Not going to lie, I procrastinate A LOT, and one of the ways I do it is spending time on Reddit. One of the subreddits I spend a lot of time on is r/YubiKey, and there I see people asking all the time whether YubiKeys are unphishable. The answer is: it depends on which features you are using. So, let’s break down each of the YubiKey’s authentication features and see which ones are unphishable.
Let’s start with the most popular buzzword of the last few years in the identity security space: FIDO2. FIDO2 is cryptography-based authentication (basically the same technology as PIV or smartcard authentication; you can read more about the difference between FIDO2 and smartcard authentication here) but without the need for a PKI. This is unphishable because the private key never leaves the YubiKey (so an attacker can’t trick the user into handing over the credential, short of someone asking for your physical key and PIN, which you should not give them), and for registered FIDO2 credentials (there are two types of credentials, but more on that in another blog post) the browser also verifies that the request is coming from an approved domain, making it very hard for an attacker to fool the user into signing in to a look-alike site.
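As an added illustration (not code from the original post), here is how a relying party’s server side can perform the origin and RP ID checks that give FIDO2/WebAuthn its phishing resistance; the RP ID, expected origin, challenge and the sample clientDataJSON/authenticatorData are constructed assumptions, and the public-key signature check is left out to keep the focus on the domain binding.

```python
import base64
import hashlib
import json

# Relying party configuration (constructed for this example).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://login.example.com"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes) -> bool:
    """Origin/RP ID checks of a WebAuthn assertion (signature check omitted)."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False
    # Challenge must be the one this server issued (stops replay).
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False
    # The browser writes the origin itself; a look-alike site cannot forge
    # it, so a phishing page produces a mismatch here.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False
    # authenticatorData starts with SHA-256 of the RP ID the browser passed
    # to the key; the key only signs for the RP ID of the page it is on.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    return True

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Build a clientDataJSON blob the way a browser would (constructed)."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()

# Constructed sample: a server-issued challenge and authenticatorData
# (rpIdHash || flags || 4-byte signature counter).
CHALLENGE = bytes(range(32))
AUTH_DATA = hashlib.sha256(RP_ID.encode()).digest() + b"\x01\x00\x00\x00\x05"

def demo() -> tuple:
    """Legitimate origin is accepted; a look-alike phishing origin is not."""
    legit = make_client_data(EXPECTED_ORIGIN, CHALLENGE)
    lookalike = make_client_data("https://login.example-com.net", CHALLENGE)
    return (verify_assertion_binding(legit, AUTH_DATA, CHALLENGE),
            verify_assertion_binding(lookalike, AUTH_DATA, CHALLENGE))
```

In a real deployment the same function would go on to verify the authenticator’s signature over authenticatorData plus the SHA-256 of clientDataJSON with the public key stored at registration.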
YubiKey PIV authentication (or smartcard authentication) is only available in the YubiKey 5 series and, according to US Executive Order 14028, it is the recommended way to authenticate (learn how to set up PIV authentication in Azure CBA). This is the way governments and government contractors have protected their identities for decades. The method uses a cryptographic certificate whose private key is protected by a hardware key (in this case the YubiKey), and each time the user authenticates, the YubiKey signs the request. Since the private key never leaves the YubiKey, this is also considered an unphishable method.
The last YubiKey authentication method (not counting their authenticator app with codes, which, as you probably know, can be phished) is OTP (One-Time Passcodes). This method is used as a second factor, and you have probably activated it by mistake at some point (it is what happens when you touch your YubiKey and it types gibberish). Since it is used in addition to a password, an attacker can create a fake site where you enter your password and your YubiKey OTP and then use both to authenticate to the real service on your behalf, which makes it a phishable credential. While it is not as secure as FIDO2 or PIV, it is still a great way to protect accounts on services that do not support FIDO2 authentication (looking at you, Bitwarden).
As with many other security questions, the answer is, “It depends,” but it sure is way more secure than not having a YubiKey. Even if you lose your YubiKey, your accounts are secure from unauthorized access (and you also look cool plugging in a YubiKey to authenticate; as one intern once told me when I was explaining how we used YubiKeys to protect our infrastructure, “the YubiKey is your VIP card to access corporate resources.”).