A YubiKey is a hardware authentication device that provides the strongest form of two-factor authentication available to consumers. Unlike TOTP codes (which can be phished), a YubiKey uses cryptographic protocols (FIDO2/WebAuthn, FIDO U2F) whose signed responses are bound to the specific website’s origin, so a response captured on a look-alike domain is useless to the attacker and phishing of the second factor fails by design. This guide covers setting up a YubiKey for web 2FA, SSH authentication, and GPG signing.
Choosing the Right YubiKey
Yubico offers several models:
| Model | Best For |
|---|---|
| YubiKey 5 NFC | Most users — USB-A, NFC for phones |
| YubiKey 5C NFC | USB-C laptops + NFC |
| YubiKey 5 Nano | Always-in USB-A, low profile |
| YubiKey Bio | Biometric fingerprint authentication |
| Security Key NFC | Budget option — FIDO2/U2F only |
The YubiKey 5 NFC (~$55) is the best all-around choice for most people. It supports FIDO2, FIDO U2F, TOTP, PIV, OpenPGP, and OTP.
Setting Up YubiKey for Website 2FA (FIDO2/WebAuthn)
This is the simplest and most important use case. FIDO2 works on any site that supports “Security Key” or “Hardware key” as a 2FA option.
Registering on a Website
- Go to your account security settings (e.g., GitHub, Google, Cloudflare, Fastmail)
- Find Two-Factor Authentication → Security Key or Hardware Key
- Click Add security key
- When prompted, insert your YubiKey and touch the gold circle
- Name the key (e.g., “YubiKey 5 NFC”) and save
That’s it. The next time you log in, after entering your password, you’ll be prompted to insert and touch the key. No codes to type.
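To show why the key cannot be phished, here is an added example (not part of the original guide) of the checks a website’s server performs on a WebAuthn login response: the browser records the real page origin in clientDataJSON, and the key only ever signs authenticator data for the relying-party ID it was registered under. The relying-party ID, allowed origins and sample assertions are constructed for this example; the final signature check over the returned bytes is left to a WebAuthn library.

```python
import base64
import hashlib
import json
import struct

RP_ID = "example.com"                                       # assumed relying-party ID
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def client_data(challenge: str, origin: str) -> str:
    # clientDataJSON is built by the browser, which fills in the real page origin
    return b64url_encode(json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode())

def authenticator_data(rp_id: str, sign_count: int, user_present: bool = True) -> bytes:
    # authenticatorData = sha256(rpId) || flags || signCount; the key signs this || sha256(clientDataJSON)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x01 if user_present else 0x00]) + struct.pack(">I", sign_count)

def check_assertion(client_data_b64: str, auth_data: bytes, expected_challenge: str, stored_count: int):
    """Relying-party checks that make a relayed assertion useless; returns (ok, reason)."""
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} not allowed"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    rp_hash, flags, count = auth_data[:32], auth_data[32], struct.unpack(">I", auth_data[33:37])[0]
    if rp_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: key was used for a different relying party"
    if not flags & 0x01:
        return False, "user presence (touch) flag not set"
    if (count or stored_count) and count <= stored_count:
        return False, "signature counter did not increase (possible cloned key)"
    signed = auth_data + hashlib.sha256(b64url_decode(client_data_b64)).digest()
    return True, f"checks passed; verify the signature over {len(signed)} bytes with the stored public key"

CHALLENGE = b64url_encode(b"constructed-random-challenge")
# Constructed sample: a genuine login on the real site...
GOOD = (client_data(CHALLENGE, "https://example.com"), authenticator_data("example.com", 7))
# ...and the same user tricked into touching the key on a look-alike domain
PHISH = (client_data(CHALLENGE, "https://examp1e.com"), authenticator_data("examp1e.com", 8))
```

Even if the look-alike site relays the response to the real server in real time, both the origin and the rpIdHash identify the wrong site and the login is rejected.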
Always register a backup key — if you lose your only YubiKey, you lose access to accounts. Buy a second YubiKey and register it on every service alongside your primary.
Supported Services
FIDO2 is supported by: Google, GitHub, Microsoft, Cloudflare, Twitter/X, Facebook, Dropbox, LastPass, Bitwarden, Fastmail, and hundreds more. Check dongleauth.com for a comprehensive list.
Setting Up YubiKey Manager
Download YubiKey Manager from yubico.com for configuring the key:
```bash
# Linux
sudo snap install yubikey-manager
# Or via pip
pip install yubikey-manager
```
Yubico also offers a GUI version. Key settings you may want to configure:
- OTP mode (slot 1/2) — for generating one-time passwords
- FIDO2 PIN — set a PIN for FIDO2 resident credentials
- PIV PIN/PUK — for smart card authentication
SSH Authentication with YubiKey
Using a YubiKey for SSH provides hardware-backed authentication that can’t be extracted from the machine, unlike file-based SSH keys.
Method 1: FIDO2 SSH Key (OpenSSH 8.2+)
Modern OpenSSH supports FIDO2-backed SSH keys that require physical key touch for each authentication:
```bash
# Generate a FIDO2-backed SSH key (requires YubiKey inserted)
ssh-keygen -t ed25519-sk -O resident -C "yubikey-ssh" -f ~/.ssh/id_ed25519_sk
```
- `-t ed25519-sk`: ed25519 key backed by a security key
- `-O resident`: stores the key handle on the YubiKey itself (useful if switching machines); this needs a FIDO2 PIN set on the key beforehand
You’ll be prompted to touch the YubiKey. The private key file is a “handle” — the actual cryptographic material lives on the hardware.
Copy the public key to servers:
```bash
ssh-copy-id -i ~/.ssh/id_ed25519_sk.pub user@server
```
Now when you SSH, you must physically touch the YubiKey. Even if someone steals your laptop, they can’t SSH without the physical key.
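The touch requirement described above is the default for `sk-` keys, but it can be switched off per key with the `no-touch-required` option in authorized_keys. As an added example (not from the original guide), this script audits an authorized_keys file for keys that are not hardware-backed or that have touch disabled, and decodes the `sk-ssh-ed25519@openssh.com` public key blob to show the application string ("ssh:") that the key is bound to. The sample file and the 32-byte public key are constructed.

```python
import base64
import struct

def ssh_string(b: bytes) -> bytes:  # SSH wire string: 4-byte big-endian length + bytes
    return struct.pack(">I", len(b)) + b

def read_string(blob: bytes, off: int):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def pubkey_blob(ktype: bytes, pk: bytes, application: str = None) -> str:
    # ssh-ed25519: string type || string pk; sk-ssh-ed25519@openssh.com adds || string application
    raw = ssh_string(ktype) + ssh_string(pk)
    if application is not None:
        raw += ssh_string(application.encode())
    return base64.b64encode(raw).decode()

def parse_blob(b64: str) -> dict:
    blob = base64.b64decode(b64)
    ktype, off = read_string(blob, 0)
    _pk, off = read_string(blob, off)
    info = {"type": ktype.decode(), "application": None}
    if ktype == b"sk-ssh-ed25519@openssh.com":
        info["application"] = read_string(blob, off)[0].decode()
    return info

def audit_authorized_keys(text: str) -> list:
    """Return (comment, finding) for keys that are not hardware-backed or have touch disabled."""
    findings = []
    for line in text.splitlines():
        parts = line.split()  # plain split; options with quoted spaces need a real tokenizer
        if not parts or parts[0].startswith("#"):
            continue
        i = 0 if parts[0].startswith(("ssh-", "sk-", "ecdsa-")) else 1  # 1 = options field present
        options = set(parts[0].split(",")) if i else set()
        ktype, comment, info = parts[i], " ".join(parts[i + 2:]), parse_blob(parts[i + 1])
        if not ktype.startswith("sk-"):
            findings.append((comment, "not hardware-backed: private key is a copyable file"))
        elif "no-touch-required" in options:
            findings.append((comment, "hardware-backed but touch requirement disabled"))
        elif not (info["application"] or "").startswith("ssh:"):
            findings.append((comment, f"unexpected application string {info['application']!r}"))
    return findings

PK, SK = bytes(range(32)), b"sk-ssh-ed25519@openssh.com"  # constructed stand-in public key
SAMPLE_AUTHORIZED_KEYS = "\n".join([  # constructed sample file
    f"ssh-ed25519 {pubkey_blob(b'ssh-ed25519', PK)} laptop-file-key",
    f"{SK.decode()} {pubkey_blob(SK, PK, 'ssh:')} yubikey-ssh",
    f"no-touch-required,restrict {SK.decode()} {pubkey_blob(SK, PK, 'ssh:')} yubikey-no-touch",
])
```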
Method 2: PIV Smart Card SSH
YubiKey’s PIV application acts as a smart card and can hold RSA or ECC certificates. This is common in enterprise environments but also works for personal SSH. It assumes a key and certificate already exist in the PIV Authentication slot (9a), which you can create with YubiKey Manager:
```bash
# Install required tools
sudo apt install opensc scdaemon
# List the keys stored on the YubiKey's PIV application
pkcs15-tool --list-keys
# Export the public key for SSH
ssh-keygen -D /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -e
```
GPG Signing and Encryption with YubiKey
The YubiKey OpenPGP applet stores up to 3 GPG subkeys (signing, encryption, authentication) directly on the hardware. GPG operations require the physical key to be present.
Setup
Install required packages:
```bash
sudo apt install gpg gnupg2 scdaemon pcscd
```
Generate a GPG master key (or use an existing one):
```bash
gpg --full-gen-key
# Choose RSA and RSA, 4096 bits
```
Move subkeys to the YubiKey. keytocard moves each subkey’s secret material off your local keyring and onto the card, so back up the key before you start:
```bash
gpg --edit-key YOUR_KEY_ID
# Inside the gpg prompt ("key N" toggles selection, so deselect key 1 before selecting key 2):
gpg> key 1        # Select the signing subkey
gpg> keytocard    # Move to card, choose slot 1 (signing)
gpg> key 1        # Deselect the signing subkey
gpg> key 2        # Select the encryption subkey
gpg> keytocard    # Move to card, choose slot 2 (encryption)
gpg> save
```
Now GPG operations (signing commits, decrypting emails) require the YubiKey to be inserted.
Git Commit Signing
```bash
# Configure GPG key for git
git config --global user.signingkey YOUR_KEY_ID
git config --global commit.gpgsign true
# Test signing (with a change staged)
git commit -m "signed commit"
```
You’ll need to touch the YubiKey when making each signed commit. GitHub, GitLab, and others will show a “Verified” badge on these commits.
TOTP with YubiKey Authenticator
The Yubico Authenticator app stores TOTP secrets on the YubiKey itself rather than in a phone app. Even if your phone is compromised, the TOTP seeds are on the hardware:
- Install Yubico Authenticator on your phone (iOS/Android)
- Open the app and scan the TOTP QR code normally — secrets are stored on the connected YubiKey rather than the phone’s storage
- Generating codes requires the YubiKey (via NFC or USB)
Protect Your YubiKey with a PIN
For FIDO2 resident credentials (passkeys stored on the key), set a PIN via YubiKey Manager:
Applications → FIDO2 → Set PIN
The PIN adds a second factor even if someone steals your physical key — they’d need both the hardware and the PIN to authenticate.
A YubiKey transforms your most sensitive accounts from SMS-2FA or TOTP (both phishable) to hardware-backed cryptographic authentication. For GitHub, email, VPN, and password manager accounts, it’s one of the highest-impact security upgrades you can make.