YubiKey

Last updated
Yubico Inc.
Company typePublic
Industry Hardware
Founded2007
Headquarters Santa Clara, California, United States
Key people
Stina Ehrensvärd (Chief Evangelist and founder)
Jakob Ehrensvärd (CTO)
Mattias Danielsson (CEO)
Website yubico.com/products OOjs UI icon edit-ltr-progressive.svg
First YubiKey USB token of the FIDO standard in 2014 U2F.USB-Token.jpg
First YubiKey USB token of the FIDO standard in 2014

The YubiKey is a hardware authentication device manufactured by Yubico to protect access to computers, networks, and online services that supports one-time passwords (OTP), public-key cryptography, authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols [1] developed by the FIDO Alliance. It allows users to securely log into their accounts by emitting one-time passwords or using a FIDO-based public/private key pair generated by the device. YubiKey also allows storing static passwords for use at sites that do not support one-time passwords. [2] Google, Amazon, Microsoft, Twitter, and Facebook use YubiKey devices to secure employee accounts as well as end-user accounts. [3] [4] [5] Some password managers support YubiKey. [6] [7] Yubico also manufactures the Security Key, a similar lower-cost device with only FIDO2/WebAuthn and FIDO/U2F support. [8] [9] [10]

Contents

The YubiKey implements the HMAC-based one-time password algorithm (HOTP) and the time-based one-time password algorithm (TOTP), and identifies itself as a keyboard that delivers the one-time password over the USB HID protocol. A YubiKey can also present itself as an OpenPGP card using 1024, 2048, 3072 and 4096-bit RSA (for key sizes over 2048 bits, GnuPG version 2.0 or higher is required) and elliptic curve cryptography (ECC) p256, p384 and more, depending on version, [11] allowing users to sign, encrypt and decrypt messages without exposing the private keys to the outside world. Also supported is the PKCS#11 standard to emulate a PIV smart card. This feature allows code signing of Docker images as well as certificate-based authentication for Microsoft Active Directory and SSH. [12] [13] [14] [15]

Founded in 2007 by former CEO now Chief Evangelist Stina Ehrensvärd, Yubico is a Public company with offices in Santa Clara, CA, Bellevue, WA, and Stockholm, Sweden. [16] Yubico CTO, Jakob Ehrensvärd, is the lead author of the original strong authentication specification that became known as Universal 2nd Factor (U2F). [17]

YubiKey released the YubiKey 5 series in 2018, which adds support for FIDO2. [18]

History

Yubico was founded in 2007 and began offering a Pilot Box for developers in November of that year. [19] The original YubiKey product was shown at the annual RSA Conference in April 2008, [20] [21] and a more robust YubiKey II model was launched in 2009. [22] Yubico's explanation of the name "YubiKey" is that it derives from the phrase "your ubiquitous key", and that "yubi" is the Japanese word for finger. [23]

YubiKey II and later models have two "slots" available, for storing two distinct configurations with separate AES secrets and other settings. When authenticating the first slot is used by only briefly pressing the button on the device, while the second slot gets used when holding the button for 2 to 5 seconds.

In 2010, Yubico began offering the YubiKey OATH and YubiKey RFID models. The YubiKey OATH added the ability to generate 6- and 8-character one-time passwords using protocols from the Initiative for Open Authentication (OATH), in addition to the 32-character passwords used by Yubico's own OTP authentication scheme. The YubiKey RFID model included the OATH capability plus also included a MIFARE Classic 1k radio-frequency identification chip, [24] though that was a separate device within the package that could not be configured with the normal Yubico software over a USB connection. [25]

Yubico announced the YubiKey Nano in February 2012, a miniaturized version of the standard YubiKey which was designed so it would fit almost entirely inside a USB port and only expose a small touch pad for the button. [26] Most later models of the YubiKey have also been available in both standard and "nano" sizes.

2012 also saw the introduction of the YubiKey Neo, which improved upon the previous YubiKey RFID product by implementing near-field communication (NFC) technology and integrating it with the USB side of the device. [27] The YubiKey Neo (and Neo-n, a "nano" version of the device) are able to transmit one-time passwords to NFC readers as part of a configurable URL contained in a NFC Data Exchange Format (NDEF) message. The Neo is also able to communicate using the CCID smart-card protocol in addition to USB HID (human interface device) keyboard emulation. The CCID mode is used for PIV smart card and OpenPGP support, while USB HID is used for the one-time password authentication schemes. [28]

In 2014, the YubiKey Neo was updated with FIDO Universal 2nd Factor (U2F) support. [29] Later that year, Yubico released the FIDO U2F Security Key, which specifically included U2F support but none of the other one-time password, static password, smart card, or NFC features of previous YubiKeys. [8] At launch, it was correspondingly sold at a lower price point of just $18, compared to $25 for the YubiKey Standard ($40 for the Nano version), and $50 for the YubiKey Neo ($60 for Neo-n). [30] Some of the pre-release devices issued by Google during FIDO/U2F development reported themselves as "Yubico WinUSB Gnubby (gnubby1)". [31]

In April 2015, the company launched the YubiKey Edge in both standard and nano form factors. This slotted in between the Neo and FIDO U2F products feature-wise, as it was designed to handle OTP and U2F authentication, but did not include smart card or NFC support. [32]

The YubiKey 4 family of devices was first launched in November 2015, with USB-A models in both standard and nano sizes. The YubiKey 4 includes most features of the YubiKey Neo, including increasing the allowed OpenPGP key size to 4096 bits (vs. the previous 2048), but dropped the NFC capability of the Neo.

At CES 2017, Yubico announced an expansion of the YubiKey 4 series to support a new USB-C design. The YubiKey 4C was released on February 13, 2017. [33] On Android OS over the USB-C connection, only the one-time password feature is supported by the Android OS and YubiKey, with other features not currently supported including Universal 2nd Factor (U2F). [34] A 4C Nano version became available in September 2017. [35]

In April 2018, the company brought out the Security Key by Yubico, their first device to implement the new FIDO2 authentication protocols, WebAuthn (which reached W3C Candidate Recommendation status in March [36] ) and Client to Authenticator Protocol (CTAP). At launch, the device is only available in the "standard" form factor with a USB-A connector. Like the previous FIDO U2F Security Key, it is blue in color and uses a key icon on its button. It is distinguished by a number "2" etched into the plastic between the button and the keyring hole. It is also less expensive than the YubiKey Neo and YubiKey 4 models, costing $20 per unit at launch because it lacks the OTP and smart card features of those previous devices, though it retains FIDO U2F capability. [9]

Product features

A list of the primary features and capabilities of the YubiKey products. [37]

ModelYears soldSecure
static
passwords
OTP standardsSmartcardsFIDO standardsHSM FIPS
140-2

variant
Interface
OATH
OTP
Yubico
OTP
OATH: HOTP
(event)
OATH: TOTP
(time)
PIVOpenPGP U2F FIDO2 NFC USB-AUSB-C Lightning
YubiKey VIP2011–2017YesYes
YubiKey Nano2012–2016YesYesYesYes
YubiKey NEO2012–2018YesYesYesYesYesYesYesYesYes
FIDO U2F Security Key2013–2018YesYes
YubiKey Plus2014⁠–⁠2015YesYesYes
YubiKey NEO-n2014–2016YesYesYesYesYesYesYesYes
YubiKey Standard2014–2016YesYesYesYes
YubiKey Edge-n2015–2016YesYesYesYesYesYesYes
YubiKey 4 Nano2016–2017YesYesYesYesYesYesYes
YubiHSM 12015–2017YesYes
YubiKey 42015–2018YesYesYesYesYesYesYesYes
YubiKey 4 Nano2015–2018YesYesYesYesYesYesYesYes
YubiKey 4C Nano2017–2018YesYesYesYesYesYesYesYes
YubiKey 4C2017–2018YesYesYesYesYesYesYesYes
YubiHSM 22017–YesAvailableYes
Security Key by Yubico2018–2020YesYesYes
Security Key NFC by Yubico2019–YesYesYesYes
YubiKey 5C Nano2018–YesYesYesYesYesYesYesYesAvailableYes
YubiKey 5C2018–YesYesYesYesYesYesYesYesAvailableYes
YubiKey 5 Nano2018–YesYesYesYesYesYesYesYesAvailableYes
YubiKey 5 NFC2018–YesYesYesYesYesYesYesYesAvailableYesYes
YubiKey 5Ci2019–YesYesYesYesYesYesYesYesAvailableYesYes
YubiKey 5C NFC2020–YesYesYesYesYesYesYesYesAvailableYesYes

ModHex

When being used for one-time passwords and stored static passwords, the YubiKey emits characters using a modified hexadecimal alphabet which is intended to be as independent of system keyboard settings as possible. This alphabet is referred to as ModHex and consists of the characters "cbdefghijklnrtuv", corresponding to the hexadecimal digits "0123456789abcdef". [38]

Since YubiKeys use raw keyboard scan codes in USB HID mode, there can be problems when using the devices on computers that are set up with different keyboard layouts, such as Dvorak. ModHex was created to avoid conflicts between different keyboard layouts. It only uses characters that are located in the same place on most Latin alphabet keyboards, but is still 16 characters, allowing it to be used in place of hexadecimal. [39] Alternatively, this issue can be addressed by using operating system features to temporarily switch to a standard US keyboard layout (or similar) when using one-time passwords. However, YubiKey Neo and later devices can be configured with alternate scan codes to match layouts that aren't compatible with the ModHex character set. [40]

This problem only applies to YubiKey products in HID mode, where it must emulate keyboard input. U2F authentication in YubiKey products bypasses this problem by using the alternate U2FHID protocol, which sends and receives raw binary messages instead of keyboard scan codes. [41] CCID mode acts as a smart card reader, which does not use HID protocols at all.

Security issues

YubiKey 4 closed-sourcing concerns

Most of the code that runs on a YubiKey is closed source. While Yubico has released some code for industry standard functionality like PGP and HOTP it was disclosed that as of the 4th generation of the product this is not the same code that the new units ship with. [42] [43] Because new units are permanently firmware locked at the factory it is not possible to compile the open source code and load it on the device manually, a user must trust that the code on a new key is authentic and secure.

Code for other functionality such as U2F, PIV and Modhex is entirely closed source.

On May 16, 2016, Yubico CTO Jakob Ehrensvärd responded to the open-source community's concerns with a blog post saying that "we, as a product company, have taken a clear stand against implementations based on off-the-shelf components and further believe that something like a commercial-grade AVR or ARM controller is unfit to be used in a security product." [44]

Techdirt founder Mike Masnick strongly criticized this decision, saying "Encryption is tricky. There are almost always vulnerabilities and bugs -- a point we've been making a lot lately. But the best way to fix those tends to be getting as many knowledgeable eyes on the code as possible. And that's not possible when it's closed source." [45]

ROCA vulnerability in certain YubiKey 4, 4C, and 4 Nano devices

In October 2017, security researchers found a vulnerability (known as ROCA) in the implementation of RSA keypair generation in a cryptographic library used by a large number of Infineon security chips, as used in a wide range of security keys and security token products (including YubiKey). The vulnerability allows an attacker to reconstruct the private key by using the public key. [46] [47] All YubiKey 4, YubiKey 4C, and YubiKey 4 Nano devices within the revisions 4.2.6 to 4.3.4 were affected by this vulnerability. [48] Yubico remedied this issue in all shipping YubiKey 4 devices by switching to a different key generation function and offered free replacements for any affected keys until March 31, 2019. In some cases, the issue can be bypassed by generating new keys outside of the YubiKey and importing them onto the device. [49]

OTP password protection on YubiKey NEO

In January 2018, Yubico disclosed a moderate vulnerability where password protection for the OTP functionality on the YubiKey NEO could be bypassed under certain conditions. The issue was corrected as of firmware version 3.5.0, and Yubico offered free replacement keys to any user claiming to be affected until April 1, 2019. [50]

Reduced initial randomness on certain FIPS series devices

In June 2019, Yubico released a security advisory reporting reduced randomness in FIPS-certified devices with firmware version 4.4.2 and 4.4.4 (there is no version 4.4.3), shortly after power-up. [51] Security keys with reduced randomness may leave keys more easily discovered and compromised than expected. The issue affected the FIPS series only, and then only certain scenarios, although FIPS ECDSA usage was "at higher risk". The company offered free replacements for any affected keys.

Infineon ECDSA Private Key Recovery

In September 2024, security researchers from NinjaLab discovered a cryptographic flaw in Infineon chips that would allow a person to clone a Yubikey if an attacker gained physical access to it. The security vulnerability permanently affects all Yubikeys prior to firmware update 5.7. Yubico rated the issue as "moderate" citing the need for an attacker to have physical access to the key, expensive equipment, and advanced cryptographic and technical knowledge. [52] [53] [54]

Social activism

In 2018, Yubico gave away free YubiKeys with laser engraved logos to new WIRED and ArsTechnica subscribers. [55]

Yubico provided 500 YubiKeys to protesters during the 2019–2020 Hong Kong protests. The company states the decision was based on their mission to protect vulnerable Internet users and work with free speech supporters. [56] [57]

See also

Related Research Articles

An authenticator is a means used to confirm a user's identity, that is, to perform digital authentication. A person authenticates to a computer system or application by demonstrating that he or she has possession and control of an authenticator. In the simplest case, the authenticator is a common password.

RSA SecurID, formerly referred to as SecurID, is a mechanism developed by RSA for performing two-factor authentication for a user to a network resource.

<span class="mw-page-title-main">One-time password</span> Password that can only be used once

A one-time password (OTP), also known as a one-time PIN, one-time passcode, one-time authorization code (OTAC) or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid several shortcomings that are associated with traditional (static) password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to something a person has as well as something a person knows.

<span class="mw-page-title-main">Security token</span> Device used to gain access to restricted resource

A security token is a peripheral device used to gain access to an electronically restricted resource. The token is used in addition to, or in place of, a password. Examples of security tokens include wireless key cards used to open locked doors, a banking token used as a digital authenticator for signing in to online banking, or signing transactions such as wire transfers.

Extensible Authentication Protocol (EAP) is an authentication framework frequently used in network and internet connections. It is defined in RFC 3748, which made RFC 2284 obsolete, and is updated by RFC 5247. EAP is an authentication framework for providing the transport and usage of material and parameters generated by EAP methods. There are many methods defined by RFCs, and a number of vendor-specific methods and new proposals exist. EAP is not a wire protocol; instead it only defines the information from the interface and the formats. Each protocol that uses EAP defines a way to encapsulate by the user EAP messages within that protocol's messages.

<span class="mw-page-title-main">Forward secrecy</span> Practice in cryptography

In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a feature of specific key-agreement protocols that gives assurances that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised, limiting damage. For HTTPS, the long-term secret is typically the private key of the server. Forward secrecy protects past sessions against future compromises of keys or passwords. By generating a unique session key for every session a user initiates, the compromise of a single session key will not affect any data other than that exchanged in the specific session protected by that particular key. This by itself is not sufficient for forward secrecy which additionally requires that a long-term secret compromise does not affect the security of past session keys.

<span class="mw-page-title-main">OpenPGP card</span> Type of cryptographic smart card

In cryptography, the OpenPGP card is an ISO/IEC 7816-4, -8 compatible smart card that is integrated with many OpenPGP functions. Using this smart card, various cryptographic tasks can be performed. It allows secure storage of secret key material; all versions of the protocol state, "Private keys and passwords cannot be read from the card with any command or function." However, new key pairs may be loaded onto the card at any time, overwriting the existing ones.

<span class="mw-page-title-main">Multi-factor authentication</span> Method of computer access control

Multi-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. MFA protects personal data—which may include personal identification or financial assets—from being accessed by an unauthorized third party that may have been able to discover, for example, a single password.

multiOTP Authentication system

multiOTP is an open source PHP class, a command line tool, and a web interface that can be used to provide an operating-system-independent, strong authentication system. multiOTP is OATH-certified since version 4.1.0 and is developed under the LGPL license. Starting with version 4.3.2.5, multiOTP open source is also available as a virtual appliance—as a standard OVA file, a customized OVA file with open-vm-tools, and also as a virtual machine downloadable file that can run on Microsoft's Hyper-V, a common native hypervisor in Windows computers.

<span class="mw-page-title-main">FIDO Alliance</span> Industry consortium working on authentication mechanisms

The FIDOAlliance is an open industry association launched in February 2013 whose stated mission is to develop and promote authentication standards that "help reduce the world’s over-reliance on passwords". FIDO addresses the lack of interoperability among devices that use strong authentication and reduces the problems users face creating and remembering multiple usernames and passwords.

Universal 2nd Factor (U2F) is an open standard that strengthens and simplifies two-factor authentication (2FA) using specialized Universal Serial Bus (USB) or near-field communication (NFC) devices based on similar security technology found in smart cards. It is succeeded by the FIDO2 Project, which includes the W3C Web Authentication (WebAuthn) standard and the FIDO Alliance's Client to Authenticator Protocol 2 (CTAP2).

Stina Ehrensvärd is a Swedish-American entrepreneur, innovator and industrial designer. She is the founder and Chief Evangelist of Yubico and co-inventor of the YubiKey authentication device.

Nitrokey is an open-source USB key used to enable the secure encryption and signing of data. The secret keys are always stored inside the Nitrokey which protects against malware and attackers. A user-chosen PIN and a tamper-proof smart card protect the Nitrokey in case of loss and theft. The hardware and software of Nitrokey are open-source. The free software and open hardware enables independent parties to verify the security of the device. Nitrokey is supported on Microsoft Windows, macOS, Linux, and BSD.

privacyIDEA

privacyIDEA is a two factor authentication system which is multi-tenency- and multi-instance-capable. It is open source, written in Python and hosted at GitHub. privacyIDEA is a LinOTP's fork from 2014.

Biometric tokenization is the process of substituting a stored biometric template with a non-sensitive equivalent, called a token, that lacks extrinsic or exploitable meaning or value. The process combines the biometrics with public-key cryptography to enable the use of a stored biometric template for secure or strong authentication to applications or other systems without presenting the template in its original, replicable form.

Web Authentication (WebAuthn) is a web standard published by the World Wide Web Consortium (W3C). WebAuthn is a core component of the FIDO2 Project under the guidance of the FIDO Alliance. The goal of the project is to standardize an interface for authenticating users to web-based applications and services using public-key cryptography. WebAuthn credentials that are available across multiple devices are commonly referred to as passkeys.

The Client to Authenticator Protocol (CTAP) or X.1278 enables a roaming, user-controlled cryptographic authenticator to interoperate with a client platform such as a laptop.

<span class="mw-page-title-main">Titan Security Key</span> Security token by Google

The Titan Security Key is a FIDO-compliant security token developed by Google which contains the Titan M cryptoprocessor which is also developed by Google. It was first released on October 15, 2019.

The following is a general comparison of OTP applications that are used to generate one-time passwords for two-factor authentication (2FA) systems using the time-based one-time password (TOTP) or the HMAC-based one-time password (HOTP) algorithms.

<span class="mw-page-title-main">OnlyKey</span> Hardware security token

OnlyKey is a multi-function hardware security key combining features of a password manager, two-factor authentication (2FA) token, file encryption token, and secure storage device. The device incorporates hardware storage for password and username combinations, while also acting as a portable password manager.

References

  1. "Specifications Overview". FIDO Alliance. Retrieved 4 December 2015.
  2. "What Is A Yubikey". Yubico. Retrieved 7 November 2014.
  3. McMillan (3 October 2013). "Facebook Pushes Passwords One Step Closer to Death". Wired. Retrieved 7 November 2014.
  4. Diallo, Amadou (30 November 2013). "Google Wants To Make Your Passwords Obsolete". Forbes. Retrieved 15 November 2014.
  5. Blackman, Andrew (15 September 2013). "Say Goodbye to the Password". The Wall Street Journal. Archived from the original on 3 January 2014. Retrieved 15 November 2014.
  6. "YubiKey Authentication". LastPass. Retrieved 15 November 2014.
  7. "KeePass & YubiKey". KeePass. Retrieved 15 November 2014.
  8. 1 2 "Yubico Releases FIDO U2F Security Key". Yubico (Press release). 2014-10-21. Retrieved 2018-05-05.
  9. 1 2 "Yubico Launches New Developer Program and Security Key for FIDO2 and WebAuthn W3C Specifications" (Press release). 2018-04-10. Retrieved 2018-05-06.
  10. Lemos, Robert (2014-10-22). "Google Offers USB Security Key to Make Bad Passwords Moot". Ars Technica . Archived from the original on 2018-10-18.
  11. "YubiKey 5.2 Enhancements to OpenPGP 3.4 Support – Yubico".
  12. "Launching The 4th Generation YubiKey". Yubico. Retrieved 20 November 2015.
  13. "With a Touch, Yubico, Docker Revolutionize Code Signing". Yubico. Retrieved 20 November 2015.
  14. "Setting up Windows Server for YubiKey PIV Authentication". Yubico. Retrieved 2021-06-06.
  15. "SSH user certificates". developers.yubico.com. Retrieved 2021-06-06.
  16. "The Team". Yubico. Retrieved 12 September 2015.
  17. "History of FIDO". FIDO Alliance. Retrieved 16 March 2017.
  18. "Yubico launches new YubiKey 5 Series 2FA keys, supports passwordless FIDO2 and NFC". Android Police. 2018-09-24. Retrieved 2019-10-07.
  19. "Yubico launches YubiKey Pilot Box". Yubico. 2007-11-26. Archived from the original on 2008-02-21. Retrieved 2018-05-06.
  20. Steve Gibson (April 2008). "Security Now! Notes for Episode #141". Security Now!. Gibson Research Corporation. Retrieved 2018-05-05.
  21. Leo Laporte and Steve Gibson (2008-04-24). "Episode #141 - RSA Conference 2008". Security Now!. Gibson Research Corporation. Retrieved 2018-05-05.
  22. Mike (2009-08-27). "Yubikey II – got it". Read My Damn Blog. Retrieved 2018-05-05.
  23. "Company Information". Yubico. Retrieved 2020-11-30.
  24. "RFID YubiKey". Yubico Store. Archived from the original on 2011-08-29. Retrieved 2018-05-05.
  25. "RFID YubiKey". IDivine Technology. Retrieved 2018-05-05.
  26. "Yubico Launches YubiKey Nano, The World's Smallest One-Time Password Token" (Press release). Yubico. 2012-02-28. Retrieved 2018-05-05.
  27. Clark, Sarah (2012-02-22). "Yubico introduces one-time password token that secures access to the contents of NFC phones". NFC World. Retrieved 2018-05-05.
  28. Maples, David (2012-12-26). "YubiKey NEO Composite Device". Yubico. Retrieved 2018-05-05.
  29. "Yubico Introduces Industry's First FIDO Ready™ Universal 2nd Factor Device". Yubico (Press release). 2014-01-06. Retrieved 2018-05-05.
  30. "YubiKey Hardware". Yubico. Archived from the original on 2014-11-07.
  31. "pamu2fcfg doesn't support test devices". GitHub .
  32. "Yubico Launches YubiKey Edge at RSA 2015; OTP and U2F Two-Factor Authentication in One Key". Yubico (Press release). Retrieved 2018-05-05.
  33. "NEW YubiKey 4C featuring USB-C revealed at CES 2017 | Yubico". Yubico. 2017-01-05. Retrieved 2017-09-14.
  34. "Can the YubiKey 4C be plugged directly into Android phones or tablets with USB-C ports? | Yubico". Yubico. Archived from the original on 2017-09-14. Retrieved 2017-09-14.
  35. "Our Family is Growing! YubiKey 4C Nano Unveiled at Microsoft Ignite". Yubico. 2017-09-25. Retrieved 2018-05-05.
  36. Jones, Michael (2018-03-20). "Candidate Recommendation (CR) for Web Authentication Specification". W3C Web Authentication Working Group. Retrieved 2018-05-06.
  37. "What YubiKey Do You Have" . Retrieved 2021-02-11.
  38. E, Jakob (12 June 2008). "Modhex - why and what is it?". Yubico. Archived from the original on 16 November 2017. Retrieved 6 November 2016.
  39. "Modified hexadecimal encoding (ModHex)". docs.yubico.com. Retrieved 2023-09-01.
  40. Toh, Alvin (2013-07-24). "Expanding YubiKey Keyboard Support". Yubico. Retrieved 2018-05-05.
  41. "FIDO U2F HID Protocol Specification". FIDO Alliance. 2017-04-11. Retrieved 2018-05-06.
  42. "A comparison of cryptographic keycards". LWN.net. Retrieved 21 September 2020.
  43. "Bad News: Two-Factor Authentication Pioneer YubiKey Drops Open Source PGP For Proprietary Version". techdirt. Retrieved 21 September 2020.
  44. "Secure Hardware vs. Open Source". Yubico.com. Retrieved 18 September 2022.
  45. Masnick, Mike (16 May 2016). "Bad News: Two-Factor Authentication Pioneer YubiKey Drops Open Source PGP For Proprietary Version". Techdirt. Retrieved 27 March 2020.
  46. "ROCA: Vulnerable RSA generation (CVE-2017-15361) [CRoCS wiki]". crocs.fi.muni.cz. Retrieved 2017-10-19.
  47. "NVD - CVE-2017-15361". nvd.nist.gov. Retrieved 2017-10-19.
  48. "Infineon RSA Key Generation Issue - Customer Portal". Yubico.com. Retrieved 11 June 2019.
  49. "Yubico Mitigation Recommendations". Yubico.com. Retrieved 11 June 2019.
  50. "Security Advisory YSA-2018-01 – Security Issue with Password Protection in Oath Applet on Yubikey NEO" (Press release). Yubico. 2018-01-16. Archived from the original on 2020-10-01.
  51. "Security Advisory YSA-2019-02 – Reduced Initial Randomness on FIPS Keys" (Press release). Yubico. 2019-06-13. Archived from the original on 2019-06-14.
  52. Roche, Thomas. (2024-09-03) "EUCLEAK: Side Channel Attack on the YubiKey 5 Series." (PDF) White Paper. Montpellier, France: NinjaLab. Archived from the original on 2024-09-03.
  53. "Security Advisory YSA-2024-03 Infineon ECDSA Private Key Recovery" (Press release). Yubico. 2024-09-03. Archived from the original on 2024-09-03.
  54. Goodin, Dan (2024-09-03). "Hackers Can Clone Yubikeys by Exploiting Side Channel that Leaks Their Private Key". Ars Technica . Archived from the original on 2024-09-03.
  55. Manning, Ronnie (2018-02-01). "WIRED and Ars Technica Experts Choose YubiKey 4 for New Subscribers". Yubico. Retrieved 2023-09-01.
  56. "Swedish tech firm Yubico hands Hong Kong protesters free security keys amid fears over police tactics online". South China Morning Post. 2019-10-10. Retrieved 2019-10-18.
  57. "Yubico 贊助香港抗爭者世上最強網上保安鎖匙 Yubikey | 立場新聞". 立場新聞 Stand News (in Chinese). Retrieved 2019-10-18.