Introduction

This collection of guides is intended to help service providers, organizations and individuals make good decisions about supporting, requiring, and using the protocols that the YubiKey supports. It includes frequently asked questions, best practices, and reference architectures.

Audiences

This guidance is broken down into three main sections, each intended for a different audience:

  • Service Providers
  • Organizations
  • Individuals

What these audiences require differs mainly in which parts of the authentication design and authenticator selection processes they control. Service providers typically only control the design of the service or relying party, but they may be able to encourage use of a specific authenticator (for example, by providing free authenticators to customers). They usually lack the authority to require a specific authenticator or even a specific authentication method. Organizations, on the other hand, typically control all aspects of authentication, from authenticator selection to relying party or service configuration. Finally, individuals typically only control the authenticator they use personally and which services they use it with.

There are some exceptions to these situations in the form of laws or regulations covering certain industries or types of services, but those exceptions tend to make the decision-making process easier by removing some of the choice.

Not all guidance applies to every audience, but some of it (such as the Passkey Frequently Asked Questions) applies to all three.

Passkeys

Before the introduction of synced passkeys, the choices for modern phishing-resistant authentication were limited to two options: use a FIDO2 hardware security key or a platform authenticator (such as Windows Hello for Business or Touch ID on the Mac). Nowadays, there is a much broader spectrum of authenticator choice, and with it, a more challenging set of decisions to make.

Updates

This is a living document. The computer security landscape is constantly evolving. Changes in regulations, security needs, threat actor behavior, and the technology itself all have the potential to change how the YubiKey and the protocols it supports are best used. This document will be updated periodically and represents the current consensus within Yubico. Specific recommendations may change from time to time. Consider bookmarking this documentation and returning to it periodically to ensure you’re still following the most up-to-date guidance.