YubiKey Overview

YubiKey is the certifying authority that issues trusted product certificates to your Alexa Connect Kit (ACK)-based devices.

When you provision your ACK modules on your manufacturing line, you must use a YubiKey Hardware Security Module (HSM) to authenticate the ACK Module Utility provisioning commands. For example, you must plug a YubiKey into your ACK module debugging port before running the Module Utility provision command.

After your device receives its trusted product certificate, it can be registered with Alexa and the ACK services.

YubiKey management process

When working with ACK-based devices, choose one of the two YubiKey management processes:

  • YubiKeys provided by Amazon – Contact Amazon to supply YubiKeys for each of your virtual products.
  • Self-managed YubiKeys – Purchase YubiKeys from a YubiKey vendor of your choice and program them yourself, for each of your virtual products.

YubiKeys provided by Amazon

Amazon programs the product certificates on your YubiKeys and ships them to you. You must work with Amazon directly for initial or subsequent programming. When you want to update or replace your YubiKeys, you must contact Amazon.

For example, if a YubiKey locks during a manufacturing run, you have to contact Amazon to unlock it. Depending on the severity of the problem, this could block your manufacturing line or reduce your production capacity until it's replaced.

Self-managed YubiKeys

You manage the lifecycle of your YubiKeys, including any initial or subsequent programming. Your YubiKeys are shipped to you with the appropriate attestation certificates preinstalled.

You can then distribute the YubiKeys to your manufacturing facilities to mass produce your ACK-based products. As a result, you don't have to contact Amazon to update or replace your YubiKeys if a problem occurs.

To use your self-managed YubiKeys, you use a unique PIN and PUK for the following tasks:

  • PIN – A unique code that authorizes your use of a YubiKey. The PIN is supplied to you in a text file after you purchase your keys. You can share the PIN with your manufacturing facilities, but you must keep it secure. If you enter an incorrect PIN three times, the YubiKey locks and becomes temporarily unusable.
  • PUK – A unique code that unlocks a locked YubiKey, such as when a YubiKey locks after too many incorrect PIN attempts. This code is generated when you program your YubiKey. Keep your PUK secure. Don't share your PUK with anyone else, including your manufacturing facilities.

Provision ACK modules with a YubiKey

For more details about how to provision ACK modules with YubiKeys, see Tutorials: Module Provisioning.