Yubico’s flagship product, the Yubikey 5 is one of the most feature complete security tokens on the market.
Has been certified by the FIDO Alliance as conforming to FIDO2 standardsMore Info
FIDO L1 Certification
Certified by the FIDO Alliance to meet L1 Security StandardsMore Info
Vendor provides applications that extend or configure the device
Android management application
Management application runs on Android smartphones with appropriate hardware (NFC, BLE, etc)
MacOS management application
Management application runs on MacOS
Windows management application
Management application runs on Windows
Resident Cryptographic Keys
Supports U2F/WebAuthn discoverable/resident authentication keysMore Info
Resident ECDSA keys
Supports ECDSA discoverable keys
Resident ED25519 keys
Supports ED25519 discoverable keys
Conforms to PKCS11 SmartCard interface standardsMore Info
Supports stored, static passwords, usually configured with a vendor-specific application
Conforms to the U2F Authenticator/WebAuthn standardMore Info
Enables use of Yubico YubiOTP one-time-passwordsMore Info
Yubikeys are credited with starting the personal USB token industry, and for good measure. With the fifth generation of yubikey comes a unification of the overall line. The 5ci and Nano lack NFC, but the classic Yubikey series has NFC as a standard feature.
In addition to U2F functions, the YubiKey supports PKCS#11 PIV (Smart Card) functionality. For more information, see Yubikey as a PIV Compatible Smart Card on the Yubico website.
Using the Yubikey with other services
The Yubikey series supports OpenPGP keys as well as other cryptographic functions through the SmartCard interface.
Several community guides exist on these topics:
- Configuring OpenPGP and Yubikeys (the “Ultimate Yubikey Setup Guide”)
- Yubikey GPG and SSH Auth on Windows and WSL
TOTP/HOTP and the Yubikey series
Yubikeys support TOTP and HOTP through the Yubico Authenticator application. This application allows adding and removing TOTP and HOTP credentials. These are stored on the key, not on the phone or desktop, however it is not possible to retrieve the secret once the values have been added.
ED25519 support in SSH U2F
Support for ED25519 is limited to firmware 5.2.3 and above (supporting FIDO2). (source) This may be important to you if you have concerns over ECDSA.