The YubiKey supports Open Authentication (OATH) standards for generating one-time password (OTP) codes. Configure the YubiKey to generate the OTP for users to enter as their passcode.
The YubiKey-generated passcode can be used as one of the authentication options in two-factor or multi-factor authentication. The user’s login credentials are typically the other half of the two-factor authentication. Go to Two Factor Auth (2FA) for a list of software and web sites that support two-factor authentication.
Configure the YubiKey using the tools to read and generate the OATH codes. The end user or a provisioning administrator configures the YubiKey for one of the supported methods.
Provide secret key. Go to the Yubico API key signup page to generate a shared symmetric key for use with Yubico Web Services. The YubiKey securely stores it to use in combination with a timestamp or authentication counter to generate the OTP code.
OTP verification server. Use the YubiCloud server with a Yubico API key, or host one of two YubiCloud Validation Servers.
The configuration steps below apply to both of the authentication methods:
Time-based One-Time Password algorithm (TOTP) — Requires an application that can read OATH codes from YubiKeys. Uses a timestamp to calculate the OTP code.
HMAC-based One-time Password algorithm (HOTP) — Can be configured using the YubiKey Manager as a GUI, or as a CLI. Uses an authentication counter to calculate the OTP code.
Use the Yubico Authenticator app to read OATH codes from your YubiKey over NFC or over USB (Android app for OATH).
Step 1: If using USB, verify USB connection requirements:
Device has either a USB on-the-go adapter or USB-C port
Device supports USB Host mode
Chip Card Interface Device (CCID) mode is enabled on the YubiKey.
Step 2: From Google Play, download the Yubico Authenticator app to your device.
Step 3: Add the app for the Android device to read OATH codes from the YubiKey.
a) Build the APK to install on the Android device. From the device command line, run the following command to build the debug version of the app:
flutter build apk --debug
The compiled file is stored in the directory build/app/outputs/flutter-apk/. More information about building for Android can be found on the Development documentation page.
b) Manage OATH credentials by command. See the YKOATH protocol specification. The YKOATH protocol includes commands for: Select, Put, Delete, Set Code, Reset, List, Calculate, Validate, Calculate All, Send Remaining.
Step 4: Add credentials to the YubiKey:
a) Select the credential method: scan a QR code or enter a Base32-encoded secret. On the YubiKey, tap the + to select the option.
b) Tap the YubiKey or connect it to display the codes.
The Yubico Authenticator for Desktop enables you to read OATH codes from your YubiKey over USB. It supports the newer OATH implementation as well as the older slot-based implementation.
Step 1: Verify supported version:
Windows 7 or later
macOS High Sierra 10.13 or later
Ubuntu 16.04 LTS or later
Step 2: For Linux, ensure the pcscd service is installed and running.
Step 3: If using USB, verify USB connection requirements:
Device has either a USB on-the-go adapter or USB-C port
Device supports USB Host mode
Chip Card Interface Device (CCID) mode is enabled on the YubiKey.
Step 4: Download the YubiOATH Desktop.
Step 5: Add credentials to the YubiKey:
a) Select the credential method: scan a QR code or enter a Base32-encoded secret. On the YubiKey, tap the + to select the option.
b) Tap the YubiKey or connect it to display the codes.