How do I get started with YubiKeys and FIDO security standards?

Asked By CuriousBee42 On

Hey everyone! I have some YubiKeys left over from my last job, and I want to learn how to use them for personal projects and for work-related tasks, like logging into AWS. My ultimate goal is to advocate for the adoption of security keys in my workplace, especially for those in high-privilege positions. However, I'm feeling overwhelmed with the different documentation available for YubiKeys, U2F, FIDO standards, and WebAuthn. Could someone guide me on where to start? I'm looking for a reading list that can help me: 1. Understand the basics, 2. Learn about the roles of hardware tokens and how they interact, and 3. Get familiar with the relevant standards for integrating them into our security systems like SSO. Any help would be appreciated!

4 Answers

Answered By GadgetWhizz On

Here's a helpful write-up on security key options: https://blog.k9.io/p/key9-the-2025-security-key-shootout. Generally, for most businesses, a USB A YubiKey is the easiest to work with. They also have great support for setup. For FIDO resources, check the FIDO Alliance website (https://fidoalliance.org/) to learn more about passkeys and certification levels. Just remember, the implementation can vary based on the system—you’ll likely be Googling things like 'using YubiKey for Windows login' or similar, as there isn’t a one-size-fits-all guide.

Answered By SecurityNerd101 On

Just to clarify, passkeys are secure only as long as the host isn’t compromised. Hardware tokens like YubiKeys are separate devices, making them harder to hack. For starting out, dive into the documentation—it covers the tech deeply. If reading isn't your thing, consider services that can help with implementation. They’ll smooth the adoption process a lot. You can see what’s known to work with YubiKeys here: https://www.yubico.com/works-with-yubikey/catalog/?sort=popular.

KeyMaster9000 -

Exactly! You can store passkeys on a YubiKey, and they require physical interaction plus a PIN for use.

Answered By CyberSecWhiz On

It seems like you’re mixing layers with FIDO, U2F, and WebAuthn; they’re all standards related to how information is used with security keys. Think of it like the difference between HTTPS and TCP. WebAuthn is what browsers use to talk to the keys. The nice thing is that the domain is part of the authentication, so you can't get phished easily. Check out this site for some good diagrams: https://curity.io/resources/learn/webauthn-overview/.
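The domain binding described in the answer above, as an added example that is not part of the original thread: a sketch of the origin, RP ID, challenge and user-presence checks a WebAuthn relying party runs on a login assertion. The host names, challenge and sample assertions are constructed, and signature verification (which covers the authenticator data plus the hash of the client data) is left out.

```python
import base64, hashlib, hmac, json, struct

RP_ID = "login.example.com"                    # assumed relying-party ID (constructed)
EXPECTED_ORIGIN = "https://login.example.com"  # assumed origin of the real site

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_assertion(origin, rp_id, challenge, flags=0x05, sign_count=1):
    """Constructed stand-in for what the browser and security key return."""
    # The browser, not the page, writes the origin it is actually showing.
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    # Authenticator data: SHA-256(RP ID) | flags byte | 4-byte signature counter.
    auth_data = hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, sign_count)
    return client_data, auth_data

def check_binding(client_data_json, auth_data, challenge, require_uv=True):
    """Return the reasons to reject; an empty list means these checks pass."""
    errors = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        errors.append("wrong type")
    sent = str(cd.get("challenge", "")).encode()
    if not hmac.compare_digest(sent, b64url(challenge).encode()):
        errors.append("challenge mismatch")
    if cd.get("origin") != EXPECTED_ORIGIN:
        errors.append("origin mismatch")
    if len(auth_data) < 37:
        return errors + ["authenticator data too short"]
    rp_hash, flags = auth_data[:32], auth_data[32]
    if not hmac.compare_digest(rp_hash, hashlib.sha256(RP_ID.encode()).digest()):
        errors.append("rpIdHash mismatch")
    if not flags & 0x01:                  # UP bit: the key was touched
        errors.append("user not present")
    if require_uv and not flags & 0x04:   # UV bit: PIN or biometric was checked
        errors.append("user not verified")
    return errors

if __name__ == "__main__":
    challenge = bytes(range(32))          # constructed server challenge
    real = make_assertion(EXPECTED_ORIGIN, RP_ID, challenge)
    lookalike = make_assertion("https://login.example-sso.test",
                               "login.example-sso.test", challenge)
    print("real site:", check_binding(*real, challenge))
    print("look-alike:", check_binding(*lookalike, challenge))
```

An assertion produced on a look-alike domain carries that domain in both the client data and the RP ID hash, so it fails on the real site even when the challenge is relayed correctly.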

Answered By TechSavvyGamer77 On

I've been using YubiKeys for two-factor authentication on sites like Google and Microsoft, but I'm no expert. Just a heads up, YubiKeys can be pretty pricey and you might run into format issues with USB-A, USB-C, NFC versions. I wonder if passkeys are starting to take over some of the uses for YubiKeys—they seem a lot more convenient! Interested in hearing what others think.

GadgetGuru88 -

Yeah, passkeys are super convenient! You can store them on a FIDO2 key or a TPM, which makes things smoother.
