Setup Yubico Authenticator Mobile on iOS

Note

This article covers basic YubiKey / Security Key use on iOS and iPadOS. For information such as can I log into my service on iOS/iPadOS, consult the Works with YubiKey Catalog or reach out to the service directly for more information. Yubico does not maintain setup documentation for third party products or services.

Depending on the iOS/iPadOS hardware as well as the YubiKey or Security Key model, there are three methods for using a YubiKey with iOS/iPadOS:

• The YubiKey 5Ci can connect directly to an iOS/iPadOS device via a Lightning connector.
• The YubiKey 5 NFC, YubiKey NEO, and Security Key NFC can be used over NFC on NFC-enabled iPhones.(1)
• Any YubiKey model can be plugged either directly into an iOS/iPadOS device or using a compatible adapter to take advantage of both the OTP functionality, as well as WebAuthn.(1)

Note

Yubico Authenticator does not support this option.(2)

NOTES:

1. iOS/iPadOS 13.3 and Safari are required to leverage native support for WebAuthn.

2. iOS/iPadOS is only able to communicate with the YubiKey’s OATH application (required for Yubico Authenticator functionality) via NFC and Lightning.

   • Since the one-time passwords generated by Yubico Authenticator are time-based, and the YubiKey does not have the ability to track time (due to its lack of a battery), proper functionality requires iOS/iPadOS being able to both write to and read from the YubiKey (it sends the YubiKey the current time and receives the one-time password).
   • Read/write is possible over NFC due to Apple’s recent expansion, and via Lightning due to the YubiKey 5Ci’s MFi certification, but not using other connection methods, namely USB-C, which has replaced the Lightning connector on third-generation and later iPad Pros. At this time, there is no way to use Yubico Authenticator on these iPads, as they do not support NFC.

3. For developers, the Yubico Mobile iOS SDK (software development kit) can be integrated into your apps to enable the YubiKey 5Ci and NFC-enabled YubiKeys to interact with iOS apps beyond the basic functionality covered in this document (e.g. OpenPGP, PIV, Challenge-Response, etc.).

4. Important: Depending on the service you’re attempting to use, as well as the model and method of connecting your YubiKey to iOS/iPadOS, your desired use case may not be supported.

   • The Works With YubiKey Catalog is intended to list all known YubiKey integrations, including what devices the integration is supported on.
   • Instructions for how to add and use the YubiKey with the service is also linked from every integration in the Works With YubiKey Catalog. Please consult this list to determine if your use case is supported on iOS/iPadOS.
   • If you discover that a service supports the YubiKey but isn’t located in the catalog, reach out either by opening a support case (via https://yubi.co/support).

5. For information about iOS using protocols other than OATH, see Getting Started with iOS.

Using your YubiKey 5Ci on iOS/iPadOS

Yubico Authenticator for iOS can be used to store TOTP and HOTP accounts, as well as to generate codes to authenticate to services that support “authenticator apps.” Basic account adding and code generation is covered below.

Note

Once an HOTP/TOTP account is stored on the YubiKey, it can be accessed on any version of Yubico Authenticator where the YubiKey is plugged in. For example, you can store an account using Yubico Authenticator for iOS and then access the accounts code on an Android phone using Yubico Authenticator for Android, or on a Windows/MacOS/Linux desktop or laptop running Yubico Authenticator for Desktop.

Since the secret is stored on the YubiKey, generating a code requires both the YubiKey and the Yubico Authenticator. Since the secret cannot be extracted once it is added to a YubiKey, it is important to consider account recovery and backups before you add an account to the YubiKey. Backups cannot be made after the Authenticator app setup for any given service is completed without going through the setup process again.

Adding accounts on iOS/iPadOS

To add accounts to your YubiKey using Yubico Authenticator for iOS, complete the steps:

Step 1: Download and install Yubico Authenticator for iOS, available in the App Store for any iPhone/iPad with a Lightning port.

iPads with USB-C ports are not supported.

Step 2: Open Yubico Authenticator for iOS.

Step 3: Plug in a YubiKey 5Ci.

Step 4: On another device:

1. Set up the service you are trying to secure with the Authenticator app.
2. Continue until the service provides a QR code.

If you need assistance with the Authenticator app setup process for a service, please refer to the service’s setup instructions.

Step 5: In Yubico Authenticator for iOS, tap the + button at the top right.

Step 6: Tap Scan QR code. If a pop-up appears requesting permission to access the camera, tap Allow.

Step 7: Point the iPhone/iPad’s camera at the QR code on the other device until the QR code is read.

The iPhone/iPad should vibrate and a New Account screen should appear.

Step 8: Tap Save.

At this point, if you wish to store the same account on a second YubiKey in your possession, simply repeat steps 3-7 for each YubiKey.

Alternatively, if you wish to add this account to another YubiKey but don’t have one currently, you can save a copy of the QR code (or secret key) in a safe place to scan and add later.

Step 9: Use the current code displayed in Yubico Authenticator for iOS for this account to complete setup of the account on the other device.

Generating codes on iOS/iPadOS

To generate codes for accounts stored on your YubiKey using Yubico Authenticator for iOS, follow the process below:

Step 1: Open Yubico Authenticator for iOS.

Step 2: Plug in a YubiKey 5Ci.

All current TOTP codes should be displayed.

If an account you added uses HOTP, or if you set the TOTP account to require touch, you will first have to display the current code:

1. Tap the credential.
2. Tap the gold YubiKey contact, if prompted.

Using your YubiKey 5 NFC, YubiKey NEO

Yubico Authenticator for iOS can be used to store TOTP and HOTP accounts, as well as to generate codes to authenticate to services that support “authenticator apps.” Basic account adding and code generation is covered below.

Note

Once an HOTP/TOTP account is stored on the YubiKey, it can be accessed on any version of Yubico Authenticator where the YubiKey is plugged in. For example, you can store an account using Yubico Authenticator for iOS and then access the accounts code on an Android phone using Yubico Authenticator for Android, or on a Windows/MacOS/Linux desktop or laptop running Yubico Authenticator for Desktop.

Since the secret is stored on the YubiKey, generating a code requires both the YubiKey and the Yubico Authenticator. Since the secret cannot be extracted once it is added to a YubiKey, it is important to consider account recovery and backups before you add an account to the YubiKey. Backups cannot be made after athe Authenticator app setup for any given service is completed without going through the setup process again.

Adding accounts on YubiKey 5 NFC, YubiKey NEO

To add accounts to your YubiKey using Yubico Authenticator for iOS, follow the process below

Step 1: Download and install Yubico Authenticator for iOS, available in the App Store for any iPhone/iPad with a Lightning port

iPads with USB-C ports are not supported.

Step 2: Open Yubico Authenticator for iOS.

Step 3: On another device:

1. Set up the service you are trying to secure with the Authenticator app.
2. Continue until the service provides a QR code.

If you need assistance with the Authenticator app setup process for a service, please refer to the service’s setup instructions.

Step 4: In Yubico Authenticator for iOS, tap the + button at the top right.

Step 5: Tap Scan QR code. If a pop-up appears requesting permission to access the camera, tap Allow.

Step 6: Point the iPhone/iPad’s camera at the QR code on the other device until the QR code is read.

The iPhone/iPad should vibrate and a New Account screen should appear.

Step 7: Tap Save.

A Ready to Scan pop-up should appear.

Step 8: Tap and hold your NFC-capable YubiKey to your phone’s NFC antenna (typically at the top-rear of the phone).

A checkmark will appear if the account is securely added to the YubiKey.

At this point, if you wish to store the same account on a second YubiKey in your possession, simply repeat steps 4-8 for each YubiKey.

Alternatively, if you wish to add this account to another YubiKey but don’t have one currently, you can save a copy of the QR code (or secret key) in a safe place to scan and add later.

Step 9: Use the current code displayed in Yubico Authenticator for iOS for this account to complete setup of the account on the other device.

With an NFC capable YubiKey, only one set of codes will be generated each time you tap the YubiKey to your phone.

If the service doesn’t accepted the current code, try swiping down from the top of the Yubico Authenticator application which will prompt you to rescan your YubiKey (and provide a new code).

Generating codes on YubiKey 5 NFC, YubiKey NEO

To generate codes for accounts stored on your YubiKey using Yubico Authenticator for iOS, follow the process below:

Step 1: Open Yubico Authenticator for iOS.

Step 2: Pull down from below the Quick Find search box (as if you are trying to “refresh”).

This initiates the prompt to scan an NFC-capable YubiKey. All current TOTP codes should be displayed.

If an account you added uses HOTP, or if you set the TOTP account to require touch, you will first have to display the current code:

1. Tap the credential.
2. Scan your YubiKey again to generate the code.

---

To file a support ticket with Yubico, click Support.