yubicoyubikey

How to tell which application my Yubikey is using?


According to Yubico, the Yubikey 5 supports many different "applications": OTP, OATH, PIV, and FIDO/U2F to name the main ones.

My question is... how do I know which one my Yubikey is using for a given website?

For example, say I register my key to protect my Google account. When I log into Google and it tells me to press the button... is it using OTP? FIDO/U2F? OATH? Magic?

I can't seem to find any information on this, but it seems like an important question because by default it seems like pressing the button is sending keyboard strokes to the computer in the form of a OTP that needs to be authenticated against YubiCloud which I don't necessarily want.


Solution

  • In general, when you are asked to tap your YubiKey in a text field, which then emits a 44-character string "cccc....", you are using OTP. If a modal dialog pops up asking you for a security key (or a passkey), you are using FIDO. Other YubiKey applications are not often seen on web sites. Google in particular uses FIDO these days.