What is a Yubikey?

A Yubikey is a hardware cryptographic engine and secret key storage device that is designed at the hardware level to prevent (if not just uncapable) to export the secrets it contains. It is most commonly used as a second factor in MFA authentication schemes.

TL:DR - The Yubikey is a write only device with built in crypographic silicon.

What are the use cases for the Yubikey?

High Level

What is this used for?

Typically used for second factor auth, can be used to sign content with PGP

Slotted Functionality

These functions are required to be assigned to a “slot” in order to function.

Yubico OTP

Yubico OTP is a OTP designed and configured from the factory from Yubico. Yubico’s public auth servers are already configured with the key from the box.

Tip.

If you remove the config for Yubico OTP, You will not be able to restore this config, EVER… You will instead get a “less trusted” keypair.

 Used in... SSH Auth, PAM, Web services

OATH-HTOP

Almost identical to Yubico OTP.. But not using the Yubico syntax form.

Used in... SSH Auth, PAM, Web services

Static Password

Press button, spits out the same thing every time. mainly used with legacy systems.

Used in... wherever you deem fit. acts identical to a normal password

Challange Response

The program and the yubikey talk to each other to perform a cryptographic challenge to authenticate.

Used in... KeepassXC, Local programs, some web services, PAM

Non-Slotted Functionality

The below functions do not require a slot to work and will work out of the box… Most of the time, some config may be required

U2F

A web-to-hardware API for using hardware tokens as a means of auth. Extremely easy to use.

Used in... Web services, PAM

Fido2

Like U2F, but upgraded and becoming the new standard in web auth. Can be used as single factor auth as well.

Only on the Yubikey 5 and later

Used in... Web services, PAM

OpenPGP Card

Used to store private and public openPGP keys for PGP things.

Used in.. Signing, encryption and decryption.

PIV Functionality

The hardest to grasp, Uses a PKI infra to identify a user. But can easily be set up to use with SSH Auth.

This is the best use case for ssh keypairs, as it requires no extra configuration on the remote server. All required information is stored in the public key.

Used in... Corporations, SSH, PAM, AD, FreeIPA,