Documentation

From Yubico


The intention of this page is to provide a list of documents describing how the Yubikey and the validation services work.

After purchasing your Yubikey/s, you need to obtain an API key for signing and verifying OTP validation requests. You use this information, along with your key/s and the client application, to validate your key when it is used.

Most client applications are programmed to work with Yubico's Web API (SOAP) interface to validate your key. When you press your key, the client software sends your API key and your One Time Password (OTP) to Yubico. Yubico validates the information and returns an approval code. Basic authentication services against Yubico's Web API service are free of charge.

Managing many Yubikeys could be problematic. Yubico provides a YubiKey [Management Service]. This is an online application to manage all YubiKeys with codes generated by Yubico. You can use a "Master" Yubikey with admin rights to retrieve your AES keys, adjust security policies and add, suspend and monitor your YubiKeys. If you have employees with YubiKeys and you need to manage their use you will need this management service. To get started go to the [Management Service Login Page].

Because Yubico provides the source code to the server and client application, it is possible to run your own validation server and key management system. This will require knowing the encryption key in your Yubikey. You can request this information from Yubico or you can use the personalization tool to reprogram your key. By re-initializing your YubiKey (either by manually programming a new AES key in the Yubikey or programming the Yubikey for static PW), you will lose ALL abilities to use that particular YubiKey against Yubico online servers: validation server, YubiKey management service, Yubico forum, demo server, OpenID server and so on. Customers are advised to consider using separate YubiKeys for use in Static Password Mode or for development and testing purposes.

WARNING! By using the personalization tool you can break your YubiKey! If you program your YubiKey with a new AES key protected with a password, and forget both the AES key and password, there is no way to restore the YubiKey to a usable state. Be careful!

Encryptions and Protocols

Here is a description of the internal cryptographic schema which Yubikey uses.
Here is the description of the Web API (Soap) interface used to validate a Yubikey.

Client Code

Client code to use the Web Service API is available in these languages.

Application Code

Yubico PAM module

The Yubico PAM module enables the Yubikey to be used for authentication in any environment which relies on the Pluggable Authentication Module (PAM) system. Various login applications for GNU/Linux use the PAM system to authenticate users. There is also PAM support for Solaris, and for Windows via pGina.

PAM solves other authentication needs as well, among other things login via SSH and MyProxy, and all of these can now authenticate through the Yubikey.

Google Code "pam-yubico" Project


MediaWiki Yubikey Extension

Authenticate your MediaWiki users using the Yubikey plugin, to reduce spam and bot problems. Google Code "yubikey-mediawiki" Project


Apache Basic Auth mechanism

Using the Apache module mod_authn_yubikey, you can add one- and two-factor authentication to your website. The Yubikey authentication is completely independent from the underlying technology that implements your website, which might be CGI, JSP, PHP or something else.

The "mod_authn_yubikey" Project

Source to the [Yubikey Management Service]

[Reference]
