Beginner's Guide to YubiKeys

2025-09-08

YubiKeys are great, I personally own 3 of them. It took me a while but I have become pretty comfortable with integrating them into how I use my devices.

I would like to share what I have learned and hopefully convince you to use them, or, if you are already part of the YubiCult, increase the utility you get out of the YubiKeys you already own.

A Yubiwhat?

A YubiKey is a little USB-sized device that can greatly improve your online security through the use of cryptographically secure "keys" stored on the device.

An image of my YubiKeys, two of them are in a Keyport Pivot 2.0, one is laying in front of them

You may be familiar with two-factor authentication (2fa) through apps like Authy or Google Authenticator. YubiKeys operate in a similar fashion to these apps, but they offer a level of security beyond what an app alone can provide, as well as additional features and niceties.

When you enrol a YubiKey to be used on a website or app, you elevate the security of that account immediately, any person logging in must have physical access to an actual object (the YubiKey), no exceptions.

If the benefits of a YubiKey aren't immediately obvious to you, picture this:

A hacker has gained access to the password of your valuable account at example.com!
They go to example.com/login and enter your username and password.
When they submit your details, they are prompted by the site to "Authenticate with a passkey or security key". This is your YubiKey.

Discord prompting the user for a security key

The hacker has hit a brick wall, there is nothing they can do to get past this prompt assuming the website has set up their 2fa implementation securely and responsibly, short of finding your location and prying the YubiKey from your hands.

To further demonstrate the effectiveness of YubiKeys, Google reduced the number of account takeovers from phishing attacks to zero after requiring the usage of YubiKeys by their 85,000 employees.¹ ² Zero is a nice number.

Which YubiKey should I buy?

Short answer:

For most people I would simply recommend the YubiKey 5C NFC.

It uses the ubiquitous USB-C connection type allowing you to simply plug it in to most of your devices. If your PC, phone, tablet, or other device does not support USB-C, you can use the NFC connectivity option.

As a last resort you can buy a USB-C to USB-A (or other connection type) adaptor for a few dollars. I own some simple UGREEN adaptors I bought on Amazon, and there's a good chance you already own an adaptor somewhere in your home.

The 5C NFC could be viewed as their "flagship" offering suitable for most people. It is the first product displayed on their storefront. The YubiKey 5 NFC is identical but uses USB-A instead and is a few dollars cheaper.

Nuanced answer:

Depending on how invested you are, you can probably find some other options on Yubico's store that may be more suitable for you depending on the features you need. But I can't speak to the quality, ease of use, effectiveness, or other properties of most of their offerings.

Some are much more expensive as they have specific certifications required for certain fields. Others feature biometric features to not only verify the person logging in has physical access to the YubiKey, but that the one using the YubiKey is allowed to use it.

You will pay a premium for those features, but if they are important to you, this guide is likely beneath your needs regardless.

Yubico also offers a page to compare features of YubiKeys and a quiz to determine which YubiKey may be suitable for you.

I own two YubiKey 5C NFCs, and one Security Key NFC. The Security Key NFC is USB-A as opposed to the USB-C of the 5C NFC, it also has a reduced feature set with less or no support for some algorithms, but depending on your use case it might offer the functionality you need at a cheaper price.

Where should I buy a YubiKey?

YubiKeys are a product of Yubico. They should only be purchased from the official Yubico website, or through an authorised reseller.

Purchasing a YubiKey from anywhere else could put you at risk of the device being tampered with, or receiving an entirely counterfeit device.

This is a serious consideration, and choosing to purchase through an untrustworthy avenue could put your accounts at more risk than having not purchased a YubiKey at all.

Yubico does offer a page to verify the authenticity of your YubiKeys if needed.

A screenshot of a YubiKey 5C NFC passing the authenticity test

Yubico takes the risk of supply chain attacks seriously, and as such all YubiKeys are manufactured in Sweden where they are incorporated, and in the United States where they have a subsidiary.³

How should I use a YubiKey?

I won't cover the specifics of how and where to enrol a YubiKey on each service as it differs, and Yubico covers it better than I could here on their own website. But below is a rundown of enrolment methods and why you might want to choose each one.

First class integration

You can view a list of services with first class support here. These services feature dedicated integration for security keys.

On the surface using dedicated integration offerings seems like a good idea, and it isn't necessarily bad, but I would recommend you be wary of them as someone who has used them often.

While many services have security key integration, it doesn't mean they have good security key integration. Some common issues include:

An inability to enrol more than one security key.
Ambiguity as to whether you have enrolled two different YubiKeys, or the same YubiKey twice. (as a sidenote, I imagine it would be good practice if services detected this and warned you)
No ability to name your YubiKeys.
Buggy UIs where displayed state isn't accurate.

Additionally, since services with security key integration handle it on their own, there is often no way to tell where your YubiKey is enrolled without creating a separate tracking method. In my case I have a Google Sheet where I add places that I have enrolled my YubiKeys.

This is friction, friction means you won't want to use your YubiKeys. Not good.

There are advantages to using first class integration, and if you know what you are doing, go for it! But if you don't want to worry about that I would recommend that most people use Yubico Authenticator to manage the enrolment of their YubiKeys.

Yubico Authenticator

Yubico Authenticator functions like the aforementioned phone-based authenticators, but it offers so much more convenience than them. It is available for Windows, Mac, Linux, Android, and iOS.

Any service that supports traditional 2fa apps should be compatible with Yubico Authenticator. It can be marginally more difficult to setup than an app-based 2fa service, but it pays off immediately.

When using Yubico Authenticator, your one-time tokens are not tied to your phone, they are generated from the YubiKey itself. This means that you can access your tokens anywhere you have your YubiKey, on any device. This is a superpower, and probably my favourite feature of Yubico Authenticator.

It also grants the benefit of being able to view and manage every single service your YubiKey is enrolled with in a single place. This is in stark contrast to using first class integration on services where you will need to track where you have enrolled your YubiKeys manually.

You can rename your YubiKeys in the UI and give them a unique colour, this will persist across any device you use Yubico Authenticator on. I named mine Bluey and Bingo, and gave them an apt colour.

Additionally, you can enable or disable certain features and algorithms through Yubico authenticator if they aren't necessary for your usage to further harden your YubiKey. For example, I disabled the "short touch" slot on Bluey and Bingo as I had situations where it would fill text inputs with random characters.

Yubikey Manager (ykman)

If you are a bit more of an advanced user, Yubico also offers YubiKey Manager, a CLI option is available for download too. Many of the features this program provides are already available in Yubico Authenticator.

Securing SSH with YubiKeys

You can use the ssh-keygen command to require the presence of a YubiKey when you SSH into a server.

Below is a command that I have personally used with details specific to me omitted. (based on this page)

ssh-keygen -t ed25519-sk -O resident -O verify-required -O application=ssh:service-name -C "you@example.com YubiKey name"

If you are wondering what each part of that command does:

-t ed25519-sk: specifies that you want to create an SSH key using the Ed25519 encryption algorithm. -sk specifies that you want the security key variant.
-O resident: specifies that the SSH key you are generating should be stored on the YubiKey itself.
-O verify-required: specifies that the YubiKey must be physically touched and the YubiKey's pin entered each time the SSH key is used.
-O application=ssh:service-name: necessary if multiple SSH keys will be stored on this YubiKey, change service-name for each new key.
-C "you@example.com YubiKey name": appends the specified comment to the generated public key. In this case I have specified my e-mail and the name of the YubiKey this SSH key is associated with.

Ensuring security

Treat your YubiKey like the key to your front door. Its location should always be accounted for. This is touched on more here.

If a service allows multiple 2fa options, you should disable those that do not involve your YubiKey. The weakest link in your account is the weakest 2fa option. This stands especially true for SMS authentication. If you can avoid it you should never enable SMS authentication as it is prone to attacks such as SIM swapping.

What are the cons of YubiKeys?

YubiKeys can be expensive

If you are serious about security they are nice to have, but don't feel as though they are necessary. In fact, if you are reading this page it likely means you are already rather security conscious, this fact alone gets you most of the way to being secure.

You should buy and use two YubiKeys

To compound to the previous point of cost, if you are serious about securing your online life with YubiKeys you should own at least two of them.

Think of your YubiKey as you would any other key
The importance of having a spare key is well established. We have them for our most valuable assets in life – our houses, our cars, our PO and safety deposit boxes, etc. Well not surprisingly, we also need spare keys for our digital devices!⁴

You don't want to be in a situation where you are locked out of an account permanently because you lost or broke your YubiKey. If you can't afford two, don't buy one. Stick to conventional 2fa methods.

If your YubiKey is lost or damaged replace it immediately and enrol it on all services again. During this process you should remove the previous YubiKey to clean things up.

Are there alternative security keys?

Yes, there are alternatives including Google's Titan security keys. I can't (and won't) speak to how effective or secure any other security keys on the market are as I have never used them.

But I will say that Yubico is definitely the biggest name in the game, and they likely have the most robust security key ecosystem, both in the physical keys they offer, and the software available for them, that is a big advantage for an already niche product like a security key.

Do not trust security keys from any company that does not demonstrate that they take security seriously.

#guide #technology