The industry-standard hardware security key for phishing-resistant authentication — a physical device that makes account takeover nearly impossible.
Hardware-backed FIDO2/WebAuthn, PIV smart card, and TOTP support with tamper-resistant secure element storage.
Must be purchased physically or online, creating a potential purchase trail; hardware serial numbers exist.
FIDO2 and WebAuthn standards are open; YubiKey firmware is proprietary, though the hardware interface is well-documented.
Manufactured by Yubico, headquartered in Sweden with US operations; hardware nature limits ongoing jurisdiction exposure.
Industry standard since 2008; used by Google, Facebook, and governments worldwide with no known key compromise.
Simple tap-to-authenticate experience once set up; initial configuration varies by service and can be confusing.
USB-A, USB-C, NFC, and Lightning models cover virtually every device; supported by all major browsers and services.
Physical product that must be purchased for $25-70; difficult to buy with cash online, but possible at some retailers.
A YubiKey is a physical hardware security key made by Yubico that provides the strongest form of two-factor authentication available. It's a small USB/NFC device about the size of a house key that you tap or insert when logging into your accounts. Unlike SMS codes (which can be intercepted via SIM swapping) or authenticator apps (which can be compromised if your phone is seized), a YubiKey requires physical possession of the device — an attacker who steals your password still cannot access your account without the key in their hand. YubiKeys support FIDO2/WebAuthn, U2F, TOTP, PIV smart card, and OpenPGP, making them compatible with virtually every service that supports hardware authentication.
For crisis preparedness, a YubiKey provides a critical layer of protection that travels with you physically. Your passwords might be compromised through a data breach, a keylogger, or coercion. Your phone might be seized or stolen, taking your authenticator app with it. But a YubiKey on your keychain or around your neck is under your physical control. Google's internal security team eliminated all successful phishing attacks against 85,000+ employees by requiring YubiKeys for authentication — this is the most effective anti-phishing technology that exists.
The YubiKey also serves as an encrypted storage device for PGP keys and SSH keys, which means you can carry your cryptographic identity on a device the size of a thumbnail. For someone who may need to access secure systems from unfamiliar hardware — internet cafés, borrowed laptops, library computers — having your authentication credentials on a hardware device rather than stored in software is a significant security advantage.
YubiKeys implement multiple cryptographic protocols on a secure element chip that is resistant to physical tampering and side-channel attacks. FIDO2/WebAuthn (the primary authentication protocol) uses public-key cryptography: the YubiKey generates a unique key pair for each service, stores the private key in its secure element, and shares only the public key with the service. Authentication requires the YubiKey to sign a challenge from the server — the private key never leaves the device, making it impossible to clone or extract through a remote attack.
For TOTP (time-based one-time passwords), the YubiKey stores the shared secret in its secure element and generates codes when requested through the Yubico Authenticator app. This is more secure than phone-based authenticators because the secrets are stored on tamper-resistant hardware rather than in an app that can be backed up, cloned, or extracted. The YubiKey's OpenPGP applet stores PGP private keys on the secure element, allowing you to sign and decrypt messages without your private key ever being present on a potentially compromised computer. RSA keys up to 4096 bits and ECC keys (including Curve25519) are supported.
YubiKeys themselves contain no identifying information linked to your real identity. There is no account required to use a YubiKey — you plug it in and register it with services directly. The key doesn't broadcast an identifier; it responds only when triggered by a service's authentication challenge. Each service gets a unique cryptographic key pair, so services cannot correlate your identity across sites by comparing YubiKey identifiers (this is a specific privacy property of the FIDO2 protocol called "attestation privacy").
However, purchasing a YubiKey creates a paper trail if you buy it online with a credit card. For anonymous acquisition, purchase from a retail store with cash (Best Buy and some electronics retailers carry them) or buy from Yubico's website using a privacy.com virtual card or cryptocurrency. Yubico does not require an account to use the key — the account on yubico.com is only for purchasing and managing firmware updates, not for authentication. The key functions entirely independently of Yubico once it's in your hands.
Yubico's position on open source is mixed. The FIDO2 and U2F protocols that YubiKeys implement are open standards maintained by the FIDO Alliance, and the protocol specifications are fully public and have been extensively audited. The Yubico Authenticator app (for managing TOTP codes on the key) is open source. However, the YubiKey firmware itself is closed source — Yubico argues that opening the firmware would enable attackers to find vulnerabilities in the secure element, but this position is debated in the security community.
The closed firmware is the primary criticism of YubiKeys. Alternatives like the Nitrokey and SoloKeys offer fully open-source firmware, though they are less widely supported and have smaller security teams. YubiKeys have been audited by NCC Group and other security firms, and the results have been favorable. The secure element hardware (made by NXP and Infineon) is Common Criteria certified. The FIDO2 protocol has been formally verified by academic researchers. While the closed firmware is a legitimate concern, the YubiKey's hardware security and protocol-level transparency provide a strong trust foundation.
Yubico AB is headquartered in Stockholm, Sweden, with U.S. operations in Santa Clara, California. Swedish jurisdiction is subject to the Fourteen Eyes intelligence-sharing alliance, and U.S. operations are subject to U.S. law. However, YubiKeys are hardware devices with no cloud component — Yubico does not store your authentication credentials, does not operate any service that handles your logins, and has no access to the private keys stored on your YubiKey. There is no data for Yubico to hand over.
The jurisdictional risk with a YubiKey is not about Yubico — it's about the physical key itself. At a border crossing, you may be asked to use the key to unlock devices or accounts. In the U.S., courts have generally held that you can be compelled to provide a physical key or biometric (something you have/are) but not a password (something you know). This means a YubiKey could theoretically be used against you at a border, while a memorized password cannot. For this reason, some security experts recommend using a YubiKey as one factor in combination with a password, ensuring that neither alone is sufficient.
Yubico was founded in 2007 and has shipped over 100 million YubiKeys. The company is one of the primary architects of the FIDO2 standard and has been instrumental in pushing the industry toward hardware-based authentication. YubiKeys are used by Google, Facebook, Microsoft, the U.S. Department of Defense, and numerous government agencies worldwide. The 2017 Google case study — zero successful phishing attacks across 85,000 employees after YubiKey deployment — remains the strongest evidence for hardware security keys' effectiveness.
One notable security incident: in 2024, a side-channel vulnerability (EUCLEAK) was discovered in YubiKey 5 series devices using Infineon's SL97 chip that could theoretically allow key extraction with physical access, specialized equipment, and significant expertise. Yubico responded with a security advisory and firmware updates for newer production. The attack required physical possession and lab equipment, making it impractical for most threat models but relevant for users facing state-level adversaries. No mass exploitation has been observed, and the incident demonstrated that even hardware security is not absolute — but the bar was extremely high.
Using a YubiKey is remarkably simple once it's set up. For FIDO2/WebAuthn authentication, the flow is: enter your username and password on a website, the site prompts for your security key, you tap the YubiKey (USB) or hold it near your phone (NFC), and you're logged in. There's no code to type, no app to open, no time pressure from an expiring TOTP code. The physical tap is the authentication. Setup for each service involves going to the service's security settings, selecting "Add security key," and tapping the YubiKey when prompted.
For TOTP management, install the Yubico Authenticator app (desktop or mobile). The app reads TOTP secrets from the YubiKey via USB or NFC and displays the current codes. This is slightly less convenient than a phone-only authenticator (you need the key nearby), but significantly more secure. The initial setup of a YubiKey — registering it with each service — takes 15-30 minutes to cover your critical accounts. After that, daily use is a single tap per login. The main usability concern is remembering to carry the key, which is why many users keep it on their physical keychain.
YubiKeys work on virtually every platform. USB-A and USB-C models connect to Windows, macOS, and Linux computers and to Android devices. NFC-enabled models (YubiKey 5 NFC, YubiKey 5C NFC) work with NFC-capable Android phones and iPhones. The Lightning-connector model (YubiKey 5Ci) works with iPhones and iPads via Lightning and USB-C. Every major browser — Chrome, Firefox, Safari, Edge, Brave — supports FIDO2/WebAuthn with YubiKeys.
Service support is extensive: Google, Microsoft, Apple, GitHub, GitLab, Facebook, Twitter/X, Bitwarden, ProtonMail, Cloudflare, AWS, and hundreds more support YubiKey authentication. The YubiKey also works as a smart card (PIV) for Windows login, SSH key storage for terminal access, and OpenPGP card for email encryption — all from the same device. For crisis use, carry two YubiKeys: one primary and one backup registered with the same services. Store the backup in a separate, secure location (a safe deposit box, a trusted contact's home, or a second hidden location on your person).
YubiKeys range from $25 for the basic Security Key to $75 for the YubiKey 5 series with NFC. Purchasing two (primary + backup) costs $50-150 depending on the model. Yubico's online store accepts credit cards and PayPal. For anonymous purchase, buy from a retail store (Best Buy carries the YubiKey 5 NFC and Security Key series) with cash.
You can also purchase YubiKeys from Amazon using a gift card bought with cash, though Amazon delivery requires an address. For maximum anonymity, buy in-store with cash and no loyalty card. Once purchased, the YubiKey has no ongoing cost — there is no subscription, no firmware update fee, and no account required. The device works indefinitely with no recurring payments.
Purchase two YubiKeys of the same model — a primary and a backup. The YubiKey 5 NFC (USB-A + NFC, ~$50) or YubiKey 5C NFC (USB-C + NFC, ~$55) are recommended for maximum compatibility with both computers and phones. If your primary computer has only USB-C and your phone uses Lightning (older iPhone), the YubiKey 5Ci provides both connectors. Buy with cash at a retail store for maximum anonymity.
Start registering your primary YubiKey with your most critical accounts. Begin with your password manager (Bitwarden: Settings > Security > Two-step Login > FIDO2 WebAuthn). Then your email (ProtonMail: Settings > Security > Two-factor authentication > Add security key). Then any other accounts that support hardware keys. The process for each service is similar: navigate to security settings, select "Add security key" or "Register hardware key," insert or tap your YubiKey when prompted, and give it a name (e.g., "Primary Key"). Immediately repeat the process with your backup YubiKey for every service.
For TOTP codes on services that don't support FIDO2, install the Yubico Authenticator app on your desktop or phone. When a service asks you to scan a QR code for 2FA setup, use Yubico Authenticator instead of a phone-based app — it stores the secret on the YubiKey's secure element rather than on your phone. For advanced use, configure the YubiKey's OpenPGP applet for email encryption using gpg --card-edit or the YubiKey Manager app. Store your backup YubiKey in a physically separate, secure location — if you lose your primary key, your backup is your only way back into FIDO2-protected accounts. Keep a printed list of backup codes (provided by most services when setting up 2FA) in an encrypted volume or physical safe as a last-resort recovery option.