YubiKey Security FAQ
The following frequently asked questions (FAQ) answer common questions about YubiKeys security, within the context of using them to provision your Alexa Connect Kit (ACK)-based devices.
- Why do I have to keep my YubiKey secure?
- When a user registers a device with Alexa, Amazon uses the product certificate to verify that your device is authentic. If a YubiKey goes missing, someone else could use it to produce counterfeit devices that contain valid certificates.
- What's a YubiKey PIN and PUK? and how are they used?
- To use your self-managed YubiKeys, you need a unique PIN and PUK. These are used for the following tasks:
- PIN – A unique code that authorizes your use of a YubiKey. The PIN is supplied to you in a text file after you purchase your keys. You can share the PIN with your manufacturing facilities, but you must keep it secure. If you enter an incorrect PIN three times, the YubiKey locks and becomes temporarily unusable.
- PUK – A unique code that unlocks a locked YubiKey. For example, if a YubiKey locks after too many incorrect pin attempts. This code is generated when you program your YubiKey. Keep your PUK secure. Don't share your PUK with anyone else, including your manufacturing facilities.
- What should I do if a YubiKey goes missing?
- If a YubiKey goes missing, contact ACK support immediately and report the YubiKey missing.
- How can I help keep my YubiKeys secure?
- Use the following tips to help keep your YubiKeys safe
- Avoid programming more YubiKeys then required. Only create the number of YubiKeys that you need.
- Create a tracking and auditing system for your YubiKeys. You should implement this process with your manufacturing facility to ensure YubiKeys are stored and used securely. For example, you could log YubiKey use and returns, so that there is clear documentation of when YubiKeys are checked out at the start of each production run day and checked in at the end of each production run day.
- When distributing the YubiKey to your manufacturing facility use secure tracking mechanisms to ensure that the YubiKeys are delivered to the intended recipient. You can also distribute the YubiKey PIN separately, using secure communication with the intended recipient.
- Your manufacturing facility should employ a process to restrict access to your YubiKey PIN. The PIN must be kept securely and separated from the physical YubiKey.
- When you create your own YubiKeys, keep the PUK secure within your organization. Don't share the PUK with your manufacturing facility or any third parties. Instead employ a secure process so your manufacturing facility can return the locked YubiKey to you so that you can unlock them using the PUK you have secured within your organization.