What is Yubico OTP?

Yubico OTP is a simple yet strong authentication mechanism that is supported by all YubiKeys out of the box. Yubico OTP can be used as the second factor in a 2-factor authentication scheme or on its own, providing 1-factor authentication.

The most common pattern is to use Yubico OTP in combination with a username and password.

YubiCloud

YubiCloud is the name of Yubico’s web service for verifying OTPs. Before using YubiCloud, you need to get an API key from here. It’s quick, free, and helps us prevent misuse of YubiCloud.

If you prefer not to use YubiCloud, you can instead host a verification server yourself.

Advantages

Apart from the general advantages of 2-factor authentication, Yubico OTP has the following characteristics:

  • No client software needed. The OTP is just a string. If you can send a password, you can send an OTP.

  • YubiKey ID embedded in OTP. This allows for self-provisioning, as well as authenticating without a username.

  • Easy to implement. Using YubiCloud, supporting Yubico OTP is not much harder than supporting regular passwords.

One api.yubico.com, One HTTP GET

In 2020, Yubico consolidated all YubiOTP validation API servers behind a single endpoint: api.yubico.com. This modernized, cloud-based service enhances reliability and scalability. Customers now need only to make a single HTTP GET request to api.yubico.com for OTP validation.

To optimize performance, domain names pointing to this service are geolocated, directing YubiCloud clients to the nearest endpoint. We recommend configuring your clients to use api.yubico.com if you haven’t already done so.

Please note that Yubico’s legacy client libraries in PHP, C, .NET, Perl, and Java on GitHub are archived and will not be updated to support the new endpoint. These libraries previously handled multiple YubiCloud endpoints, a function now obsolete. Directly implementing the HTTP GET call in client applications removes the dependency on third-party libraries.

For detailed guidance on generating and verifying signatures and constructing HTTP GET calls for OTP verification, refer to the Yubico OTP Validation Protocol Version 2.0.
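The single GET and the signature handling described above, as an added example (not Yubico's code and not part of the original page). It assumes the `/wsapi/2.0/verify` path and the `id`, `otp`, `nonce` and `h` parameters of Validation Protocol 2.0; the function names are hypothetical, and the client ID, API key and OTP are constructed sample values.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

VERIFY_URL = "https://api.yubico.com/wsapi/2.0/verify"  # path assumed from protocol 2.0


def sign(params: dict, api_key_b64: str) -> str:
    """HMAC-SHA1 over the alphabetically sorted key=value pairs, base64-encoded."""
    message = "&".join(f"{k}={params[k]}" for k in sorted(params))
    key = base64.b64decode(api_key_b64)
    return base64.b64encode(hmac.new(key, message.encode(), hashlib.sha1).digest()).decode()


def build_request(client_id: str, otp: str, api_key_b64: str) -> tuple[str, str]:
    """Return (url, nonce); keep the nonce to bind the reply to this request."""
    nonce = secrets.token_hex(16)  # 32 chars, inside the protocol's 16-40 range
    params = {"id": client_id, "nonce": nonce, "otp": otp}
    params["h"] = sign(params, api_key_b64)  # signed before URL-encoding
    return f"{VERIFY_URL}?{urlencode(params)}", nonce


def check_response(body: str, otp: str, nonce: str, api_key_b64: str) -> bool:
    """Accept only a correctly signed status=OK reply that echoes our otp and nonce."""
    fields = dict(line.split("=", 1) for line in body.split() if "=" in line)
    received = fields.pop("h", "")
    expected = sign(fields, api_key_b64)
    if not hmac.compare_digest(received.encode(), expected.encode()):
        return False  # forged or altered reply
    if fields.get("otp") != otp or fields.get("nonce") != nonce:
        return False  # reply belongs to a different request
    return fields.get("status") == "OK"


if __name__ == "__main__":
    # Constructed sample values, not real credentials; no network call is made.
    key = base64.b64encode(b"constructed-demo-key").decode()
    otp = "cccccccccccb" + "bdefghijklnrtuvc" * 2
    url, nonce = build_request("12345", otp, key)
    print(url)
    reply = {"otp": otp, "nonce": nonce, "status": "OK", "t": "2024-01-01T00:00:00Z0123"}
    body = "\r\n".join(f"{k}={v}" for k, v in reply.items()) + "\r\nh=" + sign(reply, key)
    print("accepted:", check_response(body, otp, nonce, key))
```

In a real integration the URL is fetched over HTTPS and the response body is passed to `check_response`. Any status other than `OK`, a mismatched nonce or OTP, or a bad signature is treated as a failed login.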

Implementing

We provide two alternatives:

Understanding

While not required, it can be interesting and useful to know how a Yubico OTP is generated. This is explained in OTPs explained.