A YubiKey is a small hardware device made by Yubico that provides strong two-factor authentication and prevents account takeovers. It acts as a physical USB security key that generates one-time passwords and cryptographic keys to authenticate a user and grant access to accounts and services.

YubiKeys are extremely secure as the secret cryptographic keys never leave the device. This makes them resistant to phishing, man-in-the-middle attacks, and malware. They are much more secure than relying solely on passwords or one-time codes sent over SMS or email.

Auth0 is a popular identity and access management platform that provides features like authentication, authorization, single sign-on (SSO), and user management. It allows developers to integrate authentication and authorization into their applications easily.

Integrating YubiKeys with Auth0 adds an extra layer of security to user accounts by requiring possession of the physical key in addition to the username and password to log in.

Overview of YubiKeys

YubiKeys are hardware authentication devices manufactured by the Swedish company Yubico. They provide two-factor (2FA) or multifactor authentication (MFA) by requiring the physical possession of the YubiKey in addition to another authentication factor like a password or biometric.

Key Features of YubiKeys

Small USB device: Easy to carry on a keychain.
Does not require batteries or charging.
Multiple protocols are supported, including FIDO U2F, FIDO2, OTP, OpenPGP, and OATH-HOTP.
Cryptographic operations are done within a secure element chip.
Resistant to man-in-the-middle, phishing, and malware attacks.
Hardware-backed random number generator for strong keys/passwords.
Variety of form factors: USB-A, USB-C, NFC, Lightning.
Configurable via desktop apps and command line tools.
Durable and water-resistant.

YubiKeys provides cryptographic authentication using public key cryptography. Each YubiKey contains a unique secret key that is generated on the device during manufacturing. This key cannot be copied or extracted. The secret key is used to cryptographically generate secure assertions that are verified by the online service to authenticate the user.

Key Use Cases of YubiKeys

Two-Factor Authentication (2FA): YubiKeys provides a simple way to add a second factor to any login or authentication flow in addition to username/password. This prevents account takeovers via stolen credentials.
Multifactor Authentication (MFA): YubiKeys can be combined with other factors, such as biometrics and mobile push notifications, to create a strong MFA.
Password-Less Authentication: The cryptographic protocols used by YubiKeys allow password-less, passwordless logins based on the possession of the hardware key.
Desktop Login: YubiKeys can replace passwords for logging into Windows, Mac, Linux, and other operating systems.
Securing Infrastructure Access: DevOps teams can require YubiKeys to access servers, VPNs, SSH connections, etc.
Code Signing: Developers can sign git commits and code using the private key stored on the YubiKey.
PGP Encryption: Private keys for email and disk encryption can be stored on a YubiKey for improved security.
Cryptocurrency Wallets: YubiKeys protect against the theft of coins from crypto wallets.

Popular YubiKey Models Are

YubiKey 5 Series: The latest generation supporting FIDO2/WebAuthn, FIDO U2F, OTP, OATH-HOTP, OpenPGP, and CCID Smartcard protocols. Available with USB-A, USB-C, NFC, or Lightning connectors.
YubiKey 5C NFC: Supports NFC connections for tap-and-go authentication with mobile devices.
YubiKey 5Ci: Mini key with integrated USB-C connector. Ideal for portable and mobile use.
YubiKey 5 NFC: Large size with dual USB-A and NFC capabilities.
YubiKey 5C: USB-C version of YubiKey 5 series.
YubiKey NEO: This older model focused on NFC mobile authentication.

Yubico also offers the YubiKey FIPS series, which is certified for Federal Information Processing Standard FIPS 140-2 Level 2 security.

Overview of Auth0

Auth0 is a widely used identity management platform that makes it easy for developers to add authentication and authorization services to applications.

Some key features of Auth0 include:

User login with username/password, social providers, or enterprise credentials
Single sign-on (SSO) across multiple apps and APIs
User management with dashboards, APIs, and metadata storage
Support for social login with Google, Facebook, Twitter, etc.
Enterprise directory integration with Active Directory, LDAP, etc.
Multifactor authentication (MFA) uses one-time codes, biometrics, etc.
Customizable login pages and user experience
OAuth2/OIDC support for securing APIs
Client libraries for quick integration with web/mobile apps
Analytics on users, logins, errors, etc.

With Auth0, developers don’t have to worry about managing user identities, handling passwords, implementing SSO, or building custom login and MFA infrastructure.

Auth0 sits between your app and your user identity data stores like LDAP or databases. It secures access to app features and APIs based on user identity and permissions set in Auth0.

How Auth0 Works

The user tries to access a protected app feature or API.
The app redirects the user to Auth0 for authentication.
Auth0 verifies user identity using configured login options.
If the login succeeds, Auth0 generates a JWT access token for the user.
The user’s app uses the access token to call protected APIs and features.
APIs validate the access token before responding with data.

This means your app relies on Auth0 to handle user authentication and authorization rather than implementing your solution.

Benefits of Integrating YubiKeys with Auth0

Integrating YubiKeys with Auth0 provides the following security benefits:

Stronger Authentication: YubiKeys raise the authentication strength from something you know (password) to something you have (the physical key). This protects against password database leaks.
Phishing Resistant: Even if users are tricked into entering their credentials on a fake login page, the phishing site will not be able to authenticate without the YubiKey.
Malware Resistant: Malware or viruses cannot steal credentials from a YubiKey because the secrets never leave the device.
Convenient 2FA: YubiKeys provides a simple tap-to-authenticate method for 2FA rather than using SMS or TOTP codes.
Reduces Account Lockouts: 2FA with YubiKeys can prevent attackers from brute forcing passwords and triggering account lockouts.
No Training Required: YubiKeys are easy for users. Compared to approaches like OTP codes, no training is needed.
Standard Protocols: YubiKeys works with standard protocols like FIDO2, WebAuthn, and FIDO U2F. No proprietary software is needed.
Passwordless Flows: Advanced flows completely eliminate passwords by relying on YubiKey tap for primary authentication.

Implementing passwordless authentication with YubiKeys can reduce reliance on passwords and enhance security against many common attack vectors.

Best Ways to Integrate YubiKeys with Auth0

There are two primary ways YubiKeys can integrate with Auth0 to enable strong 2FA:

1. Through WebAuthn/FIDO2

WebAuthn is the web standard for passwordless authentication using public key cryptography. It is implemented in all modern web browsers.

YubiKeys can register a public/private key pair with Auth0 through WebAuthn. The private key remains securely stored inside the YubiKey hardware.

To authenticate, users insert their YubiKey and tap when prompted. The YubiKey signs an authentication challenge from Auth0 using the private key. Auth0 verifies the signature using the public key to authenticate the user.

This method has the following benefits:

Implemented natively in web browsers: no plugins or extensions needed.
Leverages asymmetric cryptography for strong security.
Allows passwordless or password + YubiKey authentication.
Standardized protocol with wide industry support.

To enable WebAuthn with YubiKeys in Auth0, you can configure it as an additional authentication factor (2FA) method or as a primary method to replace password login.

2. Through FIDO U2F

FIDO U2F is an earlier open standard that YubiKeys also supports for 2FA. It uses a public/private key approach similar to WebAuthn.

The main difference is that U2F relies on browser extensions or mobile apps to interact with the YubiKey, while WebAuthn is implemented natively.

To use U2F, users must install an extension like the FIDO U2F Security Key or download the Android/iOS mobile app. The YubiKey taps communicate via this extension or app during authentication.

Compared to WebAuthn, U2F has some disadvantages:

Requires users to install extensions or apps.
It only works for 2FA, not passwordless authentication.
Proprietary implementation: not built into browsers.
Limited to desktop and mobile browsers only.

However, U2F still provides excellent phishing-resistant 2FA using YubiKeys and is widely compatible with services that don’t yet support WebAuthn.

In Auth0, you can activate and enforce FIDO U2F authentication through the dashboard. Users must register their keys and then verify their identities by tapping on login.

Now, let’s walk through the setup process for integrating YubiKeys with Auth0…

Step-by-Step Guide to Configure YubiKeys with Auth0

Here is a step-by-step guide to setting up YubiKeys as a 2FA method in Auth0 for your users:

1. Get compatible YubiKeys

First, acquire YubiKeys that are compatible with Auth0.

Any YubiKey 5 series or later device will work. This includes the YubiKey 5C, 5C NFC, 5 NFC, and 5Ci.

Make sure your YubiKeys support one of FIDO2/WebAuthn or FIDO U2F. These enable integration with Auth0.

2. Create or configure your Auth0 tenant

If you don’t already have one, sign up and set up an Auth0 account. This will be your Auth0 tenant.

In your Auth0 dashboard, make sure you have a registered app for your users to authenticate with.

Configure social, database, enterprise, and passwordless connections for users to authenticate with.

In your application settings, enable Allowed Origins, Allowed Logout URLs, and Allowed Web Origins. This configures URLs where Auth0 can redirect back to your app.

3. Enable multifactor authentication in Auth0

In your Auth0 MFA settings, switch the Multifactor Auth toggle to ON.

In the sections below, enable and configure FIDO2 WebAuthn and FIDO U2F based on which protocol(s) your YubiKeys support.

For example, to enable WebAuthn:

Click on the FIDO2 WebAuthn tab.
Toggle Use FIDO2 WebAuthn to ON.
Configure supported browsers and platforms.
Customize user experience messages.
Click SAVE to turn on WebAuthn.

Repeat a similar process to enable FIDO U2F as an MFA method as well.

You can also customize enforcement rules, allowing certain users to bypass MFA.

4. Configure rules for enforcing MFA

Create rules to enforce when users have to perform YubiKey authentication using your desired protocol after login.

For example, you can create a rule to require WebAuthn authentication for:

All users logged in from new devices.
Users with sensitive permissions like admins.
Certain connections, such as social logins.
Logins from high-risk countries.

Example rule to enforce WebAuthn for admins:

function (user, context, callback) {
  if (user.app_metadata.roles.includes('admin')) {
   context.multifactor = { 
      provider: 'webauthn', //enforce WebAuthn
       allowRememberBrowser: false //require MFA every time
    };
  }
  callback(null, user, context);
}

The context.multifactor property triggers the additional authentication step.

5. Push YubiKey registration and setup

You’ll need to instruct your users to register their YubiKeys with Auth0 for authentication.

For WebAuthn, users can register by scanning their key when prompted after enabling the first rule requiring a security key.

Provide user documentation explaining how to tap the YubiKey when the registration and login verification prompts appear.

Consider requiring registration of YubiKeys as part of your onboarding process for higher security.

6. Test end-to-end authentication flows

Configure your app to redirect to Auth0 login and make protected API calls.

Test authentication flows with your YubiKey across desktop and mobile to ensure the device is tapping properly when prompted.

Debug any issues with registration or MFA verification. You may need to adjust your Auth0 rules and resolve errors like unsupported browsers.

Now, your Auth0 tenant and application should have YubiKey-secured logins!

Best Practices for Using YubiKeys with Auth0

Here are some best practices to follow when integrating YubiKeys with Auth0 for authentication:

Educate Users: Provide documentation, training, and support to help users understand how to use their YubiKeys.
Require Registration: Make YubiKey registration mandatory for all users to force enrollment.
Use FIDO2/Webauthn First: Prefer WebAuthn over U2F for a better user experience. Offer U2F as a fallback.
Enforce Narrowly: Only require YubiKeys in scenarios where you need the highest security (admin access, sensitive actions, etc.)
Consider Passwords: Retain password login in addition to YubiKeys for maximum flexibility.
Support TOTP Fallback: Allow Time-based Time Password (TOTP) apps as a backup MFA method if users lose their key.
Allow Remember Devices: Enable the Auth0 setting to limit prompts to new devices only for better UX.
Implement Auditing: Audit authentication events and YubiKey registrations in your SIEM or log analysis tools.
Utilize Customization: Use Auth0 extensibility to build custom management pages, rules, hooks, etc.
Assess Other Features: Consider adopting single sign-on, breached password detection, and other Auth0 features.

Final Thoughts

Integrating YubiKey hardware security keys into the Auth0 authentication flow provides a robust defense against account takeovers and credentials-based attacks.

YubiKeys offers phishing-resistant, tap-to-authenticate MFA that interoperates easily with the Auth0 platform using standard protocols like WebAuthn and FIDO U2F.

By following the steps outlined in this guide, you can configure your Auth0 tenant, enable the desired MFA methods, develop custom rules, and deploy YubiKey-based 2FA to your users.

Educate and support your users on properly registering and using their YubiKeys across login scenarios. Apply security best practices regarding enforcement rules and auditing.

With smart YubiKey adoption, Auth0 can become the unbreakable core of your organization’s identity and access management strategy.

FAQs About YubiKey

What types of YubiKey devices work with Auth0?

Auth0 supports the YubiKey 5 Series (5, 5C, 5Ci, 5C NFC, 5 NFC) and YubiKey NEO devices. Ensure your YubiKeys support FIDO2/WebAuthn and FIDO U2F protocols.

Can YubiKeys be used to log in to Auth0 with a passwordless login?

Yes, through WebAuthn, you can use YubiKeys as the sole factor for logging in passwordlessly. Auth0 also supports passwordless email magic links.

Does Auth0 support NFC authentication with YubiKeys?

Yes, Auth0 supports tap-and-go authentication via NFC with compatible YubiKeys, including the YubiKey 5C NFC.

What happens if a user loses their YubiKey device?

You can use a rule to allow a fallback to OTP codes if a YubiKey is lost. Users must then register a new security key.

Is there a limit to the number of YubiKeys per user?

There is no limit. Users can register multiple YubiKeys to their Auth0 account for backup.

How are stolen YubiKeys revoked in Auth0?

Users can remotely revoke lost YubiKeys by deleting them in their MFA setting page in the Auth0 dashboard.

Can Auth0 lockout users after X fails YubiKey authentication attempts?

Yes, you can create an Auth0 rule to lockout accounts after a number of failed MFA prompts using the failed Multi Factor Attempts counter.

Does using YubiKeys impact login performance?

Login times are slightly affected, but with optimizations like allowRememberBrowser, the impact is typically under 500 additional milliseconds.

How are YubiKeys secured against tampering or hardware attacks?

YubiKeys uses various defenses like encrypted memory, key wrapping, and anti-tampering coatings to protect against physical attacks.

Can inserting a YubiKey infect the computer with malware?

This is not possible as YubiKeys only allows read-only outbound data transfer. They cannot execute code or write data to a host computer.

Does Auth0 work with the blue FIDO U2F Security Keys?

Yes, Auth0 supports hardware security keys like those from Google, Feitian, HyperFIDO, and other major brands compatible with FIDO standards.

How does Auth0 help meet compliance requirements for MFA?

Auth0’s integrations with proven hardware keys like YubiKeys help satisfy MFA mandates in regulations like PCI DSS, GDPR, HIPAA, and state privacy laws.

What YubiKey configurations are needed to work with Auth0?

YubiKeys typically work out of the box. Depending on your flows, you may need to enable OTP or switch smart card mode off.

Priya Mervana

Verified Web Security Experts

Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.

What is a YubiKey: How to Set it up with Auth0?

Getting Started with YubiKey