The YubiKey 5C NFC is the most versatile hardware security key available — USB-C for your Mac or Linux machine, NFC for your phone, and support for every modern authentication protocol. This guide covers the complete setup: initial configuration, SSH authentication for your private AI servers, GPG signing for git commits, FIDO2 passkeys for cloud accounts, and NFC use on iOS and Android. Critically, it covers the one rule most guides skip: always register two keys.
Get more guides like this in your inbox
No spam. Unsubscribe anytime.
Why Two Keys — The Most Important Rule
Before anything else: buy two YubiKey 5C NFCs. Register both everywhere. Store the second key somewhere safe — a fireproof safe, a safety deposit box, or a trusted location that is not your primary workspace. This is not optional. If you lose your only YubiKey and you have enforced hardware MFA on your accounts, you will be locked out. Recovery processes for hardware-key-protected accounts are deliberately difficult (that is the point). Every step in this guide includes instructions for registering your backup key at the same time. Do not skip those steps.
What the YubiKey 5C NFC Supports
The 5C NFC supports every major authentication protocol in a single device: FIDO2/WebAuthn (passkeys and hardware MFA for websites and apps), FIDO U2F (legacy two-factor for older services), OpenPGP (GPG key storage for SSH and git signing), PIV/Smart Card (enterprise certificate-based auth), OATH-TOTP/HOTP (time-based one-time passwords, like Google Authenticator but hardware-backed), Yubico OTP (Yubico's own one-time password protocol), and NFC (tap-to-authenticate on iOS and Android). The USB-C connector works natively with every modern Mac, Linux machine, and Windows PC without an adapter. The key is rated IP68 waterproof, crush-resistant, and has no battery or moving parts.
Step 1: Initial Setup — Change Your PINs First
The YubiKey ships with default PINs that are publicly known. Change them before registering the key anywhere. Install YubiKey Manager (ykman) first — it is the command-line tool for all YubiKey configuration.
# Install YubiKey Manager via Homebrew
brew install ykman
# Verify the key is detected
ykman info
# Change the FIDO2 PIN (used for passkeys and FIDO2 SSH)
# Default: none (you will be prompted to set one)
ykman fido access change-pin
# Change the OpenPGP PIN (used for GPG and SSH via GPG agent)
# Default PIN: 123456 | Default Admin PIN: 12345678
ykman openpgp access change-pin
ykman openpgp access change-admin-pin
# Change the PIV PIN (used for smart card / certificate auth)
# Default PIN: 123456 | Default PUK: 12345678
ykman piv access change-pin
ykman piv access change-pukStep 2: Enable Touch Confirmation
Touch confirmation requires a physical tap on the gold disc of the YubiKey before it performs any cryptographic operation. This prevents malware from silently using your key even if it is plugged in. Enable it for all three key slots.
# Require touch for all OpenPGP operations (SSH, GPG signing, encryption)
ykman openpgp keys set-touch AUT on
ykman openpgp keys set-touch SIG on
ykman openpgp keys set-touch ENC on
# Require touch for FIDO2 operations
# (This is enforced by default on YubiKey 5 series — no action needed)
# Verify touch policy is set
ykman openpgp infoStep 3: SSH Authentication with FIDO2 (Recommended Method)
FIDO2 is the modern, recommended way to use a YubiKey for SSH. It is simpler than the GPG method and works natively with OpenSSH 8.3+. The private key never leaves the YubiKey — SSH generates a credential ID that references the key stored on the hardware. This section covers macOS, Linux, and Windows.
# macOS requires Homebrew OpenSSH (Apple's built-in lacks FIDO2 middleware)
brew install openssh
source ~/.profile # or restart your terminal
# Generate a FIDO2 SSH key (ed25519-sk = ed25519 on a security key)
# -O resident stores the credential on the YubiKey itself
# -O verify-required enforces PIN entry on every use
ssh-keygen -t ed25519-sk -O resident -O verify-required -C "yubikey-primary"
# Repeat for your backup key (plug in the second YubiKey)
ssh-keygen -t ed25519-sk -O resident -O verify-required -C "yubikey-backup"
# Export the public key to add to servers
cat ~/.ssh/id_ed25519_sk.pubStep 4: Add Both SSH Keys to Your Servers
Add both the primary and backup YubiKey public keys to every server you want to access. This is the critical step where most people only add one key — and then get locked out when they lose it.
# On your local machine — copy the primary key to the server
ssh-copy-id -i ~/.ssh/id_ed25519_sk.pub user@your-server
# Then manually add the backup key to authorized_keys on the server
# First, get the backup key's public key (plug in the backup YubiKey)
ssh-keygen -K # loads resident credentials from the inserted key
cat ~/.ssh/id_ed25519_sk.pub # copy this output
# On the server — add the backup key
echo "<paste-backup-key-here>" >> ~/.ssh/authorized_keys
# Verify both keys are in authorized_keys
cat ~/.ssh/authorized_keys
# Harden the SSH server to require FIDO2 User Verification
# Add this line to /etc/ssh/sshd_config:
# PubkeyAuthOptions verify-required
sudo systemctl restart sshdStep 5: SSH Authentication via GPG (Alternative Method)
The GPG method is older and more complex than FIDO2, but it is useful if you need GPG key storage on the YubiKey for both SSH and code signing, or if your environment requires OpenPGP. This method stores an OpenPGP key on the YubiKey and uses the GPG agent as an SSH agent.
# Install GPG and pinentry
brew install gnupg pinentry-mac
# Edit the YubiKey's OpenPGP applet
gpg --card-edit
# In the gpg> prompt:
admin # enable admin commands
key-attr # set key type: choose ECC → Curve 25519 for all three keys
generate # generate keys directly on the YubiKey (they never touch your disk)
quit
# Configure GPG agent for SSH support
cat >> ~/.gnupg/gpg-agent.conf << 'EOF'
enable-ssh-support
default-cache-ttl 60
max-cache-ttl 120
pinentry-program /opt/homebrew/bin/pinentry-mac
EOF
# Add to ~/.zprofile (or ~/.bash_profile)
cat >> ~/.zprofile << 'EOF'
export GPG_TTY="$(tty)"
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent
EOF
source ~/.zprofile
# Export the SSH public key
ssh-add -LStep 6: GPG Signing for Git Commits
Signing git commits with your YubiKey proves that commits attributed to you were actually made by you — not by someone who compromised your GitHub account. GitHub, GitLab, and Gitea all display a 'Verified' badge on signed commits.
# Get your GPG key ID
gpg --list-secret-keys --keyid-format LONG
# Look for: sec> ed25519/<KEY-ID>
# The > means the private key is on a hardware token (your YubiKey)
# Export your public key and add it to GitHub
gpg --armor --export <KEY-ID>
# Copy the output and paste it into:
# GitHub → Settings → SSH and GPG keys → New GPG key
# Configure git to sign all commits
git config --global user.signingkey <KEY-ID>
git config --global commit.gpgsign true
git config --global gpg.program gpg
# Test: make a commit and verify it is signed
git commit --allow-empty -m "test: verify GPG signing"
git log --show-signature -1
# For the backup YubiKey:
# Generate a separate GPG key on the backup key
# Export its public key and add it to GitHub as a second GPG key
# Both keys will show as Verified on your commitsStep 7: FIDO2 Passkeys for Cloud Accounts
FIDO2 passkeys replace passwords entirely for supported services. When you register a YubiKey as a passkey, the service stores your public key and your YubiKey stores the private key. Login requires physical possession of the key plus your PIN — no password to phish, no SMS code to intercept. Register both keys as passkeys on every critical account.
Registering Passkeys on GitHub (Both Keys)
GitHub supports YubiKey passkeys natively. Register both keys in the same session so you never get locked out.
# GitHub passkey registration:
# 1. Go to github.com → Settings → Password and authentication
# 2. Under "Passkeys", click "Add a passkey"
# 3. Insert your primary YubiKey, enter your FIDO2 PIN, touch the key
# 4. Name it "YubiKey Primary"
# 5. Click "Add a passkey" again
# 6. Insert your backup YubiKey, enter its FIDO2 PIN, touch the key
# 7. Name it "YubiKey Backup"
# Verify both keys are registered:
# Settings → Password and authentication → Passkeys
# You should see two entriesStep 8: NFC Use on iPhone and Android
The YubiKey 5C NFC supports tap-to-authenticate on mobile devices. On iPhone, tap the gold disc of the YubiKey to the top of the phone (near the NFC antenna). On Android, tap it to the back of the phone. NFC works with any app or website that supports FIDO2/WebAuthn — including GitHub, Cloudflare, Google, and Microsoft accounts.
Step 9: Protecting Your Private AI Infrastructure
For practitioners running private AI infrastructure — local LLM servers, RunPod pods, Ollama instances, or private cloud deployments — the YubiKey adds a critical layer of protection. Use FIDO2 SSH keys (Step 3-4) to authenticate to your Mac mini or Mac Studio AI server. Use GPG signing (Step 6) to verify that automation scripts and deployment configs were authored by you. Use passkeys (Step 7) to protect your RunPod, Cloudflare, and cloud provider accounts. If you are running Hermes Agent or any autonomous AI agent that can execute shell commands, hardware-key-protected SSH is the correct authentication method — it ensures that even if an agent is compromised, it cannot authenticate to new servers without physical key presence.
Common Mistakes and How to Avoid Them
The most common mistake is registering only one key. The second most common is registering the backup key only on some accounts. The third is losing the backup key's PIN. Keep a record of which PIN belongs to which key (the keys have serial numbers — run ykman info to see them). Store the backup key's PIN separately from the key itself.
Recovery: What to Do If You Lose a Key
If you lose your primary key: use your backup key immediately. Log into every account and register a new primary key. Order a replacement. If you lose both keys: this is why recovery codes exist. Every service that supports hardware MFA also provides recovery codes at enrollment time. Store these codes in a password manager (Bitwarden, 1Password) or printed and locked in a safe. Recovery codes are the last resort — they are designed to be used exactly once to regain access and re-enroll new keys.
Where to Buy
The YubiKey 5C NFC is available directly from Yubico and on Amazon. Buy two — the cost of a second key (~$55) is trivial compared to the cost of being locked out of your infrastructure. Yubico's website ships from Sweden; Amazon typically ships faster for US buyers.