What’s the background of Yubikey?
The YubiKey is a hardware authentication device that supports one-time passwords, public key encryption and authentication, and the Universal 2nd Factor (U2F) protocol, which is an international standard for a smooth authentication experience (see https://fidoalliance.org). It enables users to securely log into their accounts by emitting one-time passwords or using a FIDO-based public/private key pair generated by the device.
YubiKey also allows for storing static passwords for use at sites that don't support one-time passwords. A couple of big-name supporters include Facebook, which uses YubiKey for employee credentials, and Google, which supports it for both employees and users. Some password managers also support YubiKey.
The YubiKey implements the HMAC-based one-time password algorithm (HOTP) and the time-based one-time password algorithm (TOTP), and identifies itself as a keyboard that delivers the one-time password over the USB HID protocol. The YubiKey NEO and YubiKey 4 include protocols such as OpenPGP card using 2,048-bit RSA. It enables users to sign, encrypt and decrypt messages without revealing the private keys. The fourth-generation YubiKey supports OpenPGP with 4,096-bit RSA keys, and PKCS#11 support for PIV smart cards, a feature that allows for code signing of Docker images.
Yubico replaced all open-source components in the YubiKey 4 with closed-source code. Yubico states that internal and external review of its code is done, and its CEO posted a defence of the move at www.yubico.com/2016/05/secure-hardware-vs-open-source.