To take the second part first:

> You need a backup password or similar which kinda defeats the point of having the key.
So the main threat models HSMs address are 1) using keys with online systems without remote attackers being able to compromise those keys (and also potentially increasing the difficulty of performing remote hot attacks too), and 2) making it much harder for attackers in insecure physical locations to get at the original keys, as well as purely through theft.
Having a backup password that is kept in a safe or the like, or airgapped system(s) in a secure room/building that all HSMs are loaded from, in no way defeats the point. The point of the token is to be able to then go out into the world and make use of those keys in places which aren't secure and on systems that are online and multi-use and thus vastly easier to compromise. The Yubikey (or any of a range of smartcards or heavier-duty HSMs) ideally should mean that obtaining the original private keys at least requires physically finding and breaching the generation location (assuming the keys aren't generated on device and simply manually switched upon device breakage), and that even black-box usage requires both physically obtaining the token and the PIN or other second factor (more sophisticated HSMs may require multiple-person involvement as well). This radically shifts the economic costs for attackers.
> Yubikeys make me nervous, what happens when it breaks? Or your house burns down.
If using it for on-key generation, presumably with systems that you have at least intermittent physical access to, then breakage merely means doing a manual shuffle of going around and updating certs with a new key. If that's a fairly infrequent and low-probability event, there may be no further need to think about it than that. You had to set up the systems in the first place, after all. Alternatively, if you have keys stored offline in some manner, it's trivial to set up a new token, or to buy multiple tokens and have them all be the same (with a few kept around in a safe maybe) so that having one get destroyed involves no downtime at all, just scheduling to bring it back up to n+whatever at a future time.
FAQs
What do I do if I lose or break my YubiKey?
You will need to submit a work order to IT to replace your YubiKey. Your account will be moved into a temporary group so that you can access your applications while waiting to receive the replacement key.
What if I forgot my YubiKey at home?
What to do if you don't have backups
- Check for any other alternative means of two-factor authentication, e.g. via email or mobile phone. ...
- If that fails, access the service on any device that may already be logged in. ...
- If you are still locked out of your account, contact support and explain the situation.
Are YubiKeys indestructible?
You can use your YubiKey on multiple computers and mobile devices, and one key supports any number of your accounts. YubiKeys are nearly indestructible — just add it to your keychain along with your house and car keys.
What happens if my YubiKey is stolen?
So, what happens if you lose your YubiKey? In that case, you can still use your Authenticator app (phew!). FIDO (WebAuthn/U2F) credentials cannot be copied off a YubiKey, so you can't clone one into a backup key; the practical backup is to register a second key with each service ahead of time. If a key is lost or stolen, remove it from your accounts so whoever holds it can't use it (they would still need your PIN or password as well), and you can always contact Yubico to get a replacement key.
What is the lifespan of a YubiKey?
A Yubikey will essentially last forever, and if you stay clear of the insanity that is Passkeys its WebAuthn element can support an infinite number of websites. Portability: I have a smartphone, a work laptop, a home laptop, and a home desktop. My Yubikey has USB and NFC, so it can trivially be used with all of them.
What happens when I touch my YubiKey?
If a YubiKey is connected to a host over USB or Lightning, slot activation occurs when the key is touched, and the duration of the touch determines which slot is activated: a short touch (roughly 0.3 to 1.5 seconds) triggers slot 1 and a long touch (roughly 2.5 to 5 seconds) triggers slot 2. If a YubiKey is scanned by an NFC reader there is no touch, so the slot that the OTP application's NDEF tag points to is activated instead.
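To make the OTP application's output concrete, here is an added example (not code from this page or from Yubico) of what a validating server does with the 44-character string a slot types on touch: split off the 12-character modhex public ID, AES-128-decrypt the remaining 32 characters with the slot's secret, check the ISO 13239 CRC and the private ID, and reject replays by requiring the (session counter, use counter) pair to increase. The AES key, public ID and private ID are constructed sample values; MakeOTP stands in for the key itself and exists only to build sample input; and the timestamp and random bytes of the real plaintext layout are left zero.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

const modhexAlphabet = "cbdefghijklnrtuv" // position i encodes hex nibble i

// Token is the part of the 16-byte plaintext a validator cares about; the real layout also
// carries a 24-bit timestamp (bytes 8-10) and random filler (bytes 12-13), left zero here.
type Token struct {
	UID        [6]byte // private ID; must match the registration
	SessionCtr uint16  // bumped at power-up and persisted on the key
	UseCtr     uint8   // bumped per OTP within a session
}

func ModhexDecode(s string) ([]byte, error) {
	if len(s)%2 != 0 || strings.Trim(s, modhexAlphabet) != "" {
		return nil, errors.New("modhex: odd length or character outside " + modhexAlphabet)
	}
	out := make([]byte, len(s)/2)
	for i := range out {
		out[i] = byte(strings.IndexByte(modhexAlphabet, s[2*i])<<4 | strings.IndexByte(modhexAlphabet, s[2*i+1]))
	}
	return out, nil
}

// crc16 is ISO 13239 (reflected poly 0x8408, init 0xffff), the variant Yubico uses.
func crc16(data []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			crc = (crc >> 1) ^ (0x8408 & -(crc & 1))
		}
	}
	return crc
}

// MakeOTP mimics the key on touch: serialise the token little-endian, append the inverted CRC
// of the first 14 bytes, AES-128-encrypt, and "type" it in modhex after the public ID.
func MakeOTP(key [16]byte, publicID string, t Token) string {
	pt := make([]byte, aes.BlockSize)
	copy(pt, t.UID[:])
	binary.LittleEndian.PutUint16(pt[6:], t.SessionCtr)
	pt[11] = t.UseCtr
	binary.LittleEndian.PutUint16(pt[14:], ^crc16(pt[:14]))
	block, _ := aes.NewCipher(key[:]) // a 16-byte key cannot fail
	ct := make([]byte, aes.BlockSize)
	block.Encrypt(ct, pt)
	otp := publicID
	for _, c := range ct {
		otp += string(modhexAlphabet[c>>4]) + string(modhexAlphabet[c&0x0f])
	}
	return otp
}

// Validator is one registered key plus its replay state.
type Validator struct {
	Key      [16]byte
	PublicID string
	UID      [6]byte
	next     uint32 // lowest SessionCtr<<8|UseCtr still acceptable; anything below is a replay
}

// Validate accepts an OTP once, and only if its counters move strictly forward.
func (v *Validator) Validate(otp string) (Token, error) {
	if len(otp) != 44 || otp[:12] != v.PublicID {
		return Token{}, errors.New("otp: wrong length or unregistered public ID")
	}
	ct, err := ModhexDecode(otp[12:])
	if err != nil {
		return Token{}, err
	}
	block, _ := aes.NewCipher(v.Key[:])
	pt := make([]byte, aes.BlockSize)
	block.Decrypt(pt, ct)
	// 0xf0b8 is the residue the inverted CRC leaves when the plaintext is intact.
	if crc16(pt) != 0xf0b8 || string(pt[:6]) != string(v.UID[:]) {
		return Token{}, errors.New("otp: CRC or private ID mismatch (wrong key, corrupted, or foreign token)")
	}
	t := Token{SessionCtr: binary.LittleEndian.Uint16(pt[6:]) & 0x7fff, UseCtr: pt[11]} // bit 15 is a flag
	copy(t.UID[:], pt[:6])
	cur := uint32(t.SessionCtr)<<8 | uint32(t.UseCtr)
	if cur < v.next {
		return Token{}, errors.New("otp: replayed or out-of-order counter")
	}
	v.next = cur + 1
	return t, nil
}

func main() {
	key := [16]byte{0xde, 0xad, 0xbe, 0xef} // constructed sample key (rest zero)
	v := &Validator{Key: key, PublicID: "cccccbhjkjlr", UID: [6]byte{1, 2, 3, 4, 5, 6}}
	otp := MakeOTP(key, v.PublicID, Token{UID: v.UID, SessionCtr: 1})
	_, first := v.Validate(otp)
	_, replay := v.Validate(otp)
	fmt.Println(otp, first, replay) // second result is the replay error
}
```

The second Validate call on the same string fails on the counter check, which is why a Yubico OTP validator must persist the last accepted counters per key rather than being stateless; the CRC and private-ID checks are what stop a forged or foreign ciphertext from ever reaching that counter logic.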
Does YubiKey work without Internet?
Yes, the key itself needs no network. The YubiKey is crush-resistant and water-resistant, requires no battery or cellular network connectivity, and its simple touch authentication is four times faster than typing a one-time password. (A service that validates Yubico OTPs does need to reach its validation server, but that is the server's connection, not the key's.)
Can you disable YubiKey?
Click the "Enable/Disable" toggle to the right of the YubiKey to change its status, then click "OK" on the confirmation message. Each click of the toggle flips the key between enabled and disabled.
Does YubiKey run out of battery?
The YubiKey will never run out of batteries (there are none!). You don't need to read a 6-digit number and enter it manually, which is prone to error and can be difficult depending on how good your eyesight is (am I getting old? :-))
Which YubiKey is most secure?
Best overall security key: the Yubikey Security Key C NFC is our top pick for most people. It features excellent build quality, and its USB-C connector means it works on just about every new device. It also has NFC support, which lets it authenticate on mobile devices that lack a USB port.
- OATH-TOTP: the YubiKey 5's OATH application can hold up to 32 OATH-TOTP credentials (authenticator codes).
- OTP: this application has two slots, each holding one credential; because the server does the validating, a single Yubico OTP credential can be registered with an unlimited number of services. The OTP application ships with a Yubico OTP credential in slot 1.
Can YubiKey go bad?
If your YubiKey is not functioning correctly, note whether the lights on the YubiKey appear when you insert it into your device. If no lights appear at all, this could be an indication that something is wrong with your key.
Can you unplug YubiKey?
The YubiKey presents itself to your PC as a USB keyboard (its OTP application types the code as keystrokes), so there is no storage to eject when removing it: you can just pull it out.
Can YubiKey be trusted?
YubiKeys are marketed as stopping account takeovers: they are trusted by the world's largest companies, and Yubico's own claim is that its users have experienced 0 account takeovers.
Does YubiKey have a tracker?
A Yubikey is an authentication device. You use it to authenticate to a device or server. That device or server could be tracking what you do. However, the Yubikey does nothing to facilitate that other than confirming that the key previously registered against a particular user account has been plugged in.
How do I replace a broken YubiKey?
Our product's quality is top of mind for us and if your YubiKey is damaged we ask that you submit a support ticket with the following information. The order number or copy of invoice from when you purchased the YubiKey. A valid shipping address in the event we send a replacement YubiKey to you.
Can YubiKey stop working?
Check to see if the YubiKey's LED is lit - if not, the YubiKey may not be receiving power. The issue may be as simple as the YubiKey is inserted upside down for USB-A connectors. Alternatively, the USB port may not be functioning correctly - if that is the case, try on a different USB port or computer.
How many times can a YubiKey be used?
A YubiKey supports an unlimited number of accounts with the WebAuthn and U2F protocols as long as the credentials are non-discoverable (nothing per site is stored on the key; the site hands back the credential ID at login). Discoverable credentials (passkeys) do live on the key and are capped by the firmware: 25 on YubiKey 5 series firmware before 5.7 and 100 from 5.7. If you're using your hardware key for TOTP, the OATH application holds 32 accounts (64 from firmware 5.7).