YubiKey is a secure method for logging into many websites using a cryptographically secure USB token. It requires no special software, and because the device never generates the same OTP (One Time Password) twice, nothing is shared among the sites that use it.
Users can assign one or more YubiKeys to an existing account and log in with a YubiKey. This gives users additional security, even over insecure connections.
YubiKeys work as follows. The device registers itself as a USB keyboard, so it works with any operating system. When the YubiKey button is pressed, it "types" out an OTP. The OTP is a ModHex-encoded string consisting of a unique id and an AES-128 encrypted string. The encrypted string contains:
- a static secret device id;
- a session counter (the number of times the device has been inserted into an active USB port);
- a timestamp, based on an 8 Hz clock started when the device was inserted;
- a counter of the number of OTPs generated since the device was inserted;
- a 2-byte pseudo-random number;
- a CRC checksum.
The ModHex string is sent to the YubiKey authentication servers, which decrypt it and check that the OTP is valid, that the session is not older than a previous session, that the timestamp is not older than a previous timestamp for this session, and that the session use counter is not smaller than that of a previous OTP for this session.
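The OTP layout and the server-side checks described above, as an added Python example (not the module's own code, and not Yubico's validation service). It decodes ModHex, verifies the CRC on the decrypted 16-byte token, splits out the fields, and applies the session/use-counter/timestamp replay rules. The AES-128 step is supplied by the caller as a `decrypt` callable; the demo uses a constructed key, a constructed private id, and an XOR stand-in for AES so that it runs without a crypto library.

```python
"""Parse and verify a YubiKey OTP as the page describes: ModHex decode,
decrypt (callable supplied by the caller), CRC check, replay checks.
Added example, not the module's own code."""

MODHEX = "cbdefghijklnrtuv"   # ModHex alphabet; character i encodes nibble i
CRC_RESIDUAL = 0xF0B8         # register value over a token whose CRC is intact


def modhex_decode(text):
    """Decode a ModHex string into bytes (two characters per byte)."""
    if len(text) % 2 or any(c not in MODHEX for c in text):
        raise ValueError("not a ModHex string")
    nibbles = [MODHEX.index(c) for c in text]
    return bytes(hi << 4 | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))


def modhex_encode(data):
    return "".join(MODHEX[b >> 4] + MODHEX[b & 0xF] for b in data)


def crc16(data):
    """CRC-16, reflected polynomial 0x8408, initial value 0xFFFF (the
    HDLC/X.25 style checksum used in the YubiKey token)."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def parse_token(plain):
    """Split the 16-byte decrypted token into its fields, rejecting a bad CRC."""
    if len(plain) != 16:
        raise ValueError("token must be 16 bytes")
    if crc16(plain) != CRC_RESIDUAL:
        raise ValueError("CRC check failed (wrong key or corrupted OTP)")
    return {
        "private_id": plain[0:6],
        "session": int.from_bytes(plain[6:8], "little") & 0x7FFF,  # top bit is a flag
        "timestamp": int.from_bytes(plain[8:11], "little"),        # 24-bit, 8 Hz ticks
        "use": plain[11],                                          # OTPs this session
        "random": plain[12:14],
    }


def build_token(private_id, session, timestamp, use, random2):
    """Assemble a plaintext token with a valid CRC (used to construct demo OTPs)."""
    body = (private_id + session.to_bytes(2, "little")
            + timestamp.to_bytes(3, "little") + bytes([use]) + random2)
    crc = crc16(body) ^ 0xFFFF            # append the complemented CRC, little-endian
    return body + crc.to_bytes(2, "little")


def verify_otp(otp, decrypt, state, expected_private_id):
    """Validate one OTP against per-device state {'session', 'use', 'timestamp'}.
    Returns (ok, reason_or_public_id) and advances `state` only on success."""
    otp = otp.strip().lower()
    if len(otp) < 32:
        return False, "too short"
    public_id, cipher_text = otp[:-32], otp[-32:]
    try:
        token = parse_token(decrypt(modhex_decode(cipher_text)))
    except ValueError as e:
        return False, str(e)
    if token["private_id"] != expected_private_id:
        return False, "private id mismatch"
    # Replay rules: a newer session is always fine; within the same session the
    # use counter must strictly increase (an equal counter is a replay) and the
    # timestamp must be later than the last one seen.
    if token["session"] < state["session"]:
        return False, "older session"
    if token["session"] == state["session"]:
        if token["use"] <= state["use"]:
            return False, "replayed or out-of-order use counter"
        if token["timestamp"] <= state["timestamp"]:
            return False, "timestamp not newer"
    state.update(session=token["session"], use=token["use"], timestamp=token["timestamp"])
    return True, public_id


# --- Constructed demo data (not real key material) ---------------------------
DEMO_KEY = bytes(range(16))
DEMO_PRIVATE_ID = b"\x01\x02\x03\x04\x05\x06"


def demo_cipher(block):
    """Stand-in for AES-128-ECB so the example runs without a crypto library;
    a real verifier decrypts with the device's AES key instead of this XOR."""
    return bytes(x ^ k for x, k in zip(block, DEMO_KEY))


def make_demo_otp(session, timestamp, use):
    plain = build_token(DEMO_PRIVATE_ID, session, timestamp, use, b"\xaa\x55")
    return "cccccccccccc" + modhex_encode(demo_cipher(plain))  # XOR is its own inverse


if __name__ == "__main__":
    state = {"session": 0, "use": 0, "timestamp": 0}
    first = make_demo_otp(session=3, timestamp=80, use=1)
    print(verify_otp(first, demo_cipher, state, DEMO_PRIVATE_ID))  # accepted
    print(verify_otp(first, demo_cipher, state, DEMO_PRIVATE_ID))  # same OTP again: rejected
```

The per-device `state` is what makes the scheme replay-resistant: the server must persist the highest session, use counter and timestamp it has accepted for each key, and update them only after every check has passed.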
In 6.x-2.x and 7.x-2.x:
- Site administrator sets the required credentials site wide.
- Users can report their YubiKey lost.
- Permissions to Administer Yubikey Module and Administer own Yubikeys
- For additional security, users may also require that their password be entered when logging in with their YubiKey. This prevents a thief who stole your YubiKey from logging in without a password, but increases the complexity of the login process.