The Swiss army knife of security tokens
The YubiKey offers multiple functions for protecting your log-in.
Each YubiKey (except the blue Security Key) has 2 slots that you can configure separately with the Yubico personalization tool. So, in practical terms, the key operates like two separate keys. (As delivered, slot 1 is configured with the Yubico OTP.)
The following functions may be available (depending on the type of YubiKey):
OTP (One-Time Password)
The YubiKey generates an encrypted password that can only be used once. A hacker would therefore need your YubiKey to generate the necessary one-time password. Yubico OTP can be used with all YubiKeys except the U2F Security Keys.
U2F is an open 2-factor authentication standard which enables secure access to any number of web-based services (such as Gmail or Dropbox) – immediately and without drivers or client software. The U2F specifications were originally developed by Google with participation by Yubico and NXP. Today, everything is managed under the auspices of the FIDO Alliance (Fast IDentity Online).
Currently, FIDO U2F only works in a Chrome browser. The feature can be used with any YubiKey except the Standard and Nano versions of the YubiKey.
Learn more about FIDO U2F.
OATH – HOTP (event-based one-time password)
The YubiKey generates a six- or eight-digit one-time password for any service that supports OATH-HOTP. This action is event-based, so a new password is generated for each event. The OATH-HOTP feature is available for every YubiKey except the blue U2F Security Key.
OATH – TOTP (time-based one-time password)
The YubiKey generates a six-digit or eight-digit one-time password for any service that supports OATH-TOTP. These include Microsoft Cloud accounts, Google apps, Dropbox and Evernote. A new one-time password is generated for each time interval, generally every 30 seconds. OATH-TOTP can be configured on all YubiKeys except the U2F Security Keys.
Static Password is a significant YubiKey feature that generates a 38-digit static password for logging into any application. This feature is used most often for old systems which cannot be retrofitted for other two-factor options. Static Password can be used with all YubiKeys except the U2F Security Keys. You will find instructions for configuring a static password here.
CHALLENGE AND RESPONSE (HMAC-SHA1, YUBICO OTP)
Challenge-response is best suited for offline authentication and can be used for Windows, Mac or Linux. Challenge-response is supported by all YubiKeys except the blue U2F Security Key.
We explain how to set up challenge & response for your YubiKey in our knowledge database.
PIV-COMPLIANT SMART CARD
Smart cards contain a computer chip for data exchange. The YubiKey Neo also has this feature, which is based on the industry standard for PIV (Personal Identity Verification) cards.
In the real world, documents and data are often validated by a signature. OpenPGP, a standards-based public key cryptographic method, is used to sign, encrypt and decrypt SMS, emails and files in the virtual world. The OpenPGP feature is included in the YubiKey Neo.
You will find an overview of which YubiKey supports which functions here.