No, you aren't using "Yubikey" for 2FA, please be more specific


  • Mon 12 October 2020
  • misc

Every so often, terms of art annoy me enough that I go off on a rant or blog about it. This is one of those times.

Yubikey is a brand name of hardware token made by Yubico. I like them a lot.

Yubico was founded in 2007 and first shipped product in 2008. Their model identification page goes back to 2014 and shows no fewer than 25 variants.

It'll come as no surprise that in the face of emerging technologies and best practices, the "second factor" offered by Yubico's product has evolved over time.

Ignoring for a moment the HSM model (HSM is a bit of a different function from 2FA), the current flagship models support the following authentication frameworks:

  • Secure Static Passwords
  • Yubico OTP
  • OATH – HOTP (Event)
  • OATH – TOTP (Time)
  • Smart Card (PIV-Compatible)
  • OpenPGP
  • FIDO U2F
  • FIDO2

Of these, the first one (Secure Static Passwords) is "not really a second factor", though it may still have some corner case uses, particularly if accessibility for folks with physical challenges is the overwhelming concern.

The second through fourth (the *OTP variants) are all subject to MitM or race condition attacks if revealed via an insecure channel. As a group they're fairly dated - HOTP was RFC 4226 from 2005. TOTP was an evolution from 2011 - RFC 6238. Any of them is way better than SMS or email based second factor (which I have poked fun at as "1.2 factor authentication"), but none of them is what I would specify if I were rolling out something new today.

The fifth one "Smart Card (PIV-Compatible)", ironically, is even older than HOTP as it traces its roots to Homeland Security Presidential Directive 12 (HSPD-12) which was signed in August 2004. Yet it specifies strong crypto and since it uses a bidirectional handshake it is much less susceptible to attack than one-way OTP approaches. I haven't taken a deep dive into what exactly Yubico means by "PIV-compatible" (the standard has evolved over the years - FIPS 201-2 is dated August 2013 and NIST SP 800-73-4 is last updated February 2016), but this one would definitely be on my radar if I was doing a greenfield implementation and wanted the broadest set of possible vendors for authentication tokens.

The sixth one is "OpenPGP". If I were doing a lot of work with PGP and wanted token based signing I'd be all about this one. I have friends who use the OpenPGP function on Yubikeys for storing ssh keys. That said, I don't know of any SAML identity providers that support this as a second factor, though someone will no doubt send me pointers so I can update this section.

The seventh and eighth, FIDO/U2F and FIDO2, are highly interesting. It's an open standard (there are a couple of manufacturers other than Yubico, though nowhere near as many as the smart cards), the industry seems to be headed this way, and login.gov the multi-agency SAML identity provider for US government interaction has supported it for a couple of years. Morever, Yubico offers a couple of inexpensive FIDO2-only Yubikeys at about half the cost of the flagship models. If I were responsible for a greenfield implementation these would be front and center for me.

So as you can see, saying "we use Yubikey" is sort of like saying "I drive a Toyota" - it doesn't really tell you much about your capabilities and where you might run into trouble (a load of bulk mulch in a GR Supra, for instance). Be aware of your second factor framework. It matters.