Yubikey Generate Key On Card
⚠️ Content below I now consider obsolete. My latest guide is now located here: Technical guide for using YubiKey series 4 for GPG and SSH. Please consult that resource instead.
We will generate a master key with only the Certify capability and three subkeys with each of the Sign, Encrypt and Authenticate capabilities. These latter three keys are meant for daily use and will be transferred to an OpenPGP smartcard, which has three corresponding slots. The master private key can then be moved to offline cold storage, or stored on a second smartcard.
We are generating keys on a secure computer instead of on the card, because it allows more flexibility. Ideally this means a machine running Tails or one that is air-gapped and not connected to the internet.
This guide assumes that if you want to sign other people's keys, then you will require the aforementioned secondary smartcard with your master key stored in its Signature slot, or if you only have one smartcard, then you'll have to fetch the master key out of cold storage. By default, GPG generates a master key with the Certify and Sign capabilities and a subkey with the Encrypt capability. We will override this using expert mode.
First, make sure you're running GnuPG 2.x. This is important because you can't use 4096-bit RSA keys on most smartcards with GnuPG 1.x. A Bash alias will suffice, i.e. alias gpg=gpg2.
If you use the Enigmail Thunderbird add-on, make sure the GPG path is set to /usr/bin/gpg2.
If you're using a YubiKey on Tails, you might need to add udev rules in order to interact with the device. Create a file named 70-yubikey.rules in /etc/udev/rules.d with the following contents:
Then run sudo udevadm control --reload-rules.
For the sake of brevity, this guide assumes that you will always enter passphrases and PINs, and answer Yes by typing y when prompted.
At some point either before or after you should initialize your new smartcard, setting some of the variables if you so choose (stuff like name, url, login, lang, sex), but most importantly modify the default PIN (123456) and admin PIN (12345678). You can do this by running gpg --card-edit and typing admin and then help to list available commands. Use passwd to change your PINs. You can also toggle the forcesig flag to control whether you'd like to require a PIN to be entered every time you sign a message.
Generate the master key
Select 8: RSA (set your own capabilities)
Select S, E, and Q so that you're left with only the Certify capability.
Set a 4096 bit key size.
Set the expiration date.
Setup a UID.
Setup a passphrase.
The key is generated.
Add UIDs
Use gpg> adduid to add as many UIDs or e-mail addresses as you need. Once you're done, toggle to gpg> uid <#> and use the gpg> primary command to set the primary UID.
Now we will add subkeys for each capability to be transferred to the main smartcard designated for daily use.
Create the Sign key
Select 4: RSA (sign only).
Set a 4096 bit key size.
Set the expiration date.
The key is generated.
Create the Encrypt key
Select 6: RSA (encrypt only).
Set a 4096 bit key size.
Set the expiration date.
The key is generated.
Create the Authenticate key
Select 8: RSA (set your own capabilities)
Select S and E to toggle off the Sign and Encrypt capabilities.
Select A to toggle on the Authenticate capability and press Q.
Set a 4096 bit key size.
Set the expiration date.
The key is generated.
Set trust level
By the way, you should probably set the public key to the ultimate trust level.
Select 5 = I trust ultimately.
Add signatures
If you want to sign the new master key with your previous key that you're transitioning from, the time is now.
Generate revocation certificate
While you still have access to the master key with the Certify capability, it's a good idea to create a revocation certificate.
Backup everything
You can move these private keys plus the revocation certificate someplace safe, like an encrypted partition or offline storage media.
Transfer your master key to a secondary smartcard
If you have two smartcards available, then you can store your master key in the Signature slot of a second smartcard, and use this one for stuff like signing other people's keys, and making changes to your key, as in the scheme recommended by Tom Lowenthal's guide. After initializing the card and setting new PINs:
gpg> toggle
gpg> keytocard
Answer 'y' to 'Really move the primary key?'
Select 1: Signature key.
gpg> save
As mentioned, switching to this smartcard will be required whenever you want to sign somebody else's key or make modifications to your key. Now eject it and put it away somewhere. You may want to create a label so you can tell them apart. Insert the primary smartcard that you've selected for daily use.
Load subkeys onto the smartcard
You can use gpg --card-edit to initialize your smartcard: set the PINs, and variables like language, sex, your first and last name, or a URL for downloading your key. Now let's load the keys onto it.
Select 1: Signature key.
Un-toggle key one: gpg> key 1
Toggle key two: gpg> key 2
Select 2: Encryption key.
Un-toggle key two: gpg> key 2
Toggle key three: gpg> key 3
Select 3: Authentication key.
Now what?
You shouldn't have to delete any secret keys, as they were moved to the smartcard. When you either use the keytocard command or perform key generation on the card, GnuPG places a 'stub' in your keyring so that it knows the actual secret key material is located on the smartcard. It looks like you have the secret key on your computer but you actually don't, and you can't decrypt anything without the card. It's just a stub pointing to the smartcard — which is something you do want to keep if you'd like this to be usable.
So what if you deleted the secret keys anyway and lost the stubs? Just run $ gpg --card-status or open the 'Manage Smartcard' menu in Enigmail in order to instantly re-associate and populate your keyring with the information from your smartcard. However, always keep in mind that you need the corresponding public key in your keyring to work with the smartcard on whatever computer you're using.
After you purposely delete the secret key stubs from your keyring (otherwise it will say the keys are already associated with another card), you can even put these same keys on a different smartcard by repeating part of the process above.
However, you should probably back up or transfer these stubs to your regular computer first, since they're pointing to separate smartcards for different subkeys, and they're very difficult to re-create if you lose them—but it can be done using a tool called gpgsplit. Without all of the correct stubs, GnuPG won't prompt you to insert your other smartcard with a different serial number when you try to certify another key or alter attributes.
Transfer this file to your regular, non-airgapped machine and run gpg --import. This doesn't contain any actual secret key material — that's been migrated to the smartcard(s). Also make sure you transfer and import a copy of your pubkey.asc for things to work properly.
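To confirm that the keyring really holds only stubs and that the key layout matches what this guide builds, you can audit the machine-readable listing. This is an added example, not part of the original guide: it parses the output of gpg --list-secret-keys --with-colons, and the sample listings, key IDs, card serial numbers and function names are constructed for illustration.

```python
# Added example: audit `gpg --list-secret-keys --with-colons` output.
# Every key ID and card serial number below is constructed.

CARD_MASTER = "D2760001240102010006000000010000"  # constructed: second card
CARD_DAILY = "D2760001240102010006000000020000"   # constructed: daily-use card

# Constructed listing of the layout this guide produces.
GOOD_LISTING = f"""\
sec:u:4096:1:1111111111111111:1450000000:1481536000::u:::cSEA:::{CARD_MASTER}:::23::0:
uid:u::::1450000000::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA::Example User <user@example.org>::::::::::0:
ssb:u:4096:1:2222222222222222:1450000100:1481536100:::::s:::{CARD_DAILY}:::23:
ssb:u:4096:1:3333333333333333:1450000200:1481536200:::::e:::{CARD_DAILY}:::23:
ssb:u:4096:1:4444444444444444:1450000300:1481536300:::::a:::{CARD_DAILY}:::23:
"""

# Constructed counter-example: GnuPG's default layout (primary can also sign),
# secret material still on disk, no Sign or Authenticate subkey.
BAD_LISTING = """\
sec:u:4096:1:5555555555555555:1450000000:1481536000::u:::scESC:::+:::23::0:
ssb:u:4096:1:6666666666666666:1450000100:1481536100:::::e:::+:::23:
"""


def parse_secret_keys(listing):
    """Return one dict per sec/ssb record of a --with-colons listing."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb") or len(f) < 15:
            continue
        keys.append({
            "record": f[0],
            "keyid": f[4],
            "bits": int(f[2]),
            # Field 12: lowercase letters are this key's own capabilities;
            # uppercase letters on the primary summarise the whole key.
            "caps": {c for c in f[11] if c in "cesa"},
            # Field 15: card serial number for a smartcard stub, '#' when the
            # secret part is missing, '+' when it is stored on this machine.
            "token": f[14],
        })
    return keys


def audit(listing):
    """Return a list of findings; an empty list means the layout matches."""
    findings = []
    keys = parse_secret_keys(listing)
    for k in keys:
        if k["record"] == "sec" and k["caps"] != {"c"}:
            caps = "".join(sorted(k["caps"]))
            findings.append(f"{k['keyid']}: primary should be Certify-only, has '{caps}'")
        # Assumption: an empty field (older GnuPG) is treated like '+'.
        if k["token"] in ("+", ""):
            findings.append(f"{k['keyid']}: secret key material is on disk")
    subkeys = [k for k in keys if k["record"] == "ssb"]
    for cap, name in (("s", "Sign"), ("e", "Encrypt"), ("a", "Authenticate")):
        count = sum(1 for k in subkeys if k["caps"] == {cap})
        if count != 1:
            findings.append(f"expected one {name}-only subkey, found {count}")
    return findings


def cards_in_use(listing):
    """Map each card serial referenced by a stub to the key IDs it holds."""
    cards = {}
    for k in parse_secret_keys(listing):
        if k["token"] not in ("+", "#", ""):
            cards.setdefault(k["token"], []).append(k["keyid"])
    return cards


if __name__ == "__main__":
    for name, listing in (("good", GOOD_LISTING), ("bad", BAD_LISTING)):
        print(name, audit(listing) or "layout OK", cards_in_use(listing))
```

Run it against your own keyring by piping the real listing into audit(); two different serials in cards_in_use() correspond to the two-card scheme described earlier.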
You now have a working OpenPGP smartcard for use with GPG, Enigmail and more! Now you can let people know about your new key, upload it to keyservers, publish a transition statement, and all of that fun stuff.
Tips
gnome-keyring-daemon has a bad habit of hijacking the GnuPG agent, causing cards and readers to be unrecognized or to behave unpredictably. Many of these issues go away if you disable the ssh & gpg components of gnome-keyring-daemon and let gpg-agent handle them instead. Run gnome-keyring-daemon with only --components=pkcs11,secrets.
To do this you can rm /etc/xdg/autostart/gnome-keyring-ssh.desktop and gnome-keyring-gpg.desktop or just add Hidden=true plus X-GNOME-Autostart-enabled=false to those launchers. If you prefer, you can create a new launcher just for starting gpg-agent (more ideally in ~/.config/autostart).
If you are experiencing 'Card not available' or 'Card error', then you might want to try killing and restarting gpg-agent.
This resolved many issues and my smartcard now works reliably this way on Debian jessie with GnuPG 2.x.
To make sure your smartcard works in every Bash shell you open, it helps to add the following to ~/.bashrc:
This assumes the presence of write-env-file ~/.gnupg/gpg-agent-info in your gpg-agent.conf. Evaluating that file helps make sure you have the correct GPG_AGENT_INFO, SSH_AUTH_SOCK and SSH_AGENT_PID environment variables in each terminal session. While we're at it, here's what my ~/.gnupg/gpg-agent.conf looks like:
This configuration depends on two packages you must install via apt-get, pinentry-qt4 and scdaemon.
One annoying thing about most pinentry applications is that they don't allow pasting from clipboard, making them hard to use with a password manager. If you want to be able to do this, just grab the latest source of pinentry-qt4 (0.8.4 or greater) and then compile it with this option: ./configure --enable-pinentry-qt4-clipboard=yes.
Using the smartcard key for SSH authentication
You can use your 4096-bit Authenticate key on the smartcard with SSH. This has the advantage that you can't log in to any servers without possession of the device. It's easiest to do with the latest GnuPG 2.1.x, otherwise you may have to install monkeysphere and use the openpgp2ssh tool, which we're going to skip. Note: this won't work unless you've set a non-default smartcard PIN of at least 6 digits.
On GnuPG 2.0.x, when you run gpg-agent with enable-ssh-support so that it takes over for ssh-agent, your smartcard's Authenticate subkey should automatically be recognized as a valid SSH key and become available for the SSH client to use as an identity. But you might have trouble getting it to work, so here are some extra steps which can assist the process:
Add enable-ssh-support and write-env-file to ~/.gnupg/gpg-agent.conf
Fetch the keygrip of your master public key with gpg2 --with-keygrip -k and add these 40 hex digits as a line to ~/.gnupg/sshcontrol.
Make sure gpg-agent --daemon --options ~/.gnupg/gpg-agent.conf is running in the background. If you run ssh-add -l it should list an SSH identity corresponding to the RSA key on your smartcard.
Check echo $SSH_AUTH_SOCK - it should be pointing to gpg-agent's socket instead of ssh-agent. If it's not you have to kill ssh-agent or make sure it doesn't start.
Get the 16-digit long ID of your Authenticate subkey and feed it into gpgkey2ssh:
You can add the contents of ssh_id.pub to ~/.ssh/authorized_keys on any system you like, or you can try ssh-copy-id.
Now your SSH agent should be communicating with gpg-agent and the RSA Authenticate key on your smartcard is a valid SSH identity. When you run SSH with your smartcard connected, it will automatically attempt to authenticate using it.
More resources:
How to obtain the OpenPGP smartcards and USB readers
I now recommend the YubiKey version 4 instead of the OpenPGP smartcard from g10 code. It's modern hardware, much faster, and has many great features. These devices can be purchased from Amazon.
If you have any questions about the information in this guide, you can reach me on Twitter @ageis, by e-mail to kevin [at] freedom [dot] press (PGP key), or XMPP/Jabber: ageis@jabber.calyxinstitute.org.
Private | |
---|---|
Industry | Software |
Founded | 2007 |
Headquarters | Palo Alto, California, United States |
Key people | Stina Ehrensvärd (CEO and Founder), Jakob Ehrensvärd (CTO) |
Website | www.yubico.com/products/ |
The YubiKey is a hardware authentication device manufactured by Yubico that supports one-time passwords, public-key cryptography and authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols[1] developed by the FIDO Alliance. It allows users to securely log into their accounts by emitting one-time passwords or using a FIDO-based public/private key pair generated by the device. YubiKey also allows for storing static passwords for use at sites that do not support one-time passwords.[2] Facebook uses YubiKey for employee credentials,[3] and Google supports it for both employees and users.[4][5] Some password managers support YubiKey.[6][7] Yubico also manufactures the Security Key, a device similar to the YubiKey, but focused on public-key authentication.[8][9]
The Yubikey implements the HMAC-based One-time Password Algorithm (HOTP) and the Time-based One-time Password Algorithm (TOTP), and identifies itself as a keyboard that delivers the one-time password over the USB HID protocol. The YubiKey NEO and YubiKey 4 include protocols such as OpenPGP card using 2048-bit RSA and elliptic curve cryptography (ECC) p256 and p384, Near Field Communication (NFC), and FIDO U2F. The YubiKey allows users to sign, encrypt and decrypt messages without exposing the private keys to the outside world. The 4th generation YubiKey launched on November 16, 2015. It has support for OpenPGP with 4096-bit RSA keys, and PKCS#11 support for PIV smart cards, a feature that allows for code signing of Docker images.[10][11]
Founded in 2007 by CEO Stina Ehrensvärd, Yubico is a private company with offices in Palo Alto, Seattle, and Stockholm.[12] Yubico CTO, Jakob Ehrensvärd, is the lead author of the original strong authentication specification that became known as Universal 2nd Factor (U2F).[13]
Yubikey released the Yubikey 5 series in 2018 which adds support for FIDO2.[14]
History
Yubico was founded in 2007 and began offering a Pilot Box for developers in November of that year.[15] The original YubiKey product was shown at the annual RSA Conference in April 2008,[16][17] and a more robust YubiKey II model was launched in 2009.[18]
YubiKey II and later models have two 'slots' available, for storing two distinct configurations with separate AES secrets and other settings. When authenticating the first slot is used by only briefly pressing the button on the device, while the second slot gets used when holding the button for 2 to 5 seconds.
In 2010, Yubico began offering the YubiKey OATH and YubiKey RFID models. The YubiKey OATH added the ability to generate 6- and 8-character one-time passwords using protocols from the Initiative for Open Authentication (OATH), in addition to the 32-character passwords used by Yubico's own OTP authentication scheme. The YubiKey RFID model included the OATH capability plus also included a MIFARE Classic 1k radio-frequency identification chip,[19] though that was a separate device within the package that could not be configured with the normal Yubico software over a USB connection.[20]
Yubico announced the YubiKey Nano in February 2012, a miniaturized version of the standard YubiKey which was designed so it would fit almost entirely inside a USB port and only expose a small touch pad for the button.[21] Most later models of the YubiKey have also been available in both standard and 'nano' sizes.
2012 also saw the introduction of the YubiKey Neo, which improved upon the previous YubiKey RFID product by implementing near-field communication (NFC) technology and integrating it with the USB side of the device.[22] The YubiKey Neo (and Neo-n, a 'nano' version of the device) are able to transmit one-time passwords to NFC readers as part of a configurable URL contained in a NFC Data Exchange Format (NDEF) message. The Neo is also able to communicate using the CCID smart-card protocol in addition to USB HID (human interface device) keyboard emulation. The CCID mode is used for PIV smart card and OpenPGP support, while USB HID is used for the one-time password authentication schemes.[23]
In 2014, the YubiKey Neo was updated with FIDO Universal 2nd Factor (U2F) support.[24] Later that year, Yubico released the FIDO U2F Security Key, which specifically included U2F support but none of the other one-time password, static password, smart card, or NFC features of previous YubiKeys.[8] At launch, it was correspondingly sold at a lower price point of just $18, compared to $25 for the YubiKey Standard ($40 for the Nano version), and $50 for the YubiKey Neo ($60 for Neo-n).[25] Some of the pre-release devices issued by Google during FIDO/U2F development reported themselves as 'Yubico WinUSB Gnubby (gnubby1)'.[26]
In April 2015, the company launched the YubiKey Edge in both standard and nano form factors. This slotted in between the Neo and FIDO U2F products feature-wise, as it was designed to handle OTP and U2F authentication, but did not include smart card or NFC support.[27]
The YubiKey 4 family of devices was first launched in November 2015, with USB-A models in both standard and nano sizes. The YubiKey 4 includes most features of the YubiKey Neo, including increasing the allowed OpenPGP key size to 4096 bits (vs. the previous 2048), but dropped the NFC capability of the Neo.
At CES 2017, Yubico announced an expansion of the YubiKey 4 series to support a new USB-C design. The YubiKey 4C was released on February 13, 2017.[28] On Android OS over the USB-C connection, only the one-time password feature is supported by the Android OS and YubiKey, with other features not currently supported including Universal 2nd Factor (U2F).[29] A 4C Nano version became available in September 2017.[30]
In April 2018, the company brought out the Security Key by Yubico, their first device to implement the new FIDO2 authentication protocols, WebAuthn (which reached W3C Candidate Recommendation status in March[31]) and Client to Authenticator Protocol (CTAP, still under development as of May 2018). At launch, the device is only available in the 'standard' form factor with a USB-A connector. Like the previous FIDO U2F Security Key, it is blue in color and uses a key icon on its button. It is distinguished by a number '2' etched into the plastic between the button and the keyring hole. It is also less expensive than the YubiKey Neo and YubiKey 4 models, costing $20 per unit at launch because it lacks the OTP and smart card features of those previous devices, though it retains FIDO U2F capability.[9]
ModHex
When being used for one-time passwords and stored static passwords, the YubiKey emits characters using a modified hexadecimal alphabet which is intended to be as independent of system keyboard settings as possible. This alphabet, referred to as ModHex or Modified Hexadecimal, consists of the characters 'cbdefghijklnrtuv', corresponding to the hexadecimal digits '0123456789abcdef'.[32] Due to YubiKeys using raw keyboard scan codes in USB HID mode, there can be problems when using the devices on computers that are set up with different keyboard layouts, such as Dvorak. It is recommended to use operating system features to temporarily switch to a standard US keyboard layout (or similar) when using one-time passwords, although YubiKey Neo and later devices can be configured with alternate scan codes to match layouts that aren't compatible with the ModHex character set.[33]
U2F authentication in YubiKeys and Security Keys bypasses this problem by using the alternate U2FHID protocol, which sends and receives raw binary messages instead of keyboard scan codes.[34] CCID mode acts as a smart card reader, which does not use HID protocols at all.
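The ModHex mapping and the keyboard-layout problem described above can be made concrete with a short codec. This is an added example, not code from Yubico or from the original page: the ModHex alphabet is the one quoted above, while the function names and the Dvorak character table (what a standard US Dvorak layout produces for the same scan codes) are assumptions of the example.

```python
# Added example: ModHex codec with a check for keyboard-layout mangling.
HEX = "0123456789abcdef"
MODHEX = "cbdefghijklnrtuv"  # alphabet quoted in the text above

# Assumption: standard US Dvorak. Characters that layout produces when the
# token sends the scan codes for MODHEX, listed in the same order.
DVORAK_SEEN = "jxe.uidchtnbpygk"

_TO_MODHEX = str.maketrans(HEX, MODHEX)
_FROM_MODHEX = str.maketrans(MODHEX, HEX)
_UNDO_DVORAK = str.maketrans(DVORAK_SEEN, MODHEX)


def modhex_encode(data: bytes) -> str:
    """Encode bytes as ModHex, two characters per byte."""
    return data.hex().translate(_TO_MODHEX)


def modhex_decode(text: str) -> bytes:
    """Decode ModHex, rejecting anything outside the 16-character alphabet."""
    text = text.strip()
    bad = sorted(set(text) - set(MODHEX))
    if bad:
        raise ValueError(f"not ModHex, unexpected characters: {bad}")
    if len(text) % 2:
        raise ValueError("ModHex string must have an even number of characters")
    return bytes.fromhex(text.translate(_FROM_MODHEX))


def diagnose(received: str):
    """Classify a string typed by the token on an unknown keyboard layout.

    Returns (status, modhex): status is 'ok', 'dvorak-layout' or 'invalid'.
    A mangled string is only recognisable when the original contained at
    least one of b, e, r or t, whose Dvorak images (x . p y) are not ModHex.
    """
    received = received.strip()
    if set(received) <= set(MODHEX):
        return "ok", received
    if set(received) <= set(DVORAK_SEEN):
        return "dvorak-layout", received.translate(_UNDO_DVORAK)
    return "invalid", None


if __name__ == "__main__":
    sample = bytes.fromhex("0123456789abcdef")   # constructed input
    encoded = modhex_encode(sample)
    print(encoded, modhex_decode(encoded).hex())
    print(diagnose("jxe.uidchtnbpygk"))          # same keys seen through Dvorak
```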
Security issues
YubiKey 4 closed-sourcing concerns
In an example of security through obscurity, Yubico replaced all open-source components in YubiKey 4 with closed-source code, which can no longer be independently reviewed for security flaws.[35] Yubikey NEOs still use open-source code.
On May 16, 2016, Yubico CTO Jakob Ehrensvärd responded to the open-source community's concerns with a blog post saying that 'we, as a product company, have taken a clear stand against implementations based on off-the-shelf components and further believe that something like a commercial-grade AVR or ARM controller is unfit to be used in a security product.'[36]
Techdirt founder Mike Masnick strongly criticized this decision, saying 'Encryption is tricky. There are almost always vulnerabilities and bugs -- a point we've been making a lot lately. But the best way to fix those tends to be getting as many knowledgeable eyes on the code as possible. And that's not possible when it's closed source.'[37]
These decisions involved the use of highly specialized silicon that comes from only a few sources, whose firmware is designed using manufacturer-provided emulators (since the firmware cannot be tested on a live device due to countermeasures against reading and probing). Both the specialized silicon itself, and the emulators and other tools required to program it, are invariably covered by non disclosure agreements by their suppliers and unavailable to the public or other non-recognized customers.
Accordingly, the keys contain firmware that even an end user cannot read (and therefore cannot validate the actual firmware against an expected firmware). Further, if the firmware could be read, the end user would still lack access to the supplier's emulators and other tools required to change or validate it using a toolchain (and therefore cannot confirm that the source code compiles to the given firmware). They could also not rewrite an existing or modified firmware to their key nor obtain blank silicon to program 'from clean', to test it in situ.
ROCA vulnerability in certain YubiKey 4, 4C, and 4 Nano devices
In October 2017, security researchers found a vulnerability (known as ROCA) in the implementation of RSA keypair generation in a cryptographic library used by a large number of Infineon security chips, as used in a wide range of security keys and security token products (including YubiKey). The vulnerability allows an attacker to reconstruct the private key by using the public key.[38][39] All YubiKey 4, YubiKey 4C, and YubiKey 4 Nano devices within the revisions 4.2.6 to 4.3.4 were affected by this vulnerability.[40] Yubico remedied this issue in all shipping YubiKey 4 devices by switching to a different key generation function and offered free replacements for any affected keys. The replacement offer ended on March 31, 2019. In some cases the issue can be bypassed by generating new keys outside of the YubiKey and importing them onto the device.[41]
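A defender can check an existing RSA public key for this issue without the private key, because moduli produced by the flawed routine carry a published fingerprint: their residues modulo a set of small primes all lie in the multiplicative subgroup generated by 65537. The following is an added example, not code from the original page or from Yubico; the prime list, sample numbers and function names are assumptions of the example, and the firmware range is the one stated above.

```python
# Added example: ROCA fingerprint test plus the firmware range given above.
from math import prod

# Assumption: small primes used for the fingerprint test.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537


def _subgroup(g, p):
    """All powers of g modulo the prime p."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * g % p
    return seen


ALLOWED = {p: _subgroup(GENERATOR % p, p) for p in SMALL_PRIMES}


def has_roca_fingerprint(modulus: int) -> bool:
    """True if every small-prime residue of the modulus is a power of 65537."""
    return all(modulus % p in ALLOWED[p] for p in SMALL_PRIMES)


def firmware_in_roca_range(version: str) -> bool:
    """True for firmware revisions 4.2.6 to 4.3.4, the range stated above."""
    v = tuple(int(part) for part in version.split("."))
    return (4, 2, 6) <= v <= (4, 3, 4)


def triage(modulus: int, firmware: str = "") -> str:
    if has_roca_fingerprint(modulus):
        return "weak-key"            # regenerate off-card, revoke the old key
    if firmware and firmware_in_roca_range(firmware):
        return "affected-firmware"   # this key is fine, e.g. it was imported
    return "clear"


# Constructed test values, not real keys. The first has the residue structure
# of an affected modulus (its factors are not necessarily prime); the second
# is the product of two ordinary primes.
_M = 2 * prod(SMALL_PRIMES)


def _structured(k, a):
    return k * _M + pow(GENERATOR, a, _M)


FINGERPRINTED_SAMPLE = _structured(1234567, 41) * _structured(7654321, 97)
ORDINARY_SAMPLE = (2**61 - 1) * (2**89 - 1)

if __name__ == "__main__":
    print(triage(FINGERPRINTED_SAMPLE, "4.3.1"))
    print(triage(ORDINARY_SAMPLE, "4.3.1"))
    print(triage(ORDINARY_SAMPLE, "4.3.5"))
```

Pass the RSA modulus n of each public key or subkey you want to check. A key generated on a secure computer and imported, as in the guide above, does not carry the fingerprint even on an affected device.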
Reduced initial randomness on certain FIPS series devices
In June 2019, Yubico released a security advisory reporting reduced randomness in FIPS-certified devices with firmware version 4.4.2 and 4.4.4, shortly after power-up (there is no version 4.4.3).[42] Security keys with reduced randomness may leave keys more easily discovered and compromised than expected. The issue affected the FIPS series only, and then only certain scenarios, although FIPS ECDSA usage was 'at higher risk'. The company offered free replacements for any affected keys.
Social activism
During the 2019 Hong Kong protests, there was great concern over the online security of protesters in the face of worsening police abuse of power. Yubico sponsored Hong Kong protesters with 500 YubiKeys to protect them. The company said the decision was based on its mission to protect vulnerable Internet users, and that it works with free speech supporters.[43][44]
References
- [1] 'Specifications Overview'. FIDO Alliance. Retrieved 4 December 2015.
- [2] 'What Is A Yubikey'. Yubico. Retrieved 7 November 2014.
- [3] McMillan (3 October 2013). 'Facebook Pushes Passwords One Step Closer to Death'. Wired. Retrieved 7 November 2014.
- [4] Diallo, Amadou (30 November 2013). 'Google Wants To Make Your Passwords Obsolete'. Forbes. Retrieved 15 November 2014.
- [5] Blackman, Andrew (15 September 2013). 'Say Goodbye to the Password'. The Wall Street Journal. Archived from the original on 3 January 2014. Retrieved 15 November 2014.
- [6] 'YubiKey Authentication'. LastPass. Retrieved 15 November 2014.
- [7] 'KeePass & YubiKey'. KeePass. Retrieved 15 November 2014.
- [8] 'Yubico Releases FIDO U2F Security Key'. Yubico (Press release). 2014-10-21. Retrieved 2018-05-05.
- [9] 'Yubico Launches New Developer Program and Security Key for FIDO2 and WebAuthn W3C Specifications' (Press release). 2018-04-10. Retrieved 2018-05-06.
- [10] 'Launching The 4th Generation YubiKey'. Yubico. Retrieved 20 November 2015.
- [11] 'With a Touch, Yubico, Docker Revolutionize Code Signing'. Yubico. Retrieved 20 November 2015.
- [12] 'The Team'. Yubico. Retrieved 12 September 2015.
- [13] 'History of FIDO'. FIDO Alliance. Retrieved 16 March 2017.
- [14] 'Yubico launches new YubiKey 5 Series 2FA keys, supports passwordless FIDO2 and NFC'. Android Police. 2018-09-24. Retrieved 2019-10-07.
- [15] 'Yubico launches YubiKey Pilot Box'. Yubico. 2007-11-26. Archived from the original on 2008-02-21.
- [16] Steve Gibson (April 2008). 'Security Now! Notes for Episode #141'. Security Now!. Gibson Research Corporation. Retrieved 2018-05-05.
- [17] Leo Laporte and Steve Gibson (2008-04-24). 'Episode #141 - RSA Conference 2008'. Security Now!. Gibson Research Corporation. Retrieved 2018-05-05.
- [18] Mike (2009-08-27). 'Yubikey II – got it'. Read My Damn Blog. Retrieved 2018-05-05.
- [19] 'RFID YubiKey'. Yubico Store. Archived from the original on 2011-08-29. Retrieved 2018-05-05.
- [20] 'RFID YubiKey'. IDivine Technology. Retrieved 2018-05-05.
- [21] 'Yubico Launches YubiKey Nano, The World's Smallest One-Time Password Token' (Press release). Yubico. 2012-02-28. Retrieved 2018-05-05.
- [22] Clark, Sarah (2012-02-22). 'Yubico introduces one-time password token that secures access to the contents of NFC phones'. NFC World. Retrieved 2018-05-05.
- [23] Maples, David (2012-12-26). 'YubiKey NEO Composite Device'. Yubico. Retrieved 2018-05-05.
- [24] 'Yubico Introduces Industry's First FIDO Ready™ Universal 2nd Factor Device'. Yubico (Press release). 2014-01-06. Retrieved 2018-05-05.
- [25] 'YubiKey Hardware'. Yubico. Archived from the original on 2014-11-07.
- [26] 'pamu2fcfg doesn't support test devices'.
- [27] 'Yubico Launches YubiKey Edge at RSA 2015; OTP and U2F Two-Factor Authentication in One Key'. Yubico (Press release). Retrieved 2018-05-05.
- [28] 'NEW YubiKey 4C featuring USB-C revealed at CES 2017 Yubico'. Yubico. 2017-01-05. Retrieved 2017-09-14.
- [29] 'Can the YubiKey 4C be plugged directly into Android phones or tablets with USB-C ports? Yubico'. Yubico. Retrieved 2017-09-14.
- [30] 'Our Family is Growing! YubiKey 4C Nano Unveiled at Microsoft Ignite'. Yubico. 2017-09-25. Retrieved 2018-05-05.
- [31] Jones, Michael (2018-03-20). 'Candidate Recommendation (CR) for Web Authentication Specification'. W3C Web Authentication Working Group. Retrieved 2018-05-06.
- [32] E, Jakob (12 June 2008). 'Modhex - why and what is it?'. Yubico. Retrieved 6 November 2016.
- [33] Toh, Alvin (2013-07-24). 'Expanding YubiKey Keyboard Support'. Yubico. Retrieved 2018-05-05.
- [34] 'FIDO U2F HID Protocol Specification'. FIDO Alliance. 2017-04-11. Retrieved 2018-05-06.
- [35] Ryabitsev, Konstantin. 'I must, sadly, withdraw my endorsement of yubikey 4 devices (and perhaps all newer yubikeys)'. Google+. Retrieved 12 November 2016.
- [36] 'Secure Hardware vs. Open Source'. Yubico.com. Retrieved 16 March 2017.
- [37] Masnick, Mike (16 May 2016). 'Bad News: Two-Factor Authentication Pioneer YubiKey Drops Open Source PGP For Proprietary Version'. Techdirt. Retrieved 27 March 2020.
- [38] 'ROCA: Vulnerable RSA generation (CVE-2017-15361) [CRoCS wiki]'. crocs.fi.muni.cz. Retrieved 2017-10-19.
- [39] 'NVD - CVE-2017-15361'. nvd.nist.gov. Retrieved 2017-10-19.
- [40] 'Infineon RSA Key Generation Issue - Customer Portal'. Yubico.com. Retrieved 11 June 2019.
- [41] 'Yubico Mitigation Recommendations'. Yubico.com. Retrieved 11 June 2019.
- [42] 'Security Advisory YSA-2019-02 Reduced initial randomness on FIPS keys'. Retrieved 2019-06-14.
- [43] 'Swedish tech firm Yubico hands Hong Kong protesters free security keys amid fears over police tactics online'. South China Morning Post. 2019-10-10. Retrieved 2019-10-18.
- [44] 'Yubico 贊助香港抗爭者世上最強網上保安鎖匙 Yubikey 立場新聞' [Yubico sponsors Hong Kong protesters with the world's strongest online security key, YubiKey]. 立場新聞 Stand News. Retrieved 2019-10-18.