
What is a YubiKey?
A YubiKey is a hardware security key made by Yubico. It provides a possession factor for authentication: the device holds private keys and uses them to produce cryptographic proofs that the key is present. Unlike software authenticators, whose secrets can be copied by malware on the host, a YubiKey keeps its secrets in a tamper-resistant secure element designed so that they cannot be exported; the host can ask the key to sign or compute with a secret, but never to hand it over.
Physical Design and Form Factors
YubiKeys come in several physical configurations to match different ports. The standard USB-A model measures roughly 18 mm x 45 mm and is designed to stay plugged into a laptop port. USB-C models serve current laptops and phones, and the YubiKey 5Ci carries both a Lightning and a USB-C connector. NFC-enabled models authenticate wirelessly with phones and other NFC readers. There is no battery; the key is powered by the host port or by the NFC field. Most models have a gold capacitive touch pad (a button on some form factors) that must be touched to complete an operation, which is how the key establishes that a person is present.

How Does YubiKey Work?
A YubiKey speaks several protocols (listed in the next section), but the one that matters most today is FIDO2/WebAuthn, which uses public-key cryptography so that nothing reusable ever reaches the service. When you register the key with a service (the relying party), the key generates a fresh key pair for that registration: the private key stays on the key, and the public key goes to the service, which stores it with your account. At login the service sends a random challenge through the browser. The browser adds the origin of the page it is actually showing, and the key signs the challenge together with a hash of the site's identifier using the private key; the service checks the signature with the stored public key. Because the credential is bound to that site and the challenge is never reused, a valid response proves possession of the key, cannot be replayed, and is worthless to a look-alike domain. No password or reusable secret is ever transmitted.
Every signature requires a physical gesture. For most operations you touch the gold pad, a capacitive sensor that registers a finger; the key refuses to sign until it does, so malware on the host cannot drive the key silently in the background (it can only wait for you to touch it, which is why the origin binding above matters as much as the touch). The YubiKey Bio series verifies a fingerprint on the key itself, pairing something you have (the device) with something you are (the biometric). A PIN adds something you know: FIDO2 passwordless login and most PIV and OpenPGP operations require the PIN before the key will use the private key. The PIN is checked on the key rather than on the host, and the key locks the function after a small number of wrong attempts.
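To make the challenge and response concrete, the following Go program, written for this article and not taken from Yubico's firmware or libraries, simulates the three parties of a WebAuthn login: the key (holding a P-256 private key per site), the browser (which hashes the server's challenge together with the real page origin), and the relying party (which checks the RP ID hash, the user-presence flag, the signature counter and the signature). The domain names, the challenge bytes, the simplified clientData JSON and all function names are constructed for the example; real authenticator data and clientDataJSON carry more fields, and a real key talks CBOR over USB HID or NFC.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const flagUserPresent = 0x01 // the WebAuthn "UP" bit in the flags byte

// Authenticator stands in for a security key: one P-256 key per relying-party ID, a
// signature counter, and a "touched" flag modelling the contact pad.
type Authenticator struct {
	creds     map[string]*ecdsa.PrivateKey // private keys never leave this struct
	signCount uint32
	touched   bool
}

// Register creates a credential bound to rpID; the relying party stores the public key.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if a.creds == nil {
		a.creds = map[string]*ecdsa.PrivateKey{}
	}
	a.creds[rpID] = priv
	return &priv.PublicKey, nil
}

// Touch records one user-presence gesture; the next Assert consumes it.
func (a *Authenticator) Touch() { a.touched = true }

type Assertion struct {
	AuthData  []byte // rpIdHash(32) || flags(1) || signCount(4), as in WebAuthn
	Signature []byte // ECDSA over SHA-256(AuthData || clientDataHash)
}

// Assert is the key's side. rpID comes from the browser's view of the page origin, so a
// look-alike domain maps to no credential and nothing gets signed.
func (a *Authenticator) Assert(rpID string, clientDataHash [32]byte) (*Assertion, error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential for %q", rpID)
	}
	if !a.touched {
		return nil, errors.New("user presence required: touch the key")
	}
	a.touched, a.signCount = false, a.signCount+1
	h := sha256.Sum256([]byte(rpID))
	ad := append(h[:], flagUserPresent, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(ad[33:], a.signCount)
	msg := sha256.Sum256(append(append([]byte{}, ad...), clientDataHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, msg[:])
	return &Assertion{AuthData: ad, Signature: sig}, err
}

// ClientDataHash is the browser's contribution: the challenge plus the real page origin.
func ClientDataHash(challenge []byte, origin string) [32]byte {
	return sha256.Sum256([]byte(fmt.Sprintf(`{"type":"webauthn.get","challenge":"%x","origin":"%s"}`, challenge, origin)))
}

// Verify is the relying party's side: RP ID hash, UP flag, counter, then the signature.
func Verify(pub *ecdsa.PublicKey, rpID string, clientDataHash [32]byte, as *Assertion, lastCount uint32) error {
	if as == nil || len(as.AuthData) != 37 {
		return errors.New("malformed assertion")
	}
	if want := sha256.Sum256([]byte(rpID)); string(as.AuthData[:32]) != string(want[:]) {
		return errors.New("rpIdHash mismatch: assertion was made for another site")
	}
	if as.AuthData[32]&flagUserPresent == 0 {
		return errors.New("user presence flag not set")
	}
	if binary.BigEndian.Uint32(as.AuthData[33:]) <= lastCount {
		return errors.New("signature counter did not increase: replay or cloned key")
	}
	msg := sha256.Sum256(append(append([]byte{}, as.AuthData...), clientDataHash[:]...))
	if !ecdsa.VerifyASN1(pub, msg[:], as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	key := &Authenticator{}
	pub, _ := key.Register("bank.example")
	cdh := ClientDataHash([]byte("constructed challenge"), "https://bank.example")
	key.Touch()
	as, _ := key.Assert("bank.example", cdh)
	fmt.Println("genuine site:", Verify(pub, "bank.example", cdh, as, 0)) // <nil>
	_, err := key.Assert("bank-login.example", cdh) // rpID a browser derives on a look-alike page
	fmt.Println("look-alike site:", err)
}
```

Run it and the genuine login verifies while the look-alike domain gets no signature at all: the browser, not the user, decides which RP ID is presented, so the key has no credential to sign with. The counter check is what lets a relying party notice a cloned key: two copies of the same credential will eventually present a counter that did not increase.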
YubiKey Authentication Protocols and Standards
YubiKeys support a range of authentication standards designed to eliminate passwords, resist phishing, and improve login security. Here’s a breakdown of the key protocols they support:
- FIDO2 & WebAuthn (passwordless authentication). FIDO2 is the current standard for phishing-resistant and passwordless login. At registration the key creates a key pair for that specific relying party ID; at login it only signs for the ID the browser derived from the page's origin, so a credential registered at the real site cannot be exercised from a look-alike domain. Plain second-factor credentials are stored by the service and cost the key nothing; passwordless (usernameless) login uses discoverable credentials stored on the key, of which a YubiKey holds a limited number depending on firmware. Supported by Google, Microsoft, Facebook, GitHub and many others.
- FIDO U2F (Universal 2nd Factor). U2F, the predecessor of FIDO2, adds a physical second factor to password logins: after entering the password you tap the key. The origin check is the same as in FIDO2, so the tap cannot be phished to another site. U2F works natively in modern browsers without extra drivers, and FIDO2/WebAuthn services still accept U2F-registered credentials.
- OATH (TOTP/HOTP one-time passwords). The key stores OATH seeds and computes codes on request (32 slots on most YubiKey 5 firmware; newer firmware raises the limit), acting as a hardware authenticator app. TOTP codes change every 30 seconds; HOTP codes are counter-based and generated on demand. The key has no clock, so a host application such as Yubico Authenticator or ykman supplies the time and displays the codes. The advantage over a phone app is that the seeds cannot be exported, even by malware or a device backup.
- PIV smart card functionality. YubiKeys implement the Personal Identity Verification (PIV) smart card interface used for enterprise certificate-based authentication. The key holds X.509 certificates and their private keys for network authentication, email signing and encryption, and works with Windows domain smart card logon and with macOS smart card login and FileVault unlock. Private-key operations are gated by the PIV PIN, which locks after a few wrong attempts and can be reset with the PUK.
- OpenPGP support. The key acts as an OpenPGP smart card for signing, encryption and authentication (for example SSH through gpg-agent). Keys can be generated on the device or imported onto it; either way the private key does not leave the hardware afterwards. Generate on-device for the strongest guarantee, or generate elsewhere and import if you need an offline backup, because a key generated on the device cannot be backed up.
- Yubico OTP & static passwords. Yubico OTP emits a 44-character one-time password in modhex (a keyboard-layout-independent alphabet): the first 12 characters are the key's public ID and the remaining 32 are an AES-128-encrypted token carrying a usage counter and timestamp, which the YubiCloud validation service or a self-hosted validation server decrypts and checks for replay. Static password mode types a fixed password for systems without modern authentication; it is only as strong as any other password and offers no phishing resistance. Both modes emulate keyboard input, so they work anywhere a keyboard does.
- Challenge-response authentication. The host sends a challenge of up to 64 bytes and the key returns an HMAC-SHA1 over it under a 20-byte secret that never leaves the key. It suits offline use cases such as disk encryption and password manager unlock (for example KeePassXC), where the application mixes the response into its key derivation so the data cannot be opened without the physical key. Keep a second key programmed with the same secret, or record the secret offline, because losing the only key locks the data permanently.
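The OATH and challenge-response entries above rely on the same primitive, HMAC-SHA1 keyed with a secret that stays on the key. The Go program below is an added example for this article, not Yubico or KeePassXC code: it implements HOTP (RFC 4226) and TOTP (RFC 6238) as the key computes them, decodes the base32 seed format that otpauth:// URIs and enrolment QR codes use, and computes an HMAC-SHA1 challenge-response within the YubiKey's 64-byte challenge limit. The seed is the reference secret from the RFCs, the challenge string is constructed, and the function names are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// DecodeBase32Secret turns the seed from an otpauth:// URI or QR code (base32,
// often shown in spaced lower-case groups) into the raw bytes the key stores.
func DecodeBase32Secret(s string) ([]byte, error) {
	s = strings.ToUpper(strings.ReplaceAll(s, " ", ""))
	if m := len(s) % 8; m != 0 {
		s += strings.Repeat("=", 8-m)
	}
	return base32.StdEncoding.DecodeString(s)
}

// HOTP implements RFC 4226 with HMAC-SHA1: big-endian 8-byte counter, dynamic
// truncation at the offset given by the low nibble of the last MAC byte, then
// reduction modulo 10^digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is HOTP with counter = floor(unixTime / step) (RFC 6238). The key has no
// clock: the host application supplies t, which is why a YubiKey's TOTP codes
// need Yubico Authenticator or ykman, and why a skewed host clock yields codes
// the server rejects.
func TOTP(secret []byte, t time.Time, step time.Duration, digits int) string {
	return HOTP(secret, uint64(t.Unix())/uint64(step/time.Second), digits)
}

// ChallengeResponse is the HMAC-SHA1 slot mode: the host sends up to 64 bytes and
// the key returns the 20-byte HMAC under its stored 20-byte secret. The caller
// (disk encryption, a password manager) mixes the response into its key
// derivation, so the data cannot be opened without the physical key.
func ChallengeResponse(secret, challenge []byte) ([]byte, error) {
	if len(challenge) == 0 || len(challenge) > 64 {
		return nil, fmt.Errorf("challenge must be 1..64 bytes, got %d", len(challenge))
	}
	mac := hmac.New(sha1.New, secret)
	mac.Write(challenge)
	return mac.Sum(nil), nil
}

func main() {
	// RFC 4226 / RFC 6238 reference secret "12345678901234567890", written as base32.
	secret, err := DecodeBase32Secret("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
	if err != nil {
		panic(err)
	}
	fmt.Println("HOTP counter 0:", HOTP(secret, 0, 6))                                // 755224
	fmt.Println("TOTP at t=59s: ", TOTP(secret, time.Unix(59, 0), 30*time.Second, 8)) // 94287082
	fmt.Println("TOTP now:      ", TOTP(secret, time.Now(), 30*time.Second, 6))
	resp, _ := ChallengeResponse(secret, []byte("constructed challenge")) // constructed input
	fmt.Println("HMAC-SHA1 response:", hex.EncodeToString(resp))
}
```

The reference seed gives 755224 for HOTP counter 0 and 94287082 for an 8-digit TOTP at Unix time 59, matching the RFC test vectors; if an implementation disagrees, check the big-endian counter and the dynamic truncation offset first. Because the host supplies the time, TOTP on a security key adds no clock to trust, but it also means the seed's protection rests entirely on the key refusing to export it.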
YubiKey Models and Series Comparison
| Model | USB Type | NFC | FIDO2 | PIV | OpenPGP | Bio | Price Range |
|---|---|---|---|---|---|---|---|
| YubiKey 5 NFC | USB-A | Yes | Yes | Yes | Yes | No | $55 |
| YubiKey 5C NFC | USB-C | Yes | Yes | Yes | Yes | No | $55 |
| YubiKey 5Ci | Lightning/USB-C | No | Yes | Yes | Yes | No | $70 |
| YubiKey Bio (FIDO Edition) | USB-A/C | No | Yes | No | No | Yes | $80-85 |
| Security Key NFC | USB-A | Yes | Yes | No | No | No | $25 |
| YubiKey 5 FIPS | USB-A/C | Varies | Yes | Yes | Yes | No | $70-80 |
Prices are approximate list prices and change over time. The Bio row describes the FIDO Edition; Yubico also sells a Bio Multi-protocol Edition that adds PIV. The YubiKey 5 and 5 FIPS rows additionally support OATH, Yubico OTP and HMAC-SHA1 challenge-response; the Security Key and Bio FIDO Edition are FIDO-only devices.
Best YubiKey Alternatives for Enterprise Use
Hardware security keys are often compared only by whether they support FIDO2. In enterprise deployments, that is not sufficient. The practical differences are usually in (1) how well the key fits workstation-centric workflows (shared PCs, fast lock/unlock), (2) whether it supports hybrid environments where passwordless is introduced gradually while legacy password/OTP systems remain, and (3) whether the vendor covers PKI/smart-card scenarios in addition to FIDO2.
1. Hideez Keys — FIDO2, fast lock/unlock, and password management
Hideez Key is positioned not only as a FIDO security key, but as part of a workstation access workflow that includes unlock and automatic lock based on proximity. For shared workstation environments, the value is that security is not limited to the login event: the session can be locked automatically when the user leaves the workstation area, reducing exposure from unattended sessions.
A second key advantage is support for hybrid deployments: passwordless authentication where possible, while still allowing access to legacy systems that rely on password-based login and OTP. Hideez markets this as combining passwordless authentication with password/OTP usage for legacy systems within the same user experience (for example, password management and OTP functionality alongside modern authentication).

2. Thales SafeNet eToken Fusion — combined FIDO2 + PKI token
Thales positions eToken Fusion as a single device that combines FIDO authentication and PKI use cases. This class of token is typically relevant for enterprises that need both FIDO2/WebAuthn for phishing-resistant access to web-based services and certificate-based authentication (often PIV-compatible workflows) for Windows logon, VPN, signing, and other PKI-driven controls.
eToken Fusion is often evaluated as an alternative when organizations prioritize Thales’ IAM ecosystem alignment and procurement/compliance requirements, while still needing both FIDO and PKI in one token.

3. Token2 — FIDO2-first device with OTP support
Token2 sells FIDO2 security keys and also offers models that combine FIDO2/U2F with TOTP functionality. This is commonly used when an organization wants to roll out phishing-resistant authentication broadly but must still support a subset of applications that require OTP. Token2’s product categories and individual SKUs describe these combined capabilities.
Token2 is often considered when cost and availability are important and when combined FIDO2 + TOTP models can reduce friction in transitional environments. The key requirement is to standardize on specific SKUs and firmware versions to avoid support variance.

In practice, the “right” security key choice is less about the brand name and more about how well it fits your full authentication landscape: modern FIDO2-first apps, legacy systems that still require passwords and OTP, and workstation access patterns that drive real operational risk.
If you want to evaluate these capabilities as a single, coherent system, the Hideez Workforce Identity system is designed to support that approach: it provides passwordless authentication while also enabling controlled password and OTP-based access for legacy environments, integrates with FIDO2-certified keys (including YubiKey, Thales, Token2, and others), and supports mobile authentication through the Hideez app.
It also extends beyond web and application access by enabling proximity-based access to computers — supporting fast unlock and secure, automatic lock for shared workstations. To see how these workflows look in your specific environment, book a demo and review the full set of our capabilities end-to-end.