Yubico
Category
Type: Hardware security key

Yubico is the company behind the YubiKey, a hardware security key that authenticates users through a physical device rather than a password or phone-based factor. YubiKeys work by generating cryptographic responses on-device, with private keys that never leave the hardware. No battery, no network connection, no software required on the client side - users plug in or tap to authenticate.

Authsignal is certified in the Works With YubiKey program, supporting YubiKey authentication via FIDO2/WebAuthn and one-time password (OTP). Because Authsignal is a FIDO2/WebAuthn-compliant server, any FIDO2-capable YubiKey can be registered and used as a passwordless authenticator or as a phishing-resistant second factor within Authsignal's challenge flows. Combined with Authsignal's no-code rules engine, teams can enforce YubiKey authentication on specific actions - high-value transactions, admin access, account recovery - without rebuilding their auth stack.

Compatible YubiKey models:

Authsignal supports the following YubiKeys via FIDO2/WebAuthn and OTP:

Security Key Series: Security Key NFC, Security Key C NFC

YubiKey 5 Series: YubiKey 5 NFC, YubiKey 5 Nano, YubiKey 5C, YubiKey 5C NFC, YubiKey 5C Nano, YubiKey 5Ci

YubiKey 5 FIPS Series: YubiKey 5 NFC FIPS, YubiKey 5 Nano FIPS, YubiKey 5C FIPS, YubiKey 5C NFC FIPS, YubiKey 5C Nano FIPS, YubiKey 5Ci FIPS

YubiKey Bio Series: YubiKey Bio - FIDO Edition, YubiKey Bio C - FIDO Edition

Who this integration is for:

  • Organisations in regulated industries requiring phishing-resistant MFA at NIST AAL2 or AAL3
  • Enterprise teams managing shared workstations or environments where phone-based auth is impractical
  • Security-conscious teams wanting to enforce hardware-backed authentication for privileged or admin users
  • Any team already distributing YubiKeys that wants to plug them into Authsignal's challenge flows

Key benefits:

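  • Phishing-resistant by design - FIDO2/WebAuthn authentication is bound to the registered origin, so a credential registered for the real site cannot be exercised from a look-alike domain. This makes credential theft through phishing ineffective regardless of how the user is targeted. The binding is a property of the FIDO2/WebAuthn mode; OTP codes are not origin-bound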
  • No software or battery required - Users insert or tap their YubiKey to authenticate. Nothing to install, nothing to charge
  • Multi-protocol support - The YubiKey 5 Series supports FIDO2/WebAuthn, FIDO U2F, OTP, PIV smart card, and OpenPGP on a single key, allowing the same hardware to cover multiple authentication contexts
  • FIPS-validated options - The YubiKey 5 FIPS Series meets FIPS 140-2 validation requirements, suitable for government and highly regulated environments needing AAL3 compliance
  • Works with Authsignal's rules engine - Use Authsignal's no-code rules to require YubiKey authentication at specific trigger points - high-risk transactions, privilege escalation, or user-defined step-up flows
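
The origin binding described under "Phishing-resistant by design" comes down to a few checks a WebAuthn relying-party server makes on every assertion. The sketch below is an added example, not Authsignal's or Yubico's code; the RP ID, origins, challenge and function names are constructed for illustration, and the signature verification over the authenticator data and client-data hash, which a real server must also perform, is left out.

```python
import base64
import hashlib
import hmac
import json

RP_ID = "login.example.com"           # constructed relying-party ID
ORIGIN = "https://login.example.com"  # constructed registered origin
CHALLENGE = bytes(range(32))          # constructed; a real server uses fresh random bytes

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_binding(client_data_json, authenticator_data, challenge, origin, rp_id):
    """Return the names of failed binding checks; an empty list means all passed."""
    failures = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failures.append("type")
    sent = str(client.get("challenge", "")).encode()
    if not hmac.compare_digest(sent, b64url(challenge).encode()):
        failures.append("challenge")
    if client.get("origin") != origin:  # exact match on the browser-reported origin
        failures.append("origin")
    if len(authenticator_data) < 37:    # rpIdHash(32) + flags(1) + signCount(4)
        return failures + ["authenticator_data_length"]
    expected_hash = hashlib.sha256(rp_id.encode()).digest()
    if not hmac.compare_digest(authenticator_data[:32], expected_hash):
        failures.append("rp_id_hash")
    if not authenticator_data[32] & 0x01:  # User Present: the key was touched
        failures.append("user_present")
    return failures

def sample_assertion(origin, rp_id, challenge):
    """Constructed stand-in for what a browser and security key would return."""
    fields = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    flags = 0x01 | 0x04  # User Present and User Verified; counter below is constructed
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (7).to_bytes(4, "big")
    return json.dumps(fields).encode(), auth_data

def demo():
    genuine = sample_assertion(ORIGIN, RP_ID, CHALLENGE)
    lookalike = sample_assertion(
        "https://login.example-support.com", "login.example-support.com", CHALLENGE
    )
    return (check_binding(*genuine, CHALLENGE, ORIGIN, RP_ID),
            check_binding(*lookalike, CHALLENGE, ORIGIN, RP_ID))

if __name__ == "__main__":
    print(demo())
```

An assertion collected on the look-alike origin fails both the origin and the RP ID hash check, even though the user touched a genuine key and the challenge was relayed correctly.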

Prerequisites:

  • An Authsignal account with WebAuthn/security keys enabled as an authenticator
  • A compatible YubiKey (any model listed above)
  • A browser and operating system with FIDO2/WebAuthn support (Chrome, Firefox, Safari, Edge on current Windows, macOS, Linux, or Android)

How it works:

Authsignal handles YubiKey authentication through its standard WebAuthn/passkeys authenticator. There is no separate YubiKey-specific configuration in the Authsignal Portal - once WebAuthn is enabled, users can register any FIDO2-capable security key, including a YubiKey, during the enrollment flow.

Setup steps:

  1. Log in to the Authsignal Portal
  2. Navigate to Authenticators and ensure Security keys (WebAuthn) is enabled
  3. Users enroll their YubiKey through the standard WebAuthn registration flow - insert the key, tap when prompted, and the credential is stored
