YubiKey NEO

From Jeremy Bryan Smith
Revision as of 06:02, 28 May 2025 by Jeremy (talk | contribs) (Created page with " '''YubiKey NEO''' <span style="font-size:90%;">(2012–2018, USB-A + NFC hardware authenticator by Yubico)</span> == Overview == The YubiKey NEO is a multi-protocol hardware token combining USB-A and NFC interfaces. It supports both HID (keyboard) and CCID (smart-card) modes and MIFARE Classic 1 k. == Supported Applications == * '''One-Time Passwords (OTP)''' ** Two independent OTP slots, each programmable as: *** Yubico OTP (ModHex, 32 chars) *** HMAC-SHA1 Challe...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

YubiKey NEO (2012–2018, USB-A + NFC hardware authenticator by Yubico)

Overview

The YubiKey NEO is a multi-protocol hardware token combining USB-A and NFC interfaces. It supports both HID (keyboard) and CCID (smart-card) modes and MIFARE Classic 1 k.

Supported Applications

  • One-Time Passwords (OTP)
    • Two independent OTP slots, each programmable as:
      • Yubico OTP (ModHex, 32 chars)
      • HMAC-SHA1 Challenge-Response
      • Static Password
      • OATH-HOTP (counter-based)
    • Delivered over USB HID or NFC (configurable NDEF URL)
  • FIDO U2F
    • Unlimited per-site credentials
    • USB HID or NFC for universal second-factor flows
  • OATH (HOTP & TOTP)
    • Stores up to 28 OATH credentials
    • Accessed in CCID smart-card mode via Yubico Authenticator
  • PIV Smart Card (CCID)
    • Certificate-based login, SSH, code-signing
    • RSA 1024 and RSA 2048 key support
  • OpenPGP Card (CCID)
    • OpenPGP Smart Card v2.0 for GnuPG
    • RSA 1024 and RSA 2048 key support

Physical & Interface

  • Connector: USB-A (USB 2.0)
  • NFC: Contactless NDEF + MIFARE Classic 1 k
  • Dimensions: 18 × 45 × 3.3 mm
  • Weight: 3 g

Limitations (vs. Later YubiKeys)

  • No FIDO2/WebAuthn (CTAP2) support
  • Smart-card key size capped at RSA 2048 bits
  • USB-A only (no USB-C)
  • No FIDO2 resident (client-side) credentials or passwordless flows
  • OATH-HOTP/TOTP only via CCID (no direct OTP keystroke)

Comparison with Other Models

Feature YubiKey NEO YubiKey 4 YubiKey 5 NFC
NFC Yes No Yes
FIDO U2F Yes Yes Yes
FIDO2/WebAuthn (CTAP2) No No Yes
OTP (Yubico/OATH-HOTP) Yes (slots + CCID) Yes Yes
Smart Card (PIV/OpenPGP) Yes (≤ 2048 bit) Yes (≤ 4096 bit) Yes (≤ 4096 bit)
USB Port USB-A USB-A / USB-C (4C) USB-A & USB-C
Resident Credentials No No Yes

Support

Setup

Basic setup for use as OTP:

Install ykman: 

jeremy@computer $ sudo snap install ykman

Generate an OTP, along with a private ID and key: 

jeremy@computer $ ykman otp yubiotp 1 --serial-public-id --generate-private-id --generate-key 

Using YubiKey serial as public ID: vvccccsfudhp
Using a randomly generated private ID: 7e5a8b0c664f
Using a randomly generated secret key: 735c8a8b7e8f7c980d6ac716fe8sff34
Program a YubiOTP credential in slot 1? [y/N]: y

Now go to this URL and enter the results to register it: https://upload.yubico.com/

Now you can press the button on the YubiKey in different programs and websites to use it as an OTP.

Retrieved from "https://wiki.jeremybryansmith.com/index.php?title=YubiKey_NEO&oldid=470"