What is a YubiKey and how does it work?

As I understand it, Yubikey acts like a USB keyboard. You plug it into your computer, place the cursor in a form field, press the button on the Yubikey, and it sends out a text string of 44 characters to the computer as if you were typing those 44 characters. The computer doesn't know the difference between you typing it and the Yubikey generating it.

A website like a Wordpress site with Yubikey plugin, or the Lastpass addon in Firefox, or any other website that has a Yubikey option, has a login form with username, password, and Yubikey password. You enter your username and password, place the cursor in the Yubikey field, then press the Yubikey button, and it enters the Yubikey password into the field.

Then the form is submitted, and the Yubikey is validated in the Yubicloud. The website checks if the entered Yubikey password is valid. The Yubikey itself does not connect to the Yubicloud. It's just a device generating a string and sending it out, acting like a keyboard; it does not connect to the internet or anything else except as that keyboard.

Before all this works, you need to update your account on the website to use Yubikey. That means you need to link your key to the account. That way the Yubicloud can check the generated code and validate it against your account.

The website of course needs to implement the Yubikey functionality, which is available as a free service for website owners.

If the Yubikey gets lost, you can use the normal recovery methods the website has to recover your account and disable the Yubikey. Normally this means that you get a password recovery link via email, and that link disables the Yubikey function in your account.

I mailed Yubikey support to see if this answer is correct. They said this explanation was correct, except that it explained only one part of the way the key works.

The other answers here don't give any real explanation. Even the Linuxjournal article doesn't explain it this way. The accepted answer gives a black-box answer - not what I was looking for when I opened this page. I hope this answer gives a better explanation and writing it made me understand the Yubikey better.
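The server-side half of the flow this answer describes, as an added example (not code from the original answer or from Yubico): splitting the 44-character string into the 12-character public ID and the 16-byte ciphertext, then the checks a validation service runs on the decrypted token, including the counter comparison that makes a captured string useless a second time. It assumes the AES-128 decryption with the key's secret has already been done by a crypto library (the standard library has no AES), and the private ID and counters are constructed sample values.

```python
import struct

MODHEX = "cbdefghijklnrtuv"  # YubiKey "modhex" alphabet: same keys on most layouts
CRC_OK_RESIDUE = 0xF0B8      # value crc16() yields over a token whose CRC is intact

def modhex_decode(text):
    """Decode a modhex string (two characters per byte) into bytes."""
    if len(text) % 2 or any(c not in MODHEX for c in text):
        raise ValueError("not modhex")
    return bytes(MODHEX.index(a) * 16 + MODHEX.index(b)
                 for a, b in zip(text[0::2], text[1::2]))

def split_otp(otp):
    """44-char OTP = 12-char public ID (which key) + 32 modhex chars = 16 AES bytes."""
    if len(otp) != 44:
        raise ValueError("a Yubico OTP is 44 modhex characters")
    return otp[:12], modhex_decode(otp[12:])

def crc16(data):
    """CRC-16 (reflected poly 0x8408, init 0xffff) carried inside the token."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def build_token(private_id, session_ctr, timestamp, session_use, rnd):
    """Constructed sample of the 16-byte plaintext the key encrypts per press."""
    body = (private_id + struct.pack("<H", session_ctr)
            + timestamp.to_bytes(3, "little") + bytes([session_use])
            + struct.pack("<H", rnd))
    return body + ((~crc16(body)) & 0xFFFF).to_bytes(2, "little")

class Validator:
    """Per-key state a validation server keeps: private ID and last counters seen."""
    def __init__(self, private_id):
        self.private_id, self.last = private_id, (-1, -1)

    def check(self, plaintext):
        """Return (ok, reason) for a decrypted token; advance counters only on ok."""
        if len(plaintext) != 16 or crc16(plaintext) != CRC_OK_RESIDUE:
            return False, "bad crc"              # corrupt, or decrypted with wrong key
        if plaintext[:6] != self.private_id:
            return False, "private id mismatch"  # token not from the linked key
        ctr = struct.unpack_from("<H", plaintext, 6)[0] & 0x7FFF  # drop flag bit
        seen = (ctr, plaintext[11])              # (session counter, use within session)
        if seen <= self.last:
            return False, "replayed or stale"    # counters must only move forward
        self.last = seen
        return True, "ok"
```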


I have one, and I'd recommend them! I actually got it for free from the Yubico guys, when I was attending BSidesLondon.

Think of it as an RSA secure-key, except much smaller, cheaper and without a battery. You get (essentially) the same security, though YubiKeys have a significantly larger keyspace than the RSA ones. They're also incredibly sturdy, and can be fully immersed in water without damage.

Here's mine:

[image: YubiKey]

I know this sounds like an advert, but they really are great. Compared to carrying around a bunch of those secure-keys, they're almost unnoticeable on a keyring.

As for how they work, they validate against a cloud service that Yubico run, and provide two-factor authentication. All the server software is open-source, and they're happy for you to run your own authentication servers. It's entirely transparent.

Have a dig around on their website, there's plenty of technical info and descriptions on there.


The YubiKey comes in different variants, for example the YubiKey 4 and the YubiKey U2F. All YubiKeys are hardware tokens and are connected to a USB port. Most feature an inductive button and one model also has NFC (the YubiKey Neo). The variants differ regarding form factor and the number of supported features.

The YubiKey 4 provides several functions:

  • OTP generation
  • OATH compatible OTP generation (i.e. HOTP and TOTP)
  • emulate a chipcard reader with inserted OpenPGP chipcard (up to 4K bit RSA or 256 bit ECC private key size)
  • act as PIV device (up to 2K bit RSA or 256 bit ECC private key size)
  • act as U2F device
  • replay a static password

For some of its features it presents itself as a USB HID device.

There are alternative solutions available that provide the same features as, or a subset of, the multi-feature YubiKey 4. For example, classic hardware chipcard readers (perhaps even featuring a keypad) in combination with an OpenPGP compatible chipcard.

The YubiKey U2F is only a U2F device, i.e. a device that is able to generate an origin-specific public/private key pair and returns a key handle and a public key to the caller. Like other inexpensive U2F devices, the private keys are not stored; instead they are symmetrically encrypted (with an internal key) and returned as the key handle. Using the key handle, the U2F device is then able to sign a challenge, thus creating a response as part of a multi-factor authentication.

Since U2F is an open standard (that is also pushed by corporations like Google), there are several alternative inexpensive U2F hardware tokens available (search for 'FIDO U2F key').