HACKER Q&A
📣 jadamson

Why does YubiCo need my private key?


Hi HN,

I've been reading up on YubiKeys, which seem to be well-regarded on HN. When doing my own research, I discovered that the default authentication method requires a copy of the private key to be stored on a validation server[1] (YubiCloud, by default). This can be changed to a private validation server; however, that would also need to have a copy of the private key in order to work.

My question is: why is this necessary at all? Surely the same functionality could be achieved with public-key cryptography rather than requiring the private key to be uploaded[2] to a validator.

[1] https://docs.yubico.com/yesdk/users-manual/application-otp/yubico-otp.html

[2] https://upload.yubico.com/


  👤 cendyne Accepted Answer ✓
An AES key is symmetric. Both parties need it for this cryptographic operation.

The OTP key is separate from other keys that enable WebAuthn.

Also, please don't use Yubikey OTPs. While they can't be brute forced like TOTPs, they can be phished. There are better technologies to implement.
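
Added example (not part of the answer above, and not Yubico's code): a simplified Go sketch of the symmetric check that answer describes, showing that the validator can only verify an OTP by decrypting it with the same AES-128 key the token used. The names `TokenOTP` and `Validate` and the key and private ID values are constructed for illustration; the modhex encoding, the public ID prefix and the timestamp, session-use and random fields of the real format are left out, and the counter check is reduced to a single comparison.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
)

// crc16 is the ISO 13239 CRC-16 (reflected polynomial 0x8408), no final XOR.
func crc16(data []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408*(crc&1) // apply the polynomial when the low bit is set
		}
	}
	return crc
}

// TokenOTP is the device side. Bytes 8-13 (timestamp, session use, random) stay zero here.
func TokenOTP(key [16]byte, privID [6]byte, counter uint16) (otp [16]byte) {
	copy(otp[:], privID[:])
	binary.LittleEndian.PutUint16(otp[6:], counter)
	binary.LittleEndian.PutUint16(otp[14:], ^crc16(otp[:14]))
	c, _ := aes.NewCipher(key[:]) // a 16-byte key never returns an error
	c.Encrypt(otp[:], otp[:])
	return otp
}

// Validate is the server side: checking an OTP means decrypting it with the token's own key.
func Validate(key [16]byte, privID [6]byte, otp [16]byte, lastCounter uint16) (uint16, error) {
	c, _ := aes.NewCipher(key[:])
	c.Decrypt(otp[:], otp[:]) // otp is a by-value copy; it now holds the plaintext block
	if crc16(otp[:]) != 0xf0b8 || !bytes.Equal(otp[:6], privID[:]) {
		return 0, errors.New("wrong key or corrupted OTP")
	}
	ctr := binary.LittleEndian.Uint16(otp[6:])
	if ctr <= lastCounter {
		return 0, errors.New("replayed OTP")
	}
	return ctr, nil
}

func main() {
	key, id := [16]byte{0x2b, 0x7e}, [6]byte{1, 2, 3, 4, 5, 6} // constructed sample values
	fmt.Println(Validate(key, id, TokenOTP(key, id, 7), 6))
}
```

A validator holding any other key rejects the same OTP, and one that has already seen counter 7 rejects it as a replay.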


👤 piperswe
I don't know of any services that use Yubico OTP (it's a legacy protocol) - everything's on FIDO2 nowadays

👤 woadwarrior01
I'd recommend using the Yubikey as a GPG smartcard[1]. The private key stays on the Yubikey. I also use it for ssh. But make sure you have a backup key or two, just in case the primary Yubikey gives out. FIDO2 and all other regular Yubikey functionality still works with it.

[1]: https://github.com/drduh/YubiKey-Guide


👤 JamesLeonis
I have a couple of Yubikeys and I can hopefully answer some questions.

1. The Yubikey-specific OTP was turned on by default on both of my keys. The particular default is a Yubikey protocol. An alternative OTP is the Challenge-Response HMAC [0] implementation which I use with Keepass.

2. The OTP is not necessary, and most websites use FIDO2/WebAuthn anyways. It would only be "necessary" if the service used that particular Yubikey OTP protocol instead of FIDO. I use the FIDO2 functionality as my preferred 2FA, falling back on the Yubikey app for TOTP keys.

[0]: https://docs.yubico.com/yesdk/users-manual/application-otp/c...


👤 m-p-3
It's only used for Yubi-OTP, and I personally don't know of any services using it. Most of the MFA put in place is FIDO2-compliant, which doesn't use this private key and cannot be traced back to a specific Yubikey serial number on the other end.

Factory resetting the key will not reset the Yubi-OTP private key (which is burnt into its memory and never leaves the device), but it will however invalidate any FIDO2 credentials (either resident or non-resident) from the key.

The Yubi-OTP private key is also one way of certifying that the Yubikey is genuine.