What Is YubiKey and How Do You Set it Up?

It’s widely understood that a simple username-password combination doesn’t provide the level of security that many organizations and regulatory standards require. In 2022, 81% of confirmed data breaches were due to weak, reused, or stolen passwords¹. Thus, two-factor or multi-factor authentication is now the standard for security across various apps, online accounts, devices, and even some physical premises.

Not all multi-factor authentication (MFA) methods offer enhanced security without adding friction to the user experience. Even common MFA methods, like using an authenticator app, can slow down the login process and may require users to have access to a separate device. 

However, using a physical token, like YubiKey, gives users a secure and reliable authentication factor that is quick and convenient to use. Below, we’ll cover what a YubiKey is, how it works, and some best practices for enhancing MFA security with this physical token.

A YubiKey is a hardware token used to help verify users in multi-factor authentication. It’s similar in size and appearance to a USB flash drive with a button on the side. YubiKeys are long-lasting and reliable, as they do not require a battery or internet connection to function. 

Today, there are a range of YubiKey models compatible with USB-A, USB-C, and Lightning ports, as well as NFC on supported devices. 

How does a YubiKey work? Each key is assigned a unique code that is used to verify your identity during authentication. You can simply insert the key into the port on your device, press the button on the hardware, and you should be granted access if you are an authorized user of the account or device. With an NFC-enabled device, you can tap the YubiKey against the phone to complete authentication. 

YubiKey supports multiple security protocols, including:

• FIDO2/WebAuthn
• FIDO U2F
• One-time password (OTP)
• OpenPGP 3
• Smart card authentication

YubiKey offers significant security advantages and can enhance standard authentication methods. They do not store or generate any data and aren’t connected to a network or software program, so hackers cannot remotely compromise or steal the unique code stored in the key.

Aside from better security, a YubiKey is convenient to use, making it easy to implement throughout an organization. It doesn’t require account holders to remember another password or use an authenticator app on a separate device. This can be beneficial in environments where users have limited access to their phones or other devices, like military settings, hospitals, or financial institutions.

As long as the user possesses the key upon authentication, they can access their accounts with the press of a button. The key does not store personally identifiable information, so even if it gets misplaced or stolen, the user’s data is not at risk of being exposed.

When it comes to multi-factor authentication (MFA), not all methods offer the same level of security, usability, or reliability. Organizations often face a tradeoff between protecting sensitive data and minimizing user frustration. Understanding how YubiKey compares to other commonly used MFA options—such as SMS codes, authenticator apps, and biometric verification—can help you determine the best fit for your organization’s security strategy.

YubiKey vs. SMS-Based Two-Factor Authentication

SMS-based authentication is one of the most widely used MFA methods, largely because it’s easy to deploy and familiar to most users. However, it’s also among the least secure. Hackers can exploit vulnerabilities in cellular networks or use social engineering tactics to perform SIM-swapping attacks, gaining access to the verification codes sent via text. Approximately 5% of phishing attacks targeting Multi-Factor Authentication (MFA) methods, such as SMS-based 2FA, result in a successful breach. In contrast, YubiKey does not rely on a mobile carrier, phone number, or wireless connection. Because it’s a physical device, it’s immune to phishing attempts, SIM hijacking, and man-in-the-middle attacks.

YubiKey vs. Authenticator Apps

Authenticator apps like Google Authenticator or Microsoft Authenticator generate time-based one-time passwords (TOTP) on a user’s device. These apps offer stronger protection than SMS codes and are compatible with many online services. In 2021, authenticator applications were the most prevalent choice for MFA, representing 57.8% of adoption among companies⁴. However, they still require access to a mobile device, manual input of a 6-digit code, and synchronization with the correct timestamp—all of which can introduce usability issues or delays.

YubiKey simplifies this process. With the press of a button or a tap via NFC, users can instantly verify their identity without needing to open an app or enter a code. This makes YubiKey particularly helpful in environments where users may not have access to their phones or where operational speed is critical.

YubiKey vs. Email Verification

Some systems rely on email-based verification for login confirmation or password resets. While convenient, this method is highly dependent on the user’s email account security. If a hacker gains access to the user's email, they can easily bypass this second layer of authentication. YubiKey eliminates this dependency by offering offline, tamper-resistant verification that doesn't rely on potentially vulnerable external accounts.

YubiKey vs. Biometric Authentication

Biometric methods, such as fingerprint or facial recognition, offer high convenience and are increasingly built into mobile devices and laptops. However, they carry risks as well. Unlike passwords, biometric data cannot be changed if compromised. Additionally, some devices may struggle to accurately identify users in low-light or high-variation conditions (e.g., facial recognition with masks or changes in appearance).

YubiKey’s Bio Series bridges this gap by combining biometric scanning with strong cryptographic protocols like FIDO2 and U2F. It delivers the security of public-key cryptography with the ease of fingerprint-based login, without needing an online connection or cloud-based biometric storage.

YubiKey vs. Software-Based MFA Solutions

Software MFA solutions are attractive because they’re easy to deploy across large organizations, but they often come with hidden dependencies—such as needing a secondary device, frequent updates, and backend integrations. They may also be vulnerable to keylogging, phishing, or malware if not properly secured.

YubiKey, by contrast, is self-contained and doesn’t require software dependencies once configured. It doesn’t store sensitive data that can be extracted remotely, making it an ideal solution for organizations with strict compliance requirements, including finance, healthcare, defense, and government sectors.

A Physical Layer of Security That Travels with You

Perhaps the most defining difference between YubiKey and other authentication methods is its form factor. It’s a small, portable device that requires physical possession—offering a real-world layer of defense that remote attackers cannot bypass. Even if a user’s password or account credentials are stolen, the absence of the physical YubiKey renders them useless.

For users who are frequently on the move or working across multiple systems and accounts, the simplicity of plugging in a key or tapping a device can dramatically reduce authentication time and error rates.

1. YubiKey 5 Series

Of all the YubiKey models, this is the most popular. This versatile, multi-protocol security key protects against phishing attacks and account takeovers. The 5 Series has several different types, including keys with form factors like USB-A, USB-C, NFC, and Lightning for compatibility with various devices. 

It can be used as a single factor for secure passwordless authentication, combined with a password for strong two-factor authentication, or with a PIN for multi-factor authentication.

2. YubiKey 5 FIPS Series

This series is designed to meet the strict requirements of Federal Information Processing Standards (FIPS) and protect against account takeovers. The YubiKey 5 FIPS Series ensures compliance with government regulations, making it best for organizations that handle sensitive data. 

These keys support multiple protocols like FIDO2/WebAuthn, U2F, Smart Card, OpenPGP, and one-time password (OTP). They are available in six form factors for versatile use across various devices and locations.

3. YubiKey Security Key Series

The Security Key series is specifically designed to prevent account takeovers through FIDO2 and U2F protocols. Four different models are available in this series, addressing both personal and enterprise needs. Enterprise models are distributed with a serial number on the back to help organizations track usage. This key's physical design and manufacturing make it the most durable model available. 

This series is best for users who need a strong second authentication factor to enable passwordless security. It can store up to 100 different passkeys for FIDO2 passwordless authentication, and it’s widely accepted across major platforms like Google, Dropbox, Microsoft, Facebook, and more.

4. YubiHSM

The YubiHSM comes in either a FIPS or non-FIPS version and is the smallest hardware security module available. It allows enterprises to protect the storage of cryptographic keys and other sensitive data, helping highly regulated organizations such as financial institutions and government agencies meet compliance standards. 

The YubiHSM solution is tamper-proof and keeps remote attackers or malicious insiders from compromising, copying, and distributing stored keys. Its portable nano size makes it highly versatile and easy to deploy across various devices. Users can slip the YubiHSM into the USB slot of their devices, lying flush within the port. The device can also be shared across the network to protect applications on other servers.

5. YubiKey Nano

Nano versions of Yubikeys have a compact design and are meant to be left plugged into a user’s device. They offer all the same security features as the larger versions of YubiKeys, though they are a more suitable size for laptops and other small devices.

6. YubiKey Bio Series

The YubiKey Bio Series supports passwordless security through biometric verification and PIN-based authentication. It offers a seamless and convenient user login experience for consumer and enterprise use, as they can access accounts and devices with a simple fingerprint scan on the hardware. 

This model is compatible with USB-C and USB-A ports and supports FIDO2/WebAuthn and U2F protocols. Future editions of the series are also expected to support smart card standards.

7. YubiKey for Mobile

YubiKeys can support authentication on mobile devices in two ways. Any YubiKey series equipped with NFC can be used to authenticate users on an NFC-enabled mobile device. These keys can be tapped on the back of Android or iOS devices for frictionless authentication. 

Another way for YubiKeys to authenticate on a mobile device is with a direct connection through the USB-C or Lightning port. This is similar to how you would use the key to authenticate on a laptop or desktop computer.

The largest online services and applications support YubiKey authentication, including:

Google

Google allows its millions of users to enable two-factor authentication with a YubiKey to keep their accounts safe, including Gmail, YouTube, Google Maps, and other applications. The Yubikey 5 Series, BioSeries, FIPS Series, Security Key Series, and certain legacy models are compatible with Google on Chrome or Mozilla Firefox browsers to enable passwordless security. Users can easily pair their YubiKey to Google from their account settings.

Facebook

Facebook users can safeguard their accounts through two-factor authentication with a YubiKey. Users can protect their accounts with a YubiKey from nearly any browser or operating system. Facebook even allows users to register more than one YubiKey to their account for backup security options. Like with Google, you can use the Yubikey 5 Series, BioSeries, FIPS Series, Security Key Series, and certain legacy models for Facebook authentication.

Dropbox

With YubiKey two-factor authentication, you can protect your personal Dropbox account and the various photos, videos, and documents stored within the platform. You can use the Yubikey 5 Series, BioSeries, FIPS Series, Security Key Series, and certain legacy models to secure your Dropbox account and stored contents.

Password Managers

Several password managers, including Bitwarden, LastPass, KeePass, and Password Safe, also support YubiKey two-factor authentication. Depending on the specific platform, the password manager will generally require both a master password and the YubiKey to enable access to the user’s encrypted password and username database. Most of these platforms are compatible with the YubiKey 5 Series, FIPS Series, and certain legacy models.

YubiKey setup is generally a pretty simple process, and they’re ready to use right out of the box. The exact setup steps will vary by service provider, though this is the typical process you’ll go through to register your YubiKey for the first time:

1. Insert Your YubiKey: Depending on the model, insert your YubiKey into a USB-A, USB-C, or Lightning port on your computer or mobile device.

2. YubiKey Configuration Tool: Download and install the YubiKey Configuration Tool. This tool is essential for customizing your YubiKey settings. Here are some settings or adjustments you may need to make:

a. Make sure your device has the latest security patches and an up-to-date operating system

b. Use the Works with Yubikey tool to find compatible services and accounts

c. Register each YubiKey individually

d. Add two keys to each account and online service, as recommended by Yubico

e. Set up a PIN before adding services to your YubiKey

3. Set Up a PIN: Some Yubikeys require a PIN. Follow the on-screen instructions to set one up.

YubiKeys can enhance the security of your devices, networks, and online accounts without adding friction to the user experience. To keep your YubiKey and associated accounts secure, here are some best practices to abide by:

1. Secure Your Physical YubiKey

Treat your YubiKey as you would any other physical key. Anyone who possesses the key will be able to complete authentication if they’ve also compromised your other credentials, such as your password or PIN. 

If you need it to access systems and accounts at work, it may be worthwhile to attach it to a lanyard and wear it around your neck with your ID badge or other necessary credentials. If you use it for your personal accounts, keep it somewhere safe where others cannot access it.

2. Enable PIN Protection

You can enable PIN protection for YubiKeys to add an extra layer of security and prevent unauthorized access to your account or device. Within the YubiKey Manager application, you can navigate to the Personal Identity Verification (PIV) option and set a new PIN of six to eight digits. 

Test that it’s properly set by removing and reinserting the YubiKey to see if you are prompted to enter your new PIN before accessing your account.

3. Create Backups

It’s recommended to use backup YubiKeys, just like you typically have a backup house or car key. 

You can register one key as your primary and the other as the spare, allowing you to access critical accounts and devices even if your primary key is lost or damaged. Thus, you can avoid getting locked out of your accounts and going through the lengthy account recovery process.

4. Use Two-Factor Authentication (2FA)

In some cases, you can use a hardware authenticator like YubiKey as your single factor for authentication. However, you should enhance the security of your accounts, networks, and devices by enabling two-factor authentication (2FA). 

Depending on the service provider, the steps to set up 2FA with YubiKey may differ. Oftentimes, you can do so in a few steps within your security preferences under account settings and follow the steps we listed above to pair the key with your account.

5. Record Recovery Codes

During the YubiKey setup process, you will have the option to generate recovery codes. If you no longer possess your security key, these codes are the only way to access your account, so record them accurately and keep them in a safe storage location. Once you've finished configuring your key, it will be impossible to retrieve the codes. 

You may choose to store the codes in an encrypted file on your device. Or, you can print them off and store them in a locked safe or security deposit box that only you have access to.

6. Be Cautious with U2F

If you use YubiKey for U2F authentication, always verify website URLs, ensuring they match what you expect when prompted to insert your YubiKey. If you notice an abnormal or unusual URL, it could be a sign that a bad actor is trying to redirect you and compromise your credentials through a phishing attempt. 

The YubiKey’s LED blinking pattern should also match your expectations during U2F authentication.

7. Lock Devices

If you leave the YubiKey attached, like if you’re using a nano model, always set up a lock screen and password protection to prevent unauthorized access to your device and accounts. 

Otherwise, anyone who could access your laptop, mobile device, or desktop computer would be able to view, change, or steal its contents.

8. Segregate Keys

Consider using unique YubiKeys for different accounts and devices to minimize potential security risks if one of your keys is compromised. 

For instance, if one of your keys is stolen but you’ve only registered it to access your personal email account, the thief could not use it to access your laptop, work email, password manager, Facebook account, or other YubiKey-protected devices and applications.

YubiKey authentication enhances account security without detracting from the user experience. It helps organizations embrace a passwordless environment and prevent account takeovers and other attacks.

Combining YubiKey and PingID allows enterprise users to strengthen system-wide MFA security further, supporting Yubico OTP and security key FIDO2/U2F protocols.

Configure YubiKey authentication in PingID today by following these steps:

1. In the admin console, go to Setup > PingID > Configuration
2. Go to the Alternate Authentication Methods section
3. In the Enable column, select the YubiKey checkbox
4. Click Save

Once complete, users can pair and authenticate with their YubiKeys.

^1. 2017 Data Breach Investigations Report, Verizon

^2. 2017 Data Breach Investigations Report, Verizon

^3. Understanding MFA Phishing: Protection Measures and Key Statistics, keepnet labs

^4. Multi-Factor Authentication Statistics 2025 By Best Security, Market.us Scoop