
Yubikey 5
Yubico’s flagship product, the Yubikey 5 is one of the most feature-complete security tokens on the market.
CTAP 2.1
Supports CTAP 2.1, including features like enforced PIN complexity, credBlob, largeBlob, and alwaysUv
Enterprise Attestation
Reveals a unique attestation certificate during FIDO registration so identity providers can tie a credential to a specific device
Management Application
Vendor provides applications that extend or configure the device
Android management application
Management application runs on Android smartphones with appropriate hardware (NFC, BLE, etc)
iOS management application
Management application runs on Apple iOS devices
MacOS management application
Management application runs on MacOS
Windows management application
Management application runs on Windows
Resident Cryptographic Keys
Supports WebAuthn discoverable resident credentials, the building block of passkeys
Resident ECDSA keys
Supports ECDSA discoverable keys
Resident ED25519 keys
Supports ED25519 discoverable keys
Stored passwords
Supports stored, static passwords, usually configured with a vendor-specific application
Yubikeys are credited with starting the personal USB token industry, and with good reason. With the fifth generation of Yubikey comes a unification of the overall line. The 5Ci and Nano variants lack NFC, but the rest of the family carries NFC as a standard feature.
The Yubikey 5 family ships in many variants. This entry covers the standard line: Yubikey 5 NFC, 5C NFC, 5C, 5 Nano, and 5C Nano. The variants with meaningfully different feature sets have their own pages:
- Yubikey 5Ci for users with older iPhones that still use a Lightning connector.
- The Yubikey 5 FIPS family for FIPS 140 compliance.
The Yubikey Bio family is documented separately as well: see Yubikey Bio FIDO Edition and Yubikey Bio Multi-protocol Edition. For a FIDO-only sibling at a lower price, see the Security Key NFC.
In addition to FIDO2 and U2F, the Yubikey 5 supports PKCS#11 PIV (smart card) functionality. For more information, see Yubikey as a PIV Compatible Smart Card on the Yubico website.
Firmware 5.7 and EUCLEAK
In September 2024, security researchers at NinjaLab disclosed EUCLEAK, a side-channel attack against the Infineon ECDSA library running on the NXP A700x secure element used by the Yubikey 5 series, the Yubikey 5 FIPS series, the Security Key Series, and the Google Titan keys. The attack requires physical possession of the key, removal of its plastic shell, and around eleven thousand dollars' worth of equipment, so the practical risk to most users is low. Yubico’s advisory YSA-2024-03 has the full details.
Yubico fixed the issue in firmware 5.7, released in May 2024, by replacing Infineon’s library with a Yubico-written implementation. Firmware on Yubikeys cannot be updated in the field, so a Yubikey 5 you bought before May 2024 is still affected. The mitigation in that case is replacement, not patching.
Firmware 5.7 also brings CTAP 2.1, RSA-3072 and RSA-4096, Ed25519, enterprise attestation, enhanced PIN complexity, restricted NFC mode, and a higher discoverable credential capacity. If you are buying a new Yubikey 5 today, it will be on 5.7 or higher.
Using the Yubikey with other services
The Yubikey series supports OpenPGP keys as well as other cryptographic functions through the SmartCard interface.
Several community guides exist on these topics:
- Configuring OpenPGP and Yubikeys (the “Ultimate Yubikey Setup Guide”)
- Yubikey GPG and SSH Auth on Windows and WSL
TOTP/HOTP and the Yubikey series
Yubikeys support TOTP and HOTP through the Yubico Authenticator application. This application allows adding and removing TOTP and HOTP credentials. These are stored on the key, not on the phone or desktop; however, it is not possible to retrieve the secret once the values have been added.
ED25519 support in SSH U2F
Support for ED25519 is limited to firmware 5.2.3 and above (supporting FIDO2). (source) This may be important to you if you have concerns over ECDSA.
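The two firmware thresholds on this page (5.7 for the EUCLEAK fix, 5.2.3 for Ed25519 in SSH) can be applied to a fleet inventory as below. This is an added example, not Yubico's tooling: the CSV layout, column names and serial numbers are constructed, and `ed25519-sk` / `ecdsa-sk` are the OpenSSH key type names for FIDO-backed keys.

```python
import csv
import io

EUCLEAK_FIXED = (5, 7, 0)    # page: issue fixed in firmware 5.7
ED25519_SK_MIN = (5, 2, 3)   # page: Ed25519 for SSH needs firmware 5.2.3+

# Constructed sample inventory; columns are hypothetical, not a vendor export format.
SAMPLE_INVENTORY = """serial,model,firmware
10000001,YubiKey 5 NFC,5.2.4
10000002,YubiKey 5C,5.1.2
10000003,YubiKey 5C NFC,5.7.1
10000004,YubiKey 5 Nano,5.4.3
10000005,YubiKey 5 NFC,unknown
"""

def parse_version(text):
    """Return firmware as a 3-tuple of ints, or None if the string is malformed."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts) + (0,) * (3 - len(parts))

def triage(row):
    """Classify one key: replace (pre-5.7), keep, or verify-manually."""
    fw = parse_version(row["firmware"])
    if fw is None:
        # Never assume an unreadable version is safe; have someone check the key.
        return {"serial": row["serial"], "action": "verify-manually",
                "ssh_key_type": None}
    # Firmware cannot be updated in the field, so affected keys are replaced.
    action = "replace" if fw < EUCLEAK_FIXED else "keep"
    # Older firmware can only back SSH keys with ECDSA.
    ssh_key_type = "ed25519-sk" if fw >= ED25519_SK_MIN else "ecdsa-sk"
    return {"serial": row["serial"], "action": action,
            "ssh_key_type": ssh_key_type}

def triage_inventory(csv_text):
    """Triage every row of a CSV inventory and return a list of results."""
    return [triage(row) for row in csv.DictReader(io.StringIO(csv_text))]

if __name__ == "__main__":
    for result in triage_inventory(SAMPLE_INVENTORY):
        print(result)
```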