
A Guide to the Main Features:
FIDO2: Passwordless Sign-In and Phishing Protection
FIDO2 is a standard that lets you authenticate without a password, using public/private-key cryptography. The YubiKey 5C supports FIDO2 through WebAuthn (a web standard) and CTAP2 (the protocol for communicating with the device).
FIDO2 Usage Examples
1. Signing In to a Google Account
- Go to Security → Passkeys and security keys (under “How you sign in to Google”).
- Click Add a passkey.
- Insert the YubiKey 5C into the USB-C port and touch it.
- The system will register the key. Now, to sign in to your account, instead of a password or an SMS code, it’s enough to insert the YubiKey and confirm with a touch.
2. Authentication on GitHub
- In your GitHub account settings, go to Password and authentication → Security Keys.
- Click Add security key, insert the YubiKey, and touch it.
- Now GitHub requests the YubiKey when you sign in and when you confirm sensitive changes in the web settings (sudo mode). Git pushes over SSH or HTTPS are authenticated by your SSH key or token and do not prompt for it.
3. Windows Hello for Business
The YubiKey 5C can be used to sign in to Windows 10/11 as a FIDO2 security key. This works for devices joined (or hybrid-joined) to Microsoft Entra ID, not for local accounts, and an administrator must have enabled the FIDO2 authentication method:
- Register the key against your Entra ID account on its Security info page, then in Settings → Accounts → Sign-in options, select Security Key.
- Insert the YubiKey, click Manage, and follow the instructions to set or change the key’s PIN.
- Afterwards the security key appears as a sign-in option on the lock screen. Enrolling it does not by itself disable password or PIN sign-in; use policy (Intune or Group Policy) if the key is to be the only allowed method.
4. Resident Keys (Discoverable Credentials)
Resident (discoverable) credentials store the whole credential on the YubiKey instead of only a key handle that has to be kept in a file on the host. That lets you use the key on a machine that has no copy of the handle (for example, to SSH in from a freshly installed Linux box):
An example setup for SSH (OpenSSH 8.2 or later, with a FIDO2 PIN set on the key):
ssh-keygen -t ed25519-sk -O resident -O application=ssh:my-key-alias
The credential is written to the YubiKey (a handle file is also written locally). On another PC, run ssh-keygen -K in a directory of your choice to download the handle and public key from the YubiKey, or ssh-add -K to load it straight into the agent; only then can ssh use it.
GPG: Encryption, Signatures, and SSH Keys
GnuPG (GPG) is a tool for encrypting data and creating digital signatures. The YubiKey 5C lets you store private keys on the device, protecting them from theft.
How to Write GPG Keys to a YubiKey
Step 1: Generating Keys
- Install GnuPG and yubikey-manager (ykman).
Create a primary (certifying) key; by default GnuPG also creates an encryption subkey:
gpg --full-generate-key
# Choose an algorithm (e.g. RSA 4096, or ECC with Curve 25519) and an expiration date.
Then add the remaining subkeys. The primary key is only used to certify, so it can stay offline afterwards:
gpg --expert --edit-key <key-ID>
gpg> addkey # For signing
gpg> addkey # For authentication (e.g. SSH): pick "set your own capabilities" and leave only Authenticate enabled
gpg> save
Step 2: Moving Keys to the YubiKey
Insert the YubiKey and run:
gpg --edit-key <key-ID>
gpg> key 1 # Select the first subkey (an asterisk after "ssb" marks the selected one)
gpg> keytocard
# Choose the matching slot on the YubiKey (Signature, Encryption, or Authentication key).
gpg> key 1 # Deselect it before selecting the next subkey
Repeat key <N> / keytocard for the remaining subkeys, then save. keytocard moves the private subkey onto the card and leaves only a stub in the local keyring; the toggle command from older GnuPG versions is no longer needed.
GPG Usage Examples
- Encrypting email in Thunderbird
Thunderbird 78 and later has built-in OpenPGP support, and the Enigmail add-on is no longer maintained. To use a key that lives on the YubiKey, enable external GnuPG in Thunderbird’s Config Editor (mail.openpgp.allow_external_gnupg = true), then add the key in Account Settings → End-to-End Encryption as an external key by its ID; Thunderbird hands the operation to GnuPG, which prompts for the card. Mail is encrypted for recipients whose public keys you have imported.
SSH authentication
Export the public part of the GPG authentication subkey in OpenSSH format:
gpg --export-ssh-key <KEY-ID> > ~/.ssh/yubikey_gpg.pub
Then let gpg-agent act as the SSH agent: add enable-ssh-support to ~/.gnupg/gpg-agent.conf and point SSH at its socket from your shell profile (export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)). Add the public key to the server (in ~/.ssh/authorized_keys); the private key never leaves the YubiKey, so every connection needs the key inserted and, depending on its touch policy, a touch.
Signing Git commits
Configure Git to use the YubiKey:
git config --global user.signingkey <KEY-ID>
git config --global commit.gpgsign true
Now every commit will be signed automatically. You can verify a signature with:
git verify-commit HEAD
Yubico OTP: One-Time Passwords for 2FA
Yubico OTP is a proprietary protocol in which the YubiKey emits a 44-character one-time password when touched: a 12-character public ID followed by a 32-character AES-128-encrypted token that carries a private ID and monotonically increasing counters. The codes are verified by YubiCloud (Yubico’s hosted validation service) or by a self-hosted validation server (yubikey-val with a key storage module such as yubikey-ksm, optionally backed by a YubiHSM) that holds the key’s AES secret.
Setting Up OTP
- Registering with a service (for example, LastPass):
- In the 2FA section, select Yubico OTP.
- Insert the YubiKey and touch it — the code is entered into the field automatically.
- The service saves the key’s public ID for verification.
- Local OTP verification (for your own services):
Use the yubico-pam library (pam_yubico) to integrate with PAM on Linux, or run your own validation server or call the YubiCloud verification API from your application.
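What a validation server does with the 44 characters, as an added example (not code from the page or from Yubico’s yubikey-val): the modhex alphabet, the public ID / ciphertext split, the 16-byte token with its CRC-16, and the counter comparison that rejects replays. The AES-128-ECB decryption that turns the ciphertext into the token is not shown, because the standard library has no AES; the verifier takes a `decrypt` callback standing in for the key-store lookup, and the demo passes a transparent one. All key IDs and values are constructed.

```python
"""Yubico OTP decoding and replay checking, as a validation server performs them.
Added example, not the page's own code; sample IDs and values are constructed.
The AES step is represented by a `decrypt(public_id, ciphertext)` callback.
"""
import struct

MODHEX = "cbdefghijklnrtuv"  # modhex digit i stands for hex digit i (survives any keyboard layout)
CRC_OK_RESIDUE = 0xF0B8      # crc16() over a full 16-byte token whose CRC field is intact


def modhex_decode(s):
    if len(s) % 2 or any(c not in MODHEX for c in s):
        raise ValueError("not modhex")
    return bytes(MODHEX.index(a) << 4 | MODHEX.index(b) for a, b in zip(s[::2], s[1::2]))


def modhex_encode(b):
    return "".join(MODHEX[x >> 4] + MODHEX[x & 0xF] for x in b)


def crc16(data):
    """CRC-16 as Yubico uses it (reflected polynomial 0x8408, init 0xFFFF, no final XOR)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            low = crc & 1
            crc >>= 1
            if low:
                crc ^= 0x8408
    return crc


def build_token(uid, use_ctr, tstp, session_ctr, rnd):
    """Plaintext token as the key assembles it before AES encryption (constructed data):
    uid[6] | usage counter (LE16) | timestamp (LE24) | session-use counter | random (LE16) | CRC."""
    body = uid + struct.pack("<H", use_ctr) + tstp.to_bytes(3, "little") + bytes([session_ctr]) + struct.pack("<H", rnd)
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)


def parse_token(token):
    if len(token) != 16 or crc16(token) != CRC_OK_RESIDUE:
        raise ValueError("corrupt token (bad CRC): wrong AES key or tampered OTP")
    uid, use_ctr, t_lo, t_hi, session_ctr, rnd, _crc = struct.unpack("<6sHHBBHH", token)
    # The top bit of the usage counter is a caps-lock flag, not part of the count.
    return {"uid": uid, "use_ctr": use_ctr & 0x7FFF, "tstp": t_lo | t_hi << 16,
            "session_ctr": session_ctr, "rnd": rnd}


class Validator:
    """Per public-ID state a validation server keeps: the private uid bound to that
    key and the highest (usage counter, session-use counter) pair accepted so far."""

    def __init__(self):
        self.keys = {}

    def register(self, public_id, uid):
        self.keys[public_id] = {"uid": uid, "use_ctr": -1, "session_ctr": -1}

    def verify(self, otp, decrypt):
        if len(otp) != 44:
            return "BAD_OTP"
        public_id, ciphertext = otp[:12], otp[12:]
        rec = self.keys.get(public_id)
        if rec is None:
            return "BAD_OTP"  # unknown key: do not reveal which IDs exist
        try:
            tok = parse_token(decrypt(public_id, modhex_decode(ciphertext)))
        except ValueError:
            return "BAD_OTP"
        if tok["uid"] != rec["uid"]:
            return "BAD_OTP"  # decrypted, but not the identity enrolled under this public ID
        if (tok["use_ctr"], tok["session_ctr"]) <= (rec["use_ctr"], rec["session_ctr"]):
            return "REPLAYED_OTP"
        rec["use_ctr"], rec["session_ctr"] = tok["use_ctr"], tok["session_ctr"]
        return "OK"


def demo():
    """A key emits two OTPs in one session; the second is accepted, replays are not."""
    public_id, uid = "ccccccbcgujh", bytes.fromhex("0102030405f6")  # constructed
    v = Validator()
    v.register(public_id, uid)
    transparent = lambda _pid, ct: ct  # stand-in for KSM lookup + AES-128-ECB decryption

    def emit(use_ctr, session_ctr):
        return public_id + modhex_encode(build_token(uid, use_ctr, 0xABCD, session_ctr, 0x1234))

    first, second = emit(7, 0), emit(7, 1)
    tampered = first[:-1] + ("c" if first[-1] != "c" else "b")
    return [v.verify(first, transparent), v.verify(second, transparent), v.verify(first, transparent),
            v.verify(emit(6, 9), transparent), v.verify(tampered, transparent)]
```

The replay check is the part to get right in a self-hosted verifier: the usage counter increments on power-up and the session-use counter on each touch, so an OTP is only valid if its pair is strictly greater than the last pair accepted for that public ID, and that state must be shared between all validation nodes.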
OTP Usage Examples
- Authentication in a password manager that supports Yubico OTP (for example, LastPass)
- Enable Yubico OTP in the manager’s multifactor settings.
- When signing in, enter your master password and touch the YubiKey; the code is typed into the field automatically.
- Backup 2FA for accounts
If a service doesn’t support FIDO2 (for example, an old corporate portal), use Yubico OTP as a second factor instead of Google Authenticator.
Protecting a server with SSH + OTP
Configure the SSH server to require a public key and then a PAM-backed keyboard-interactive step that asks for the account password and a Yubico OTP:
# In /etc/ssh/sshd_config:
UsePAM yes
KbdInteractiveAuthentication yes # ChallengeResponseAuthentication yes on OpenSSH before 8.7
AuthenticationMethods publickey,keyboard-interactive
# Syntax caveat: comma-separated methods must all succeed, in order, while a space
# separates alternative chains. "publickey,password keyboard-interactive" would mean
# "key AND password" OR "keyboard-interactive alone", not all three.
# The keyboard-interactive step runs the "sshd" PAM stack: put pam_yubico.so (from
# yubico-pam, with id= and key= for the validation service, or authfile= pointing at a
# user-to-public-ID mapping) in /etc/pam.d/sshd alongside the usual password module.
Now signing in requires an SSH key, the account password, and the YubiKey. Restart sshd and keep an existing session open while testing so a mistake cannot lock you out.
Tips and Warnings
- Backup key
Always set up a backup YubiKey (for example, a 5C NFC) and keep it in a safe place. FIDO2 credentials cannot be copied between keys, so register the backup key with every service at the same time as the primary; for GPG, keep an offline backup of the master key (and of the subkeys, if you want to load them onto a replacement key).
- FIDO2 limitations
- Some services limit the number of registered keys (for example, GitHub allows up to 10).
- Resident keys take up slots on the device: a YubiKey 5 holds 25 of them on firmware before 5.7 and 100 on 5.7 and later.
- GPG security
keytocard already moves each subkey to the YubiKey and leaves a stub in the local keyring, so what remains on disk is the primary (certifying) key. Once it is backed up offline, remove it from the computer:
gpg --delete-secret-keys <key-ID> # Caution! Make sure the keys on the YubiKey work first.
This also removes the subkey stubs; recreate them from the public key by running gpg --card-status with the YubiKey inserted.
Summary
The YubiKey is an investment in digital security. It eliminates the vulnerabilities of passwords, protects against phishing, and gives you control over your online identity. If you want to minimize the risk of leaks, spend less time recovering accounts, and feel confident your data is safe, the YubiKey becomes a necessity rather than an option.
- Go fully passwordless via FIDO2 (Google, GitHub, Windows).
- Sign code and encrypt email via GPG.
- Protect SSH sessions and corporate systems.
- Use OTP where FIDO2 isn’t supported yet.
The examples above are just the tip of the iceberg. The YubiKey is suitable for developers, security professionals, and even ordinary users who are tired of password leaks. The main thing is not to forget about a backup key and to configure profiles correctly for your needs.