Introduction to Yubikey

1. Introduction to Yubikey

1. Yubikeys offer:

  1. OTP: one-time passwords
  2. U2F: FIDO Universal 2nd Factor
  3. PIV: Personal Identity Verification
  4. OpenPGP: Open Pretty Good Privacy
  5. OATH: Open Authentication

2. How to back up

Note: you cannot rename or make any changes to a credential after you add it.

It is not possible to create an exact copy of a YubiKey, but in some cases it is possible to duplicate the credentials stored on the YubiKey. When you add a credential, be sure you copy the secret key for that credential and store it in a safe place.

YubiKeys are, by design, write-only devices. This means that the secrets stored in the YubiKey can only be written into, and not read out of, the device. If a credential is to be copied, its secret must be known beforehand: it has to be written down (or copied) while programming the YubiKey.

1. The best ways to plan for backup YubiKeys are:

  1. Add credentials at the same time to multiple YubiKeys if you have them.
  2. Save a copy of the QR code (capture the screen) or make a copy of the secret key.

TIP: When you are adding a credential, there is usually a clickable link below the QR code. Click this link to view the secret key.

IMPORTANT: If you add credentials to one YubiKey, and then later decide to buy another YubiKey for a backup, you must log into every account and go through the setup process again with the Yubico Authenticator app. To get a new credential for each account, delete the original credentials from the original YubiKey, and then add the new credentials to both YubiKeys.

2. To copy the secret key when adding a credential

Do one of the following:

  1. When you add a credential with Yubico Authenticator, copy the secret key from Secret key (base32), and save it to a text file so you can use it on another YubiKey.
    NOTE: Secret key (base32) is automatically populated when you scan the QR code from the website.
  or
  2. Click the link below the QR code, which enables you to view and copy the secret code associated with the QR code.

3. Edit the Credential Naming

Credentials can only be viewed or deleted. If you want to change anything about the credential, including the name of the credential, you must delete the existing credential, go through the setup process again, and create a new credential with the settings and the name that you want.

2. Introduction to Yubico software

1. Yubico Authenticator

The Yubico Authenticator application enables you to generate time-based OTP codes or counter-based OTP codes directly from your computer or on your Android device. All the YubiKeys have 2 configuration slots, but there are differences in the number of credentials the different YubiKeys store.

1. YubiKey 4 and YubiKey 4 Nano:

You can store up to 32 OATH credentials (TOTP or HOTP) on the YubiKey 4 and access them using the Yubico Authenticator for Desktop application.

2. YubiKey NEO and YubiKey NEO-n

You can store up to 28 OATH credentials (TOTP or HOTP) on the YubiKey NEO and YubiKey NEO-n, and you can access those credentials using both the Yubico Authenticator for Desktop application and the Yubico Authenticator for Android application.

NOTE: On Android devices, credentials can only be added or viewed over the NFC interface.

3. Difference Between TOTP and HOTP Codes

There are two standards for generating One-Time passcodes (OTPs): TOTP and HOTP. Both of these standards are regulated by the Initiative for Open Authentication (OATH). TOTP is the most commonly used authenticator code (used for Amazon, Gmail, Evernote, and other applications).

  1. Time-Based One-Time Password:
    Time-based one-time password (TOTP) is a temporary passcode based on a time counter. The Yubico Authenticator app automatically refreshes the TOTP codes every 30 seconds.
  2. HMAC-Based One-Time Password:
    HMAC-based one-time password (HOTP) is an event-based passcode, based on an event counter. To refresh an HOTP code, click the code within the Yubico Authenticator app.

4. Choosing TOTP or HOTP:

The application for which you are generating credentials defaults to using TOTP passwords, and we recommend you accept the default.

A TOTP password has:

  1. a shorter lifespan than an HOTP password, which may be valid for an unknown amount of time (or until your next login).
  2. A TOTP password requires less maintenance than an HOTP password, but the time between the device and the server needs to be synchronized. HOTP passwords require more maintenance but no synchronization.

TOTP is the more secure one-time password solution.
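
The following added example (not from the original page or from Yubico) ties together the backup advice and the TOTP/HOTP comparison above: the base32 secret carried in the QR code is all that is needed to derive the codes, which is why a saved secret can be programmed into a second YubiKey. The function names, the `otpauth://` sample URI, and the drift and look-ahead window sizes are assumptions chosen for illustration; the secret is the published RFC 4226 test value.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    pad = "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(secret_b32.upper().replace(" ", "") + pad)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238: HOTP whose counter is the number of elapsed 30-second steps."""
    return hotp(secret_b32, int(unix_time) // step, digits)

def secret_from_uri(uri):
    """Extract the base32 secret from an otpauth:// URI (the QR code payload)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    return parse_qs(parsed.query)["secret"][0]

def verify_totp(secret_b32, code, server_time, drift_steps=1, step=30):
    """Server side (assumed window): accept adjacent steps to absorb clock drift."""
    return any(hmac.compare_digest(totp(secret_b32, server_time + d * step), code)
               for d in range(-drift_steps, drift_steps + 1))

def verify_hotp(secret_b32, code, server_counter, look_ahead=3):
    """Server side (assumed window): return the next counter, or None on failure."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret_b32, c), code):
            return c + 1  # resynchronise past the accepted counter
    return None

# Constructed sample: the RFC 4226 test secret "12345678901234567890" in base32.
SAMPLE_URI = ("otpauth://totp/Example:alice"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

if __name__ == "__main__":
    secret = secret_from_uri(SAMPLE_URI)
    # Two keys programmed with the same saved secret show the same code.
    print("primary:", totp(secret, 59), "backup:", totp(secret, 59))
    print("clock 20 s off accepted:", verify_totp(secret, totp(secret, 59), 79))
    print("clock 120 s off accepted:", verify_totp(secret, totp(secret, 59), 179))
    # HOTP: two codes were generated but never submitted; the server catches up.
    print("next HOTP counter:", verify_hotp(secret, hotp(secret, 2), 0))
```

The TOTP check fails once the clocks differ by more than the accepted window, while the HOTP check depends on the server tracking and resynchronising the counter, which is the maintenance cost described above.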

2. YubiKey Personalization Tool

Use the YubiKey Personalization Tool to configure the 2 slots on your YubiKey on Windows, Linux, and Mac OS X operating systems.


You can program your YubiKey in the following modes:

  1. Yubico OTP
  3. Static Password
  4. Challenge-Response

You can also check the type and firmware of a YubiKey.

You can perform batch programming of a large number of YubiKeys.

You can use the extended settings to specify other features, such as to disable fast triggering, which prevents the accidental triggering of the nano-sized YubiKeys when only slot 1 is configured.


IMPORTANT: Re-programming your YubiKey’s first configuration slot will overwrite the YubiCloud configuration, and you cannot undo this action. Use care when you re-configure your YubiKey.

NOTE: The configuration details of the YubiKey are never exposed; this includes the mode type (Yubico OTP, OATH-HOTP, Challenge-Response, and Static Password) that is loaded in each slot.

1. Yubico OTP Configuration

Configure the YubiKey to emit the standard Yubico OTP of 44 characters.

1. Quick Mode

YubiKey to upload the AES Key to the online Yubico OTP validation server.

NOTE: An internet connection is required for the online Yubico OTP validation server.

2. Advanced Mode
