Understanding the Applications¶
The YubiKey 5 Series provides applications for a wide variety of authentication options: OTP, U2F, FIDO2, Smart Card, OATH, and OpenPGP. The applications are all separate from each other, with separate storage for keys and credentials.
For information on managing these applications, see Managing Applications.
The OTP application provides two programmable slots, each of which can hold one of the types of credentials listed below. A Yubico OTP credential is programmed to slot 1 during manufacturing.
- Trigger the YubiKey to produce the credential in the first slot by briefly touching the metal contact of the YubiKey.
- If a credential has been programmed to the second slot, trigger the YubiKey to produce it by touching the contact for 3 seconds.
Output is sent as a series of keystrokes from a virtual keyboard.
Yubico OTP is a strong authentication mechanism that is supported by all series 5 YubiKeys. Yubico OTP can be used as the second factor in a two-factor authentication (2FA) scheme or on its own, providing single-factor authentication.
The OTP generated by the YubiKey has two parts: the first 12 characters are the public identity, which a validation server can link to a user, and the remaining 32 characters are the unique passcode, which changes each time an OTP is generated.
The character representation of the Yubico OTP is designed to handle a variety of keyboard layouts. It is crucial that the same code is generated whether a YubiKey is inserted into a German computer with a QWERTZ layout, a French one with an AZERTY layout, or a US one with a QWERTY layout. “Modhex”, or Modified Hexadecimal coding, was invented by Yubico to use only specific characters, ensuring that the YubiKey works with the maximum number of keyboard layouts. (USB keyboards send their keystrokes by means of “scan codes” rather than the actual character. The translation to keystrokes is done by the device to which the YubiKey is connected.)
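The following added example (not part of the original documentation or Yubico's code) splits an OTP into the 12-character public identity and 32-character passcode described above and decodes the Modhex characters to bytes. The function names and the sample OTP are constructed for illustration; the passcode stays opaque here because checking it requires the validation server's key.

```python
import re

# Modhex alphabet: the position of a character is its hex nibble (c=0 ... v=f).
MODHEX = "cbdefghijklnrtuv"
_OTP_RE = re.compile(r"^[cbdefghijklnrtuv]{44}$")


def modhex_decode(text: str) -> bytes:
    """Translate a modhex string to raw bytes (two characters per byte)."""
    if len(text) % 2:
        raise ValueError("modhex string must have an even length")
    try:
        nibbles = [MODHEX.index(ch) for ch in text]
    except ValueError:
        raise ValueError("character outside the modhex alphabet") from None
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))


def modhex_encode(data: bytes) -> str:
    """Inverse of modhex_decode, used here only to build the sample."""
    return "".join(MODHEX[b >> 4] + MODHEX[b & 0x0F] for b in data)


def split_otp(otp: str) -> dict:
    """Split a 44-character Yubico OTP into public identity and passcode."""
    otp = otp.strip().lower()  # tolerate a trailing newline and Caps Lock
    if not _OTP_RE.match(otp):
        raise ValueError("not a 44-character modhex OTP")
    public_id, passcode = otp[:12], otp[12:]
    return {
        "public_id": public_id,                        # lookup key for the user
        "public_id_bytes": modhex_decode(public_id),   # 6 bytes
        "passcode_bytes": modhex_decode(passcode),     # 16 bytes, opaque here
    }


# Constructed sample, not output from a real YubiKey.
SAMPLE_OTP = "cccccchhdjkl" + modhex_encode(bytes(range(16)))
```

Rejecting input that is not exactly 44 Modhex characters before any lookup keeps malformed or truncated keystroke output away from the validation path.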
A static password can be programmed to the YubiKey so that it will type the password for you when you touch the metal contact.
For managing multiple passwords, see the password managers that the YubiKey can secure with two-factor authentication (2FA).
This type of credential is most often used for offline authentication, as it does not require contacting a server for validation.
An HMAC-SHA1 Challenge-Response credential enables software to send a challenge to the YubiKey and verify that an expected, predetermined response is returned. This credential can also be set to require a touch on the metal contact before the response is sent to the requesting software. This type of credential must be activated by the software sending the challenge; it cannot be activated by touching the metal contact on the YubiKey.
Developers: as the Challenge-Response function requires two-way communication with the YubiKey, using this feature on iOS requires the Yubico iOS SDK.
When an OATH-HOTP credential is programmed, the OTP is generated using the standard RFC 4226 HOTP algorithm and the YubiKey will automatically type the OTP. Optionally, the OTP can be prefixed by a public identity, conforming to the openauthentication.org Token Identifier Specification.
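As an added example (not from the original documentation), this is how a validating server can compute the RFC 4226 HOTP value and check a submitted OTP against a small look-ahead window while refusing replays. The function names, the window size of 3 and the use of the RFC 4226 test secret are assumptions made for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_hotp(secret: bytes, submitted: str, next_counter: int,
                window: int = 3, digits: int = 6):
    """Return the new server counter if the OTP matches, otherwise None.

    The search covers next_counter .. next_counter + window, so OTPs that
    were generated but never submitted do not desynchronise the token.
    Counters below next_counter are never tried, so a used OTP is rejected.
    """
    for candidate in range(next_counter, next_counter + window + 1):
        expected = hotp(secret, candidate, digits).encode()
        if hmac.compare_digest(expected, submitted.encode()):
            return candidate + 1  # persist this before granting access
    return None


# Test secret published in RFC 4226 Appendix D, not a real credential.
RFC4226_SECRET = b"12345678901234567890"
```

The caller must store the returned counter atomically with the login decision; otherwise the same OTP can be accepted twice under concurrent requests.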
FIDO U2F is an open standard that provides strong, phishing-resistant two-factor authentication for web services using public key cryptography. U2F does not require any special drivers or configuration to use, just a compatible web browser. The U2F application on the YubiKey can be associated with an unlimited number of U2F sites.
The FIDO2 standard offers the same high level of security as FIDO U2F, as it is also based on public key cryptography. In addition to providing phishing-resistant two-factor authentication, the FIDO2 application on the YubiKey allows for the storage of resident credentials. As the resident credentials can accommodate the username and other data, this enables truly passwordless authentication. YubiKeys in the 5 Series can hold up to 25 resident keys.
Locking FIDO2 Credentials¶
The resident credentials can be left unlocked and used for strong single-factor authentication, or they can be protected by a PIN for two-factor authentication.
- The FIDO2 PIN must be between 4 and 128 characters in length.
- Once a FIDO2 PIN is set, it can be changed but it cannot be removed without resetting the FIDO2 application.
- If the PIN is entered incorrectly 8 times in a row, the FIDO2 application will be locked, and FIDO2 authentication will not be possible. In order to restore this functionality, the FIDO2 application must be reset.
Resetting the FIDO2 application will also reset the U2F key. No site you have registered the YubiKey with using U2F will work until the YubiKey is re-registered with that site.
The YubiKey 5Ci supports Credential Management to allow for selective deletion of resident keys. See the guide to the Enhancements to FIDO 2 Support for details.
PIN: None set.
The YubiKey 5 Series only supports the AppID extension (
Smart Card (PIV Compatible)¶
The YubiKey 5 Series provides a PIV-compatible smart card application. PIV, or FIPS 201, is a US government standard. It enables RSA or ECC sign/encrypt operations using a private key stored on a smart card through common interfaces like PKCS#11. On Windows, the smart card functionality can be extended with the YubiKey Smart Card Minidriver. The YubiKey Smart Card Minidriver is not available for Android, Linux, macOS or iOS.
YubiKeys in the 5 Series support extended APDUs, extended Answer To Reset (ATR), and Answer To Select (ATS). Using the PIV APDUs on iOS requires the Yubico iOS SDK.
- PIN: 123456
- PUK: 12345678
- Management Key (3DES):
The YubiKey 5 Series supports the following algorithms on the PIV smart card application.
- RSA 1024
- RSA 2048
- ECC P-256
- ECC P-384
To specify how often the PIN needs to be entered for access to the credential in a given slot, set a PIN policy for that slot. This policy must be set upon key generation or import; it cannot be changed later.
In addition to requiring the PIN, the YubiKey can require a physical touch on the metal contact. Similar to the PIN policy, the touch policy must be set upon key generation or import.
The keys and certificates for the smart card application are stored in slots, which are described below. The PIN policies described below are the defaults, before they are overridden with a custom PIN policy. These slots are separate from the programmable slots in the OTP application.
Slot 9a: PIV Authentication¶
This certificate and its associated private key are used to authenticate the card and the cardholder. This slot is used for system login, etc. To perform any private key operations, the end user PIN is required. Once the correct PIN has been provided, multiple private key operations may be performed without additional cardholder consent.
Slot 9c: Digital Signature¶
This certificate and its associated private key are used for digital signatures for the purpose of document, email, file, and executable signing. To perform any private key operations, the end user PIN is required. The PIN must be submitted immediately before each sign operation to ensure cardholder participation for every digital signature generated.
Slot 9d: Key Management¶
This certificate and its associated private key are used for encryption to assure confidentiality. This slot is used for encrypting emails or files. The end user PIN is required to perform any private key operations. Once the correct PIN has been provided, multiple private key operations may be performed without additional cardholder consent.
Slot 9e: Card Authentication¶
This certificate and its associated private key are used to support additional physical access applications, such as providing physical access to buildings via PIV-enabled door locks. The end user PIN is NOT required to perform private key operations for this slot.
Slots 82-95: Retired Key Management¶
These slots are meant for previously used Key Management keys to be able to decrypt earlier encrypted documents or emails.
Slot f9: Attestation¶
This slot is only used for attestation of other keys generated on device with instruction f9. This slot is not cleared on reset, but can be overwritten.
Attestation enables you to verify that a key on the smart card application was generated on the YubiKey and was not imported. An X.509 certificate for the key to be attested is created if the key has been generated on the YubiKey. Included in the certificate are the following extensions that provide information about the YubiKey.
1.3.6.1.4.1.41482.3.3: Firmware version, encoded as three bytes. For example, 050100 indicates firmware version 5.1.0.
1.3.6.1.4.1.41482.3.7: Serial number of the YubiKey, encoded as an integer.
1.3.6.1.4.1.41482.3.8: Two bytes, the first encoding the PIN policy and the second encoding the touch policy.
- PIN policy:
  - 01 - never require PIN
  - 02 - require PIN once per session
  - 03 - always require PIN.
- Touch policy:
  - 01 - never require touch
  - 02 - always require touch
  - 03 - cache touch for 15 seconds.
1.3.6.1.4.1.41482.3.9: YubiKey’s form factor, encoded as a one-byte octet-string.
- USB-A Keychain: 0x01
- USB-A Nano: 0x02
- USB-C Keychain: 0x03
- USB-C Nano: 0x04
- USB-C and Lightning®: 0x05
- Undefined: 0x00
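The added example below (not Yubico's code) decodes the four attestation extensions listed above and applies an enrollment check to the result. It assumes the certificate chain has already been validated, that an X.509 library has extracted each extension value as raw bytes keyed by dotted OID under the 1.3.6.1.4.1.41482.3 arc, and that the serial number is a DER INTEGER; the function names, the baseline rule and the sample values are constructed for illustration.

```python
# Attestation extension arc: Yubico's enterprise number under 1.3.6.1.4.1.
ARC = "1.3.6.1.4.1.41482.3."
PIN_POLICY = {1: "never", 2: "once per session", 3: "always"}
TOUCH_POLICY = {1: "never", 2: "always", 3: "cached 15 seconds"}
FORM_FACTOR = {0: "Undefined", 1: "USB-A Keychain", 2: "USB-A Nano",
               3: "USB-C Keychain", 4: "USB-C Nano", 5: "USB-C and Lightning"}


def _der_integer(value: bytes) -> int:
    """Decode a short-form DER INTEGER (assumed encoding of the serial)."""
    if len(value) < 3 or value[0] != 0x02 or value[1] != len(value) - 2:
        raise ValueError("serial is not a short-form DER INTEGER")
    return int.from_bytes(value[2:], "big")


def decode_attestation(exts: dict) -> dict:
    """exts maps dotted OID -> raw extension value bytes from the certificate."""
    fw, policy = exts[ARC + "3"], exts[ARC + "8"]
    if len(fw) != 3 or len(policy) != 2:
        raise ValueError("unexpected firmware or policy length")
    info = {
        "firmware": ".".join(str(b) for b in fw),
        "serial": _der_integer(exts[ARC + "7"]),
        "pin_policy": PIN_POLICY.get(policy[0], "unknown"),
        "touch_policy": TOUCH_POLICY.get(policy[1], "unknown"),
    }
    form = exts.get(ARC + "9")  # may be absent; the last byte carries the code
    if form:
        info["form_factor"] = FORM_FACTOR.get(form[-1], "unknown")
    return info


def policy_violations(info: dict) -> list:
    """Hypothetical enrollment baseline: PIN and touch must both be enforced."""
    problems = []
    if info["pin_policy"] in ("never", "unknown"):
        problems.append("PIN policy: " + info["pin_policy"])
    if info["touch_policy"] in ("never", "unknown"):
        problems.append("touch policy: " + info["touch_policy"])
    return problems


# Constructed sample values, not taken from a real certificate.
SAMPLE = {
    ARC + "3": bytes.fromhex("050100"),
    ARC + "7": bytes.fromhex("020400bc614e"),
    ARC + "8": bytes.fromhex("0301"),
    ARC + "9": bytes.fromhex("03"),
}
```

Because the PIN and touch policies are fixed at key generation or import, a key that fails this check has to be regenerated rather than reconfigured.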
Answer to Reset (ATR) and Answer to Select (ATS)¶
The ATR has been changed from “Yubikey 4” to “YubiKey” and adds support for ATS.
The OATH application can store up to 32 OATH credentials, either OATH-TOTP (time based) or OATH-HOTP (counter based). These credentials are separate from those stored in the OTP application, and can only be accessed via the CCID channel. In order to manage these credentials and read the OTPs generated by the YubiKey, the Yubico Authenticator is needed. The Yubico Authenticator is supported on Windows, Linux, macOS, Android and iOS.
In order to restrict access to the OTPs, a password can be set for this application.
Developers: using the OATH application functions on iOS requires the Yubico iOS SDK.
The OpenPGP application provides an OpenPGP-compatible smart card in compliance with version 2.0 of the specification. This can be used with compatible PGP software such as GnuPG (GPG) and can store one PGP key each for authentication, signing, and encryption. Similar to the PIV / Smart Card touch policy, the OpenPGP application can also be set to require the metal contact be touched to authorize an operation.
Developers: using the OpenPGP functions on iOS requires the Yubico iOS SDK.
The YubiKey 5Ci supports the new OpenPGP Smart Card specification version 3.4. For details on the new features, including key attestation, expanded encryption algorithms and additional cardholder certificates, refer to Enhancements to OpenPGP Support.
- PIN: 123456
- Admin PIN: 12345678
- RSA 1024
- RSA 2048
- RSA 3072
- RSA 4096
RSA 3072 and RSA 4096 require GnuPG version 2.0 or higher.