A YubiKey device generates a different one-time password (OTP) for every authentication attempt. Each OTP is sent to a validation service, which confirms that it is genuine and has not been used in an earlier authentication attempt.

It is possible to use the OTP as the only proof of identity, but you should combine it with a static password as a form of two-factor authentication.

YubiKey authentication requires:

  • Server configuration and the addition of this capability to a user entry
  • Configuration of a client ID and API key to use when communicating with the validation service

    The API key is a secret shared between the YubiKey validation service and the client that interacts with it. It is used to generate digital signatures, so that the server and the YubiKey validation service can each verify that the peer is genuine.

All server and user entry configuration details are available in the Security Guide.
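
The API key signing described above can be sketched as follows. This is an added example, not code from the product documentation. It assumes the validation service uses the signing scheme of Yubico's validation protocol version 2.0 (base64 HMAC-SHA1 over the parameters sorted by name); the key, OTP, nonce and the `service_reply` stand-in are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample values, not real credentials.
API_KEY_B64 = base64.b64encode(b"constructed-demo-key").decode()
SAMPLE_OTP = "cccccccccccb" + "defghijklnrtuvcbdefghijklnrtuvcb"
SAMPLE_NONCE = "a1b2c3d4e5f60718293a4b5c6d7e8f90"


def sign(params, api_key_b64):
    """Base64 HMAC-SHA1 over the parameters sorted by name, joined as k=v&k=v."""
    message = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    key = base64.b64decode(api_key_b64)
    digest = hmac.new(key, message.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def build_request(client_id, otp, nonce, api_key_b64):
    """Client side: sign the request so the service can authenticate the client."""
    params = {"id": client_id, "otp": otp, "nonce": nonce}
    params["h"] = sign(params, api_key_b64)
    return params


def check_response(response, otp, nonce, api_key_b64):
    """Client side: accept only a signed answer that matches our request and is OK."""
    expected = sign(response, api_key_b64)
    if not hmac.compare_digest(expected, response.get("h", "")):
        return "bad signature"        # not produced by a holder of the API key
    if response.get("otp") != otp or response.get("nonce") != nonce:
        return "mismatched response"  # validly signed, but for another request
    if response.get("status") != "OK":
        return "rejected: " + str(response.get("status"))  # e.g. REPLAYED_OTP
    return "accepted"


def service_reply(request, status, api_key_b64):
    """Hypothetical stand-in for the validation service, for sample responses only."""
    reply = {"otp": request["otp"], "nonce": request["nonce"],
             "status": status, "t": "2024-01-01T00:00:00Z0000"}
    reply["h"] = sign(reply, api_key_b64)
    return reply
```

The signature check comes first: a response whose status was altered in transit fails verification before its status is ever trusted.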