Introduction to Yubico Authenticator App

This document describes using Yubico Authenticator with the YubiKey 5 Series, the YubiKey Bio - FIDO Edition, the YubiKey 5 FIPS Series, and the Security Key Series.

Yubico Authenticator is a software-based authenticator by Yubico for authenticating users of software applications.

Yubico Authenticator differs from other authenticators in an important way: all the secrets (the shared keys used to generate the One-Time Passwords (OTPs) that authenticate you to your accounts) are stored on your YubiKey and not in the app. In most other authenticators the secrets are stored on your phone or computer, which can be compromised or stolen. Yubico Authenticator stores the credentials in the secure element of the YubiKey, from which they cannot be extracted.

That means that if you lose your phone, change your phone, or lose access to the Yubico Authenticator app, you will not be locked out of your accounts. All you need to do is download the app on a desktop or mobile device, plug in or scan your key, and you can access all the codes on it.

The Yubico Authenticator adds a layer of security to your online accounts by generating 2-step verification codes on your mobile or desktop device. It uses the OATH-TOTP protocol to do this. OATH (Initiative for Open Authentication) is an industry-wide collaboration that has specified two open authentication standards: the Time-based One-time Password algorithm (TOTP, see RFC 6238) and the HMAC-based One-time Password algorithm (HOTP, see RFC 4226).

To authenticate, the user enters a 6-8 digit code that changes with the Yubico Authenticator counter. The code is generated as HMAC(sharedSecret, counter or timestamp), truncated to 6-8 decimal digits. For HOTP, the counter is different with each login. For TOTP, the timestamp changes every 30 seconds.

The shared secret is often provisioned as a QR code or preprogrammed into a hardware security key. The advantage of HOTP (HMAC-based One-time Password) is that its passcodes require no clock; the Yubico Authenticator counter is encrypted and remains in sync with your YubiKey. The advantage of TOTP is that its passcodes are only valid for a specific amount of time.

Since the YubiKey does not contain a battery it cannot track time, so it requires software to supply the time and display the OATH codes. Yubico provides Yubico Authenticator for all major platforms (Windows, macOS, Linux, Android, and iOS) to display the OTPs generated on the YubiKey.
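The computation the paragraphs above describe, as an added example that is not Yubico's code: RFC 4226 HOTP and RFC 6238 TOTP, plus the time-window check a verifying service performs, which is what makes a TOTP code valid only for a limited time. The YubiKey computes the HMAC on the card with the stored secret; the app supplies the counter or current time and shows the digits.

```python
import hashlib
import hmac
import struct
import time

# Added example, not Yubico's code: the OATH computation described above.
# The YubiKey performs the HMAC on the card with the stored secret; the app
# supplies the counter or current time and displays the result.

def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: truncate(HMAC(sharedSecret, counter)) to 6-8 decimal digits."""
    msg = struct.pack(">Q", counter)              # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now=None, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from the clock (30 s steps)."""
    if now is None:
        now = time.time()
    return hotp(secret, int(now) // step, digits, algo)

def verify_totp(secret: bytes, code: str, now=None, window: int = 1,
                step: int = 30, digits: int = 6, algo=hashlib.sha1) -> bool:
    """Server-side check: accept the current step plus `window` steps either
    side to absorb clock drift, comparing in constant time. Outside that
    window a captured code is useless, which is the TOTP advantage above."""
    if now is None:
        now = time.time()
    counter = int(now) // step
    ok = False
    for delta in range(-window, window + 1):
        if counter + delta < 0:                   # no negative counters
            continue
        candidate = hotp(secret, counter + delta, digits, algo)
        ok |= hmac.compare_digest(candidate, code)
    return ok

if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test-vector secret (constructed sample, SHA-1 only).
    secret = b"12345678901234567890"
    print(hotp(secret, 0), totp(secret, 59, digits=8))   # 755224 94287082
```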

Yubico Authenticator for Desktop

Use the Yubico Authenticator for Desktop on your Windows, Mac, or Linux computers to generate OATH credentials on your YubiKeys. In addition, the Yubico Authenticator for Desktop implements FIDO application management on YubiKeys, supporting the creation and management of FIDO2 PINs, management of existing discoverable credentials, resetting the FIDO application on the YubiKey, and, on the YubiKey Bio, managing fingerprint templates.

Yubico Authenticator for Mobile

Use the Yubico Authenticator for Android and iOS, including secure tap-and-go authentication for NFC-enabled mobile devices.

Managing Keys

Use Yubico Authenticator to manage keys in the YubiKey 5 Series, the YubiKey Bio Series, and the Security Key Series. Management features include:

  • Add, delete, and manage up to 5 fingerprints.
  • Reset your YubiKey to factory defaults.
  • Manage the YubiKey PIN.
  • Troubleshoot common issues.

Workflow Overview

Yubico Authenticator supports iOS and Android for mobile, with a separate app for the three Desktop platforms. All platforms display similar instructions when you pull up Yubico Authenticator:

  • Get a shared secret from any service you wish to secure, store it on the YubiKey and use it to generate your security codes. You will need a YubiKey 5Ci or a compatible YubiKey with NFC to get started.
    • If you have a YubiKey 5Ci, plug it in. Touch the contacts on the sides when prompted. A green LED flashes on the right side of the key.
    • If you have a YubiKey with NFC, pull down the main view to activate NFC. Hold the key horizontally and tilt the iPhone towards the key. Touch the center of the key to the edge of the phone.
  • QR codes are available from the services you wish to secure. Simply scan the QR code when you add your YubiKey and generate your own security codes.
  • You can mark your credential as ‘Favorite’ and it will appear at the top of the list. Simply swipe all the way or swipe and tap the Add to Favorites button.
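The QR code scanned in the workflow above carries the shared secret and its OATH parameters. As an added example (not Yubico's code), the parser below assumes the QR code encodes an otpauth:// Key URI, the format services publish and authenticator apps scan, and extracts the values the app writes to the YubiKey; the URIs in the test are constructed samples.

```python
import base64
from urllib.parse import parse_qs, unquote, urlparse

# Added example, not Yubico's code. Assumption: the QR code a service shows
# encodes an otpauth:// Key URI (the format authenticator apps scan); this
# parser extracts the parameters the app stores on the YubiKey.

def parse_otpauth(uri: str) -> dict:
    """Return type, issuer, account, raw secret and OATH parameters of a URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth://totp or otpauth://hotp URI")
    label = unquote(u.path.lstrip("/"))
    label_issuer, _, account = label.rpartition(":")   # "Issuer:account"
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("URI has no secret parameter")
    # The secret is RFC 4648 base32; many generators omit the '=' padding.
    b32 = q["secret"].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)
    try:
        secret = base64.b32decode(b32)
    except Exception as exc:
        raise ValueError("secret is not valid base32") from exc
    digits = int(q.get("digits", "6"))
    if digits not in (6, 7, 8):
        raise ValueError("digits must be 6, 7 or 8")
    cred = {
        "type": u.netloc,
        "issuer": q.get("issuer") or label_issuer or None,
        "account": account.strip(),
        "secret": secret,
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": digits,
    }
    if u.netloc == "totp":
        cred["period"] = int(q.get("period", "30"))   # 30 s is the default
    elif "counter" in q:
        cred["counter"] = int(q["counter"])           # HOTP starting counter
    else:
        raise ValueError("hotp URI needs a counter parameter")
    return cred
```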

How it works

For maximum security we always recommend protecting your user accounts with the YubiKey. However, where an authenticator app is preferred, the Yubico Authenticator app allows you to store your credentials on a YubiKey and not on your mobile phone, so that your secrets cannot be compromised. Yubico Authenticator requires a YubiKey 5 Series to generate OTP codes.

Use Yubico Authenticator to generate the 6-8 digit one-time code (also called passcode or password) that you need to enter (in addition to username and password) when you log on to sites that support Yubico Authenticator. By implementing two-step verification services, Yubico Authenticator enables you to safeguard access to your services and applications, protecting them from unauthorized access. Example sites where you can use codes to authenticate include Amazon, Dropbox (unless you are using U2F), Evernote, Facebook, and many others.

Yubico Authenticator generates OATH (Initiative for Open Authentication) codes of both kinds: Time-based One-time Password (TOTP) and event-based HMAC-based One-time Password (HOTP).

Hardware-backed Security

Add your credential to the YubiKey with a touch or an NFC-enabled tap. Hardware-backed strong two-factor authentication raises the bar for security while delivering the convenience of an authenticator app. Users can also experience greater convenience by unlocking their YubiKey with Face ID or Touch ID.

Easy and fast setup

Generate your unique credential using the QR codes available from the services you wish to protect with 2FA. It secures all the services currently compatible with other authenticator apps. For example, Azure MFA supports TOTP authentication to secure Office 365.

Secure multiple work and personal accounts

Start protecting all of your accounts with stronger two-factor authentication. Easily generate new security codes that change periodically to add protection beyond passwords. And your secrets are never shared between services.

The YubiKey Advantage

Stronger hardware-backed security

Storing your credentials on a hardware key is safer than storing them on a mobile phone. Your credential stays safe in the secure element of the YubiKey and cannot be extracted.

Portable credentials across devices

Your credentials work seamlessly across multiple devices. With a portable hardware root of trust you do not lose your credentials when your phone is compromised or upgraded.

Cross-platform coverage

The Yubico Authenticator app works across Windows, macOS, Linux, iOS and Android. Get the same set of codes across all Yubico Authenticator apps for desktops as well as for all leading mobile platforms.

Self-service reduces IT costs

Users switch phones often. With other authenticator apps, when a user has a new phone or OS upgrade, IT often needs to help reset the enrollment flow and support calls rack up costs. The Yubico Authenticator app allows for user self-service to enroll multiple secrets across various services, making this a secure and efficient solution at scale.