Back to archive Reading progress

YubiKey Terms: Device-Bound Credentials, OATH, PIV, and OTP Explained

YubiKey feels confusing because it is not one feature. It is a small hardware device that can support several authentication systems.

“Device-bound credential,” “OATH seed,” “PIV certificate,” and “OTP seed” are not four names for the same thing. They are different layers.

To understand a YubiKey, first ask what kind of authentication the website or system expects.

Device-bound credentials: FIDO/WebAuthn passkeys

This is the most important category for many ordinary users.

FIDO2/WebAuthn creates a unique public-private key pair for each website or app. The public key is stored by the service. The private key stays on the YubiKey or device and is not exported.

At sign-in, the site sends a challenge. The YubiKey signs it with the private key, and the server verifies it with the public key. The server never needs your private key, and there is no reusable password-style secret to steal.

This is the model used by many services that support security keys or passkeys, including Google, Microsoft, and GitHub.

OATH: hardware one-time codes

OATH is a different system.

Yubico documentation explains that YubiKeys support OATH standards for generating one-time passwords. TOTP is time-based and often refreshes every 30 seconds. HOTP is counter-based and advances after use.

This is like putting authenticator-app secrets into a hardware key. The advantage is that the credential lives on the YubiKey and can move with it between devices.

OATH codes are usually a second factor. They should not carry the whole account by themselves.

PIV: enterprise smart-card certificates

PIV is more common in enterprise and professional environments.

It lets a YubiKey act as a smart card that stores X.509 certificates for Windows, macOS, internal enterprise systems, signing, and identity verification.

Most personal users will not use PIV daily. Company IT, developers, and certificate-based login workflows are more likely to need it.

Yubico OTP: older, but still seen

Yubico OTP is one of the older YubiKey modes. Press the key and it outputs a long one-time string that Yubico or a company server verifies.

It is not the same as a 6-digit OATH-TOTP code, and it is not the same as a WebAuthn passkey.

How to choose

  1. If the service supports passkeys or security keys, prefer FIDO/WebAuthn.
  2. If it only supports 6-digit authenticator codes, use OATH-TOTP.
  3. If your company requires smart-card or certificate login, use PIV.
  4. If an older system specifically requires Yubico OTP, use the OTP slot.

The value of a YubiKey is not merely “one more code.” It moves login away from copyable secrets and toward hardware-bound credentials.

This article corrects terminology boundaries using Yubico Passkeys and OATH overview documentation. It is general digital security education.

Contents