KuppingerCole Report
Executive View
By Alexei Balaganski

YubiKey by Yubico

YubiKey is a hardware authentication device that provides two-factor authentication using either one-time passwords or public key infrastructures. Combining strong cryptography with ease of use and supporting a wide range of authentication methods and protocols, YubiKeys are widely deployed by both enterprises and consumer-oriented online services.

1 Introduction

Yubico is a privately held company headquartered in Palo Alto, CA, USA. Originally founded in 2007 in Sweden with a specific focus on developing a secure, yet simple and affordable alternative to password authentication, the company now has a global presence with offices in the USA, UK and Sweden and over 100,000 customers in 150 countries including such companies as Google, Salesforce and Facebook.

Security experts have been predicting “death to passwords” for over a decade. Unfortunately, despite all their efforts and despite a number of stronger alternatives available on the market, passwords are still a reality we have to deal with. In fact, with the continuing proliferation of online services and a wide variety of devices to access them, the number of credentials users have to deal with is only increasing. Although passwords are universally known to be subject to a wide variety of risks, most stronger alternatives fail to get significant traction for a number of reasons: equipment costs, lack of interoperability and vendor lock-in, inability to scale to a large number of identities, and last but not least, complicated deployment involving hardware adapters, drivers, client software and so on.

Although Yubico’s first product, the original YubiKey, was merely a one-time password token with a USB connector, it managed to address most of these concerns quite successfully. First of all, it provided completely plug and play one-touch operation without any client software. Second, although the device was created for a specific customer project, the infrastructure around it was designed to be open and extensible, with all components published as Open Source projects. Finally, a single YubiKey was enough to secure multiple independent online services.

Since then, the company has developed several generations of their flagship product, and Yubico’s current portfolio includes several YubiKey models with different interfaces (USB and NFC with Bluetooth in development) and a wide variety of supported authentication methods and protocols including Yubico and OATH One-time Password (OTP), Personal Identity Verification (PIV), OpenPGP and the latest FIDO U2F standard. Thus, a single YubiKey can replace multiple OTP tokens and smartcards, not to mention securing existing password-based authentication with a strong hardware-based second factor.

Although the company’s primary focus is manufacturing and distribution of their hardware devices, Yubico is very active in promoting strong authentication to the public and maintaining a large developer and partner community. The company provides cloud services for validating OTP transactions, as well as a number of open source projects for strong authentication, encryption and digital signatures. Yubico is a member of several open identity standard bodies including W3C, OpenID Foundation, and the FIDO Alliance, where the company actively participates in development of the Universal 2nd Factor (U2F) standard.

With a number of large-scale end user online services making support for the open standards that the YubiKey works with (for example, by Google, Dropbox and, most recently, GitHub), YubiKey has arguably become one of the most popular hardware authentication devices for consumers.

2 Product Description

A YubiKey is a specialized hardware device that can perform various authentication functions, including one-time password generation, public key crypt ...

Login Get full Access

3 Strengths and Challenges

With YubiKeys, Yubico is able to provide a scalable, future-proof and easy to deploy strong authentication platform, which still remains backwards com ...

Login Get full Access


©2021 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole´s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst ompany, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.