YubiKey Overview
A YubiKey is a hardware device for Duo two-factor authentication. Models vary in capabilities—some function only as security keys, while others also generate passcodes. This is an alternate option for those who do not have or prefer not to use their smartphone or tablet device with Duo. While there is a cost to purchase a YubiKey, using it with Duo at Caltech is free.
Below is a summary of its two operating modes.
YubiKey Security Key Mode
- Available on most modern YubiKey devices, including multi-protocol devices such as "YubiKey 5 Series", as well as FIDO-only devices such as "YubiKey Security Key Series" devices.
- Does not require Help Desk to set up. Can be done using the Duo Device Management Portal.
- Only supports browser-based applications; it does not support command-line or Windows login.
YubiKey Passcode Mode
- Requires a YubiKey device that supports OTP protocols (often described as multi-protocol devices), such as the "YubiKey 5 Series" devices.
- Must be set up by IMSS Help Desk. Generally requires bringing the YubiKey device into the Help Desk in person.
- Works as a second-factor option for a broad range of Duo-protected applications including browser-based applications as well as command-line and Windows login.
Which YubiKey should I buy?
Some YubiKey devices support both Security Key and Passcode modes, while others only support Security Key mode. At Caltech, some systems may require both, so IMSS recommends the YubiKey 5 Series for the best compatibility. Choose one that fits your computer's ports: USB-A (older/larger) or USB-C (newer/smaller).
- For USB-A, IMSS recommends the YubiKey 5 NFC:
https://www.yubico.com/product/yubikey-5-series/yubikey-5-nfc/
- For USB-C, IMSS recommends the YubiKey 5C NFC:
https://www.yubico.com/product/yubikey-5-series/yubikey-5c-nfc/
For a budget-friendly option, the YubiKey Security Key NFC works only in security key mode with browser-based apps. Ensure you are comfortable with these limitations before purchasing, as this does not support command-line or Windows login.