FIDO2 : The End of Password Theft
A deep dive into how hardware-backed, phishing-resistant authentication is redefining digital security — one touch at a time.
The Hidden Flaw in Digital Life
Every password you create is a shared secret. If a server leaks, your account is compromised. Phishing attacks exploit this weakness 24/7, tricking users into surrendering credentials willingly.
Shared Secrets
Servers store your passwords — a breach exposes everything.
Phishing Risk
Fake sites steal credentials in seconds with zero resistance.
FIDO2 Flips the Script
The secret never leaves your physical control.
The Three Pillars of FIDO2
FIDO2 authentication is built on a triad of components working in harmony. Each plays a distinct role in ensuring your identity is verified securely — without ever transmitting a password.
The Authenticator
Your YubiKey holds the private key securely within its hardware, never exposing it to any external system.
The Client
Your browser or platform manages the connection, acting as the bridge between the authenticator and the service.
The Relying Party
The website or service verifying your identity using the public key stored during registration.
Stage 1
Registration: Making a Credential
Before you can log in with your YubiKey, you must register it with the service. This one-time process creates a unique cryptographic bond between your key and that specific website.
Each service gets its own unique key pair. A breach at one site cannot compromise your credentials at another — isolation is built into the design.
Stage 2
Authentication: Getting an Assertion
When you return to log in, the process is swift and secure. No passwords typed, no codes entered — just a touch of your YubiKey.
What Happens
  • Service sends a fresh login challenge
  • YubiKey signs it with your private key
  • Signed response returned to the service
  • Service verifies using the stored public key
Why It's Secure
The private key never travels. Only a cryptographic signature is sent — useless to attackers without the physical key. Replay attacks fail because each challenge is unique.
Why Your YubiKey is Unhackable
Cryptographic Isolation
Private keys are generated and stored inside the YubiKey's secure element. They are never exposed to the host OS, browser, or any software layer.
Phishing Resistance
The YubiKey only signs for the RP ID the credential was registered under, and the browser derives that RP ID from the site's real origin. A fake site will never receive a valid signature — the key simply refuses.
No Backdoors
Credentials cannot be extracted from the hardware, even with physical access. Yubico's firmware is auditable and the design is open-standard.
The Power of User Verification (UV)
A YubiKey with User Verification enabled delivers multi-factor authentication from a single device, combining something you have (the key) with something you know (a PIN) or something you are (a biometric).
Biometric UV
Fingerprint-enabled YubiKeys unlock only when your fingerprint is recognised — tying credentials to your biology.
PIN Protection
A user-set PIN must be entered before the key will sign. Brute-force attempts are rate-limited by the hardware itself.
Theft Protection
Even if your YubiKey is physically stolen, credentials remain locked. The thief cannot authenticate without your PIN or biometric.
The Developer's Toolkit
FIDO2 is built on two open standards that make implementation straightforward for developers — no proprietary SDKs, no vendor lock-in.
1. WebAuthn
The W3C web API that handles the browser-side handshake. Supported natively in Chrome, Firefox, Safari, and Edge.
2. CTAP
Client to Authenticator Protocol — the communication layer linking the browser to the YubiKey via USB, NFC, or Bluetooth.
Strategic Implementation
Deploying FIDO2 at scale requires thoughtful planning. Follow these best practices to ensure a smooth, secure transition for your organisation.
1. Register Two Keys Minimum
Always maintain a backup YubiKey to avoid being locked out. Store it in a secure, separate location.
2. Use Yubico Authenticator
Manage PINs, view stored passkeys, and configure your keys through the official Yubico Authenticator application.
3. Meet NIST AAL3 Compliance
Transition from legacy MFA (SMS, TOTP) to FIDO2 to satisfy the highest assurance level defined by NIST guidelines.
A Passwordless Future
The era of shared secrets and human error is ending. Hardware-backed, phishing-resistant authentication is the new standard — and the global shift is already underway.
Beyond Passwords
Eliminate the attack surface that passwords create entirely.
Physical-Grade Security
Secure your digital identity with cryptographic hardware you control.
Join the Movement
Millions of users and thousands of enterprises have already made the switch.