
Hardware Security
YubiKey
Hardware security keys for phishing-resistant MFA and passwordless authentication.
YubiKey Overview
What it does
YubiKey is a hardware authentication security key that eliminates account takeovers through phishing-resistant multi-factor authentication (MFA) using cryptographic proof of identity. Unlike SMS codes or authenticator apps vulnerable to phishing, man-in-the-middle, and SIM-swap attacks, YubiKey creates a cryptographic link between user credentials and specific website domains, refusing to authenticate even when users click fraudulent links. The physical security token combines something you know (password/PIN) with something you have (the physical key), requiring user presence to complete authentication and supporting passwordless login via FIDO2/WebAuthn passkey technology.
How it works
YubiKey supports multiple authentication protocols including FIDO2/WebAuthn for passwordless authentication, FIDO U2F for two-factor authentication, OATH-TOTP/HOTP for one-time passwords, OpenPGP for email encryption and code signing, and Smart Card (PIV) for certificate-based authentication on legacy systems. The device requires no batteries, software installation, or network connectivity, functioning as a USB keyboard that works offline across Windows, macOS, Linux, iOS, and Android. YubiKey integrates natively with hundreds of services including Google Workspace, Microsoft 365, AWS, Azure, GitHub, password managers (1Password, LastPass, Bitwarden), and identity providers (Okta, Ping Identity, Microsoft Entra ID).
Credentials and traction
The YubiKey 5 FIPS Series is FIPS 140-3 validated (Certificate #5291, Overall Level 2 with Physical Security Level 3) and supports NIST authenticator assurance level AAL3. Yubico was named Best Security Company of the Year at the 2025 Cyber Security Awards and one of PCMag's Best Tech Brands for 2025, and holds a TrustRadius 2025 Top Rated Award. More than 22 million keys are in use across 160-plus countries; in a 2025 deployment, T-Mobile rolled out over 200,000 phishing-resistant YubiKeys.
Key Capabilities
mapped to solution categoriesProvides an enterprise portal for registering, managing, and auditing hardware key deployment across the organization at scale.
Implements the FIDO2 WebAuthn specification for phishing-resistant authentication, binding authentication to the registered origin, preventing credential use on phishing domains.
Supports FIDO2, FIDO U2F, PIV (smart card), and TOTP on a single device, enabling use across web applications, VPNs, OS login, and legacy systems.
Supports NFC tap-based authentication for mobile devices alongside USB-C and USB-A, determining which use cases and device types the key supports.
Uses FIDO attestation during registration to verify the make and model of each hardware key, so an enterprise can require only approved, certified authenticators.
Binds passkeys to specific device hardware (TPM, Secure Enclave), the private key cannot be exported or used from a different device.
Implements FIDO2/WebAuthn for phishing-resistant authentication, binding credentials cryptographically to the registered origin to prevent use on phishing domains.
Supports parallel operation of password and passwordless authentication during transition, allowing gradual user migration without a hard cutover.
Enables passwordless authentication for applications that do not natively support FIDO2, using reverse proxy, credential injection, or identity broker patterns.
Compliance
certificationsIntegrations
compatible toolsImplementation & support
Info last updated on May 27, 2026
Vendors
Is this your product?
Claim your profile to connect with the teams looking for your solutions.