What is a YubiKey and how does it work?

What is a YubiKey and how does it work?


Many apps I use require two-factor authentication (an extra step in the login process to confirm you are who you say you are). Once upon a time, this meant I had to pull out my phone, open an authenticator app, and manually enter a unique code. And if I fumbled the code—which, let’s be honest, was often—I’d have to repeat the process. 

At Zapier, though, we use a YubiKey to do this. It’s way more convenient. And much to the delight of our security team, it’s more secure than other two-factor authentication devices. Here’s why, and how you can set up your YubiKey, too.  

Table of contents:

What is a YubiKey? 

The YubiKey is a device that makes two-factor authentication (2FA) as simple as possible. Many apps, online services, and computers enforce 2FA every time a user wants to connect. Instead of a code being texted to you or generated by an authenticator app, you press a button on your YubiKey, and you’re logged in. That’s it. 

We could get into the math and break down the various protocols supported by devices like this, but all you probably need to know is that each device has a unique code built into it, which is used to generate codes that help confirm your identity.

YubiKey isn’t the only hardware 2FA device on the market—just the most popular. There are a number of similar devices out there, and most of the information outlined in this article applies to them.

What is two-factor authentication?

We’ve written extensively about two-factor authentication, but it’s necessary to go over the basics before we can explain why hardware 2FA devices are a good idea.

Passwords are terrible. Most are too easy for hackers to guess, and the rest are too long or complicated for humans to remember. Even secure passwords are useless once they’ve been leaked, and leaks are basically inevitable. For these reasons and more, it’s a good idea not to rely entirely on passwords. That’s the entire idea behind two-factor authentication. 

With two-factor authentication, you need two things to sign in: your password, yes, but also something else that proves you are who you say you are. You’re probably familiar with two ways of doing 2FA:

  • SMS or email codes. Apps send you a code, which you need to enter before you can log in. This is the easiest method to set up because you don’t need to install any software or purchase any hardware. It’s also the least secure because email and SMS are both unencrypted and easily compromised.

  • Authentication apps. Apps you want to log in to will ask you for a code that you can retrieve by opening an app on your phone, like Google Authenticator or Authy. This is far more secure than relying on SMS or email, but it’s not exactly convenient—you need to grab your phone, open an app, and then manually enter a code.

The YubiKey represents a third way of doing 2FA: hardware authentication. Apps ask you to plug a tool like a YubiKey into your device and press a button. The YubiKey then sends a unique code that the service can use to confirm your identity. 

There’s a lot more nuance than this, of course. But for the most part, you just need to know that hardware 2FA is more secure and easier to use.

Why is a YubiKey better than other 2FA devices?

We’ve gone over this a little, but let’s talk about why a YubiKey (and similar devices) is better than other forms of 2FA. To name a few:

  • Convenience. SMS, email, and authentication apps all require that you manually enter or copy and paste a code. With the YubiKey, you just press a button on a device attached to your computer to populate the code. 

  • Much longer codes. Other 2FA methods typically only send you a six-digit code to confirm your identity, mostly because it would be unreasonable to expect humans to type much more than that. YubiKeys don’t require you to manually enter a code, so they’re free to use much longer codes. That’s more secure.

  • Easy to migrate. Did you get a new computer? Just unplug your YubiKey from the old one and plug it into the new one. You’ll still be able to log in to all of your apps, the same as before. You can also use one key to log in to your account on multiple computers.

  • Really hard to hack. It’s relatively easy for hackers to compromise your email or SMS. It’s a lot harder—close to impossible with current technology—to fake the codes generated by a unique hardware device.

Again, there’s a lot more nuance here, but these are the broad advantages of the YubiKey over other forms of 2FA.

How to set up your YubiKey

Setting up your YubiKey isn’t that different from setting up a 2FA app. If you’re using a YubiKey (not another hardware authenticator), here’s what you need to do:

  1. Plug in your YubiKey.

  2. Go to Yubico.com/setup and click your device.

  3. In the Compatible accounts and services section, browse the list of supported apps and services, and select the ones you want to secure with your device.

  4. Your selection will appear in a list next to the available apps. 

  5. Click the play icon next to your selected app, and follow the video setup instructions. Or click the diagonal arrow in a box to access the text version.  

Yubico website with a list of apps and services to secure with a YubiKey.

The setup will vary based on the app and device, but I’ll set up Google on my computer as an example. 

  1. Click the text instructions link. 

  2. The instructions for adding your YubiKey to your Google account will appear.  

  3. Click Enroll your security key

  4. Insert your YubiKey in your computer’s USB port, and touch it or press the button on it.

    Popup from Google to insert a security key and touch it.
  5. Give your browser permission to access your YubiKey, if needed. 

    Prompt from Google to give it access to your YubiKey.
  6. Optionally, you can give your YubiKey a name, which is useful if you have security keys.

    Confirmation from Google that the YubiKey is registered.

That’s it. Now you can use your YubiKey to log in to your Google account on any device. Repeat this process for every account you want to lock down in this way.

What is a YubiKey: FAQs

Still have questions about how to use your YubiKey? Check out the answers to these frequently asked questions. 

How do I stop accidentally triggering my YubiKey?

I own the YubiKey 5C Nano, which is a tiny USB-C dongle that I leave plugged into my laptop. It’s not so much a button as it is a thin strip of metal that triggers when touched—which, for me, is every time I pick up my laptop. 

When you touch the YubiKey, it thinks you’re trying to log in to something, which results in a secure code populating in whatever text box you have open, and then the enter key being “pressed.” The result, on Slack, looks like this:

An example of what happens if you press your YubiKey in Slack: a long series of random letters in a Slack message.

These codes are generated by OTP, which is one of the protocols that your YubiKey uses to connect to servers. You could stop this from happening altogether by turning off OTP, but that might break your ability to log in to some services. 

I think, for most users, it’s better to configure OTP to not trigger unless you hold the button for three seconds. YubiKey offers instructions for fixing this, but they’re kind of hard to follow, so here’s a summary.

  1. Download YubiKey manager on your computer. 

  2. Install it. 

  3. Open the program. 

  4. Click Applications, and then select OTP.

    YubiKey manager app with the OTP application selected.
  5. By default, the Short Touch in Slot 1 is configured; the Long Touch in Slot 2 is empty. Click Swap to change this.

    How to configure the short and long touch slots in the YubiKey manager app.

Now you’ve bought yourself 2.9 seconds to freely touch your YubiKey without it accidentally sputtering nonsense in your team chat app

Note: If you already configured Slot 2 for another purpose, the setup gets slightly more complicated. Here are the instructions from Yubico

Is accidentally triggering my YubiKey in a chat room really bad?

If you accidentally paste your YubiKey code into something like Slack or a text editor, that’s not a reason to immediately panic—it’s not completely obvious who it belongs to or what it can be used to log in to. And, if you posted it in Slack, hopefully your coworkers aren’t trying to hack you.

Having said that, there’s always a chance a leaked 2FA code could enable a particularly creative hacker, so try not to make a habit out of this.

You’re also not helpless if it happens. Every YubiKey code is unique and becomes invalid every time you use the device to log in to something. If you’re worried, though, you can manually invalidate codes. Just paste your leaked code on this website

Can I use one YubiKey with multiple devices?

Yes! You can use your YubiKey to log in on as many devices as you want, so long as there’s a slot for it. Just plug your YubiKey into any computer and log in the way you normally would. 

What if I lose my YubiKey?

It’s not great. Without your YubiKey, you probably won’t be able to log in. But there are a few things you can do to reduce the risk.

  • Use backup codes. Most services that support 2FA (including YubiKey) allow you to create backup codes. Make sure you do this, and that you keep the codes somewhere secure—ideally offline. Consider printing them and putting them in a lockbox, if you can.

  • Add a backup security key. You can buy a second YubiKey as a fallback, add it as an option for all your services, and then store it somewhere safe (a different lockbox than the one your backup codes are in, maybe?). Or you could add some other kind of app-based 2FA to any service you set up with your YubiKey.

If you don’t have backup codes or another 2FA method and have already lost your YubiKey, you’re not necessarily out of luck. Most services that offer 2FA have some kind of verification process for logging in after losing your credentials, but be warned: it’s going to take a while, and it’s going to be a lot of trouble. It’s far better to be prepared, so make sure you have backup codes somewhere secure or a second 2FA method set up.

Be sure to remove your lost YubiKey as a 2FA method after you regain access to your account. Odds are, whoever finds your YubiKey won’t know which accounts it provides access to, but better safe than sorry.

To clarify: your Yubikey doesn’t store identifiable usernames and does not store any of your passwords. Anyone who finds your YubiKey would have absolutely no way of knowing which accounts it can log in to. This changes a little if the person who “finds” it knows it’s yours—say because they stole it from your house or office. But anyone who finds a YubiKey on the street or in an airport won’t be able to figure out whose key it is.

Automate your digital security

No one is below the notice of hackers and other cybersecurity bad actors. Everyone, including small business owners, are at risk for digital security issues. Taking proactive steps can improve your digital security’s effectiveness against all threats. Learn more about how you can improve your digital security with automation.

Related reading: 

This article was originally published in July 2020 by Justin Pot. The most recent update was in November 2023.

Leave a Reply

Your email address will not be published. Required fields are marked *