MyPrivateClaw logo
MyPrivateClaw
Private AI Directory
Physical Security 18 min readApr 8· Updated Apr 11, 2026✓ Verified Apr 8, 2026

YubiKey 5C NFC: The Complete Security Guide

Set up two YubiKeys for SSH, GPG, FIDO2 passkeys, and NFC — and never get locked out.

yubikey fido2 ssh gpg passkeys mfa hardware-security

The YubiKey 5C NFC is the most versatile hardware security key available — USB-C for your Mac or Linux machine, NFC for your phone, and support for every modern authentication protocol. This guide covers the complete setup: initial configuration, SSH authentication for your private AI servers, GPG signing for git commits, FIDO2 passkeys for cloud accounts, and NFC use on iOS and Android. Critically, it covers the one rule most guides skip: always register two keys.

THE EDGE — WEEKLY DIGEST

Get more guides like this in your inbox

No spam. Unsubscribe anytime.

Why Two Keys — The Most Important Rule

Before anything else: buy two YubiKey 5C NFCs. Register both everywhere. Store the second key somewhere safe — a fireproof safe, a safety deposit box, or a trusted location that is not your primary workspace. This is not optional. If you lose your only YubiKey and you have enforced hardware MFA on your accounts, you will be locked out. Recovery processes for hardware-key-protected accounts are deliberately difficult (that is the point). Every step in this guide includes instructions for registering your backup key at the same time. Do not skip those steps.

WARNINGRegister both keys at every step. A single YubiKey with no backup is a single point of failure. The second key is not a luxury — it is the safety net that makes strong security practical.

What the YubiKey 5C NFC Supports

The 5C NFC supports every major authentication protocol in a single device: FIDO2/WebAuthn (passkeys and hardware MFA for websites and apps), FIDO U2F (legacy two-factor for older services), OpenPGP (GPG key storage for SSH and git signing), PIV/Smart Card (enterprise certificate-based auth), OATH-TOTP/HOTP (time-based one-time passwords, like Google Authenticator but hardware-backed), Yubico OTP (Yubico's own one-time password protocol), and NFC (tap-to-authenticate on iOS and Android). The USB-C connector works natively with every modern Mac, Linux machine, and Windows PC without an adapter. The key is rated IP68 waterproof, crush-resistant, and has no battery or moving parts.

Step 1: Initial Setup — Change Your PINs First

The YubiKey ships with default PINs that are publicly known. Change them before registering the key anywhere. Install YubiKey Manager (ykman) first — it is the command-line tool for all YubiKey configuration.

# Install YubiKey Manager via Homebrew brew install ykman # Verify the key is detected ykman info # Change the FIDO2 PIN (used for passkeys and FIDO2 SSH) # Default: none (you will be prompted to set one) ykman fido access change-pin # Change the OpenPGP PIN (used for GPG and SSH via GPG agent) # Default PIN: 123456 | Default Admin PIN: 12345678 ykman openpgp access change-pin ykman openpgp access change-admin-pin # Change the PIV PIN (used for smart card / certificate auth) # Default PIN: 123456 | Default PUK: 12345678 ykman piv access change-pin ykman piv access change-puk
TIPUse a PIN that is at least 8 characters and not a simple number sequence. The FIDO2 PIN is entered on your computer keyboard — it does not need to be numeric. A short passphrase works well.

Step 2: Enable Touch Confirmation

Touch confirmation requires a physical tap on the gold disc of the YubiKey before it performs any cryptographic operation. This prevents malware from silently using your key even if it is plugged in. Enable it for all three key slots.

bash
# Require touch for all OpenPGP operations (SSH, GPG signing, encryption)
ykman openpgp keys set-touch AUT on
ykman openpgp keys set-touch SIG on
ykman openpgp keys set-touch ENC on

# Require touch for FIDO2 operations
# (This is enforced by default on YubiKey 5 series — no action needed)

# Verify touch policy is set
ykman openpgp info

FIDO2 is the modern, recommended way to use a YubiKey for SSH. It is simpler than the GPG method and works natively with OpenSSH 8.3+. The private key never leaves the YubiKey — SSH generates a credential ID that references the key stored on the hardware. This section covers macOS, Linux, and Windows.

# macOS requires Homebrew OpenSSH (Apple's built-in lacks FIDO2 middleware) brew install openssh source ~/.profile # or restart your terminal # Generate a FIDO2 SSH key (ed25519-sk = ed25519 on a security key) # -O resident stores the credential on the YubiKey itself # -O verify-required enforces PIN entry on every use ssh-keygen -t ed25519-sk -O resident -O verify-required -C "yubikey-primary" # Repeat for your backup key (plug in the second YubiKey) ssh-keygen -t ed25519-sk -O resident -O verify-required -C "yubikey-backup" # Export the public key to add to servers cat ~/.ssh/id_ed25519_sk.pub
NOTEThe -O resident flag stores the credential on the YubiKey itself, not just on your computer. This means you can use the same SSH key from any machine by running ssh-keygen -K to load the credential from the key.

Step 4: Add Both SSH Keys to Your Servers

Add both the primary and backup YubiKey public keys to every server you want to access. This is the critical step where most people only add one key — and then get locked out when they lose it.

bash
# On your local machine — copy the primary key to the server
ssh-copy-id -i ~/.ssh/id_ed25519_sk.pub user@your-server

# Then manually add the backup key to authorized_keys on the server
# First, get the backup key's public key (plug in the backup YubiKey)
ssh-keygen -K  # loads resident credentials from the inserted key
cat ~/.ssh/id_ed25519_sk.pub  # copy this output

# On the server — add the backup key
echo "<paste-backup-key-here>" >> ~/.ssh/authorized_keys

# Verify both keys are in authorized_keys
cat ~/.ssh/authorized_keys

# Harden the SSH server to require FIDO2 User Verification
# Add this line to /etc/ssh/sshd_config:
# PubkeyAuthOptions verify-required
sudo systemctl restart sshd

Step 5: SSH Authentication via GPG (Alternative Method)

The GPG method is older and more complex than FIDO2, but it is useful if you need GPG key storage on the YubiKey for both SSH and code signing, or if your environment requires OpenPGP. This method stores an OpenPGP key on the YubiKey and uses the GPG agent as an SSH agent.

# Install GPG and pinentry brew install gnupg pinentry-mac # Edit the YubiKey's OpenPGP applet gpg --card-edit # In the gpg> prompt: admin # enable admin commands key-attr # set key type: choose ECC → Curve 25519 for all three keys generate # generate keys directly on the YubiKey (they never touch your disk) quit # Configure GPG agent for SSH support cat >> ~/.gnupg/gpg-agent.conf << 'EOF' enable-ssh-support default-cache-ttl 60 max-cache-ttl 120 pinentry-program /opt/homebrew/bin/pinentry-mac EOF # Add to ~/.zprofile (or ~/.bash_profile) cat >> ~/.zprofile << 'EOF' export GPG_TTY="$(tty)" export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) gpgconf --launch gpg-agent EOF source ~/.zprofile # Export the SSH public key ssh-add -L
WARNINGWhen generating keys with gpg --card-edit, the keys are generated directly on the YubiKey and cannot be exported. This is the most secure option but means you cannot clone the key. This is why registering a second YubiKey as a backup is essential — generate a separate GPG key on the backup key and add its SSH public key to all your servers.

Step 6: GPG Signing for Git Commits

Signing git commits with your YubiKey proves that commits attributed to you were actually made by you — not by someone who compromised your GitHub account. GitHub, GitLab, and Gitea all display a 'Verified' badge on signed commits.

bash
# Get your GPG key ID
gpg --list-secret-keys --keyid-format LONG
# Look for: sec>  ed25519/<KEY-ID>
# The > means the private key is on a hardware token (your YubiKey)

# Export your public key and add it to GitHub
gpg --armor --export <KEY-ID>
# Copy the output and paste it into:
# GitHub → Settings → SSH and GPG keys → New GPG key

# Configure git to sign all commits
git config --global user.signingkey <KEY-ID>
git config --global commit.gpgsign true
git config --global gpg.program gpg

# Test: make a commit and verify it is signed
git commit --allow-empty -m "test: verify GPG signing"
git log --show-signature -1

# For the backup YubiKey:
# Generate a separate GPG key on the backup key
# Export its public key and add it to GitHub as a second GPG key
# Both keys will show as Verified on your commits

Step 7: FIDO2 Passkeys for Cloud Accounts

FIDO2 passkeys replace passwords entirely for supported services. When you register a YubiKey as a passkey, the service stores your public key and your YubiKey stores the private key. Login requires physical possession of the key plus your PIN — no password to phish, no SMS code to intercept. Register both keys as passkeys on every critical account.

TIPPriority accounts to protect with YubiKey passkeys: GitHub (your code), Cloudflare (your DNS and CDN), AWS/GCP/Azure (your infrastructure), your domain registrar, and your email provider. These are the accounts that, if compromised, give an attacker access to everything else.

Registering Passkeys on GitHub (Both Keys)

GitHub supports YubiKey passkeys natively. Register both keys in the same session so you never get locked out.

bash
# GitHub passkey registration:
# 1. Go to github.com → Settings → Password and authentication
# 2. Under "Passkeys", click "Add a passkey"
# 3. Insert your primary YubiKey, enter your FIDO2 PIN, touch the key
# 4. Name it "YubiKey Primary"
# 5. Click "Add a passkey" again
# 6. Insert your backup YubiKey, enter its FIDO2 PIN, touch the key
# 7. Name it "YubiKey Backup"

# Verify both keys are registered:
# Settings → Password and authentication → Passkeys
# You should see two entries

Step 8: NFC Use on iPhone and Android

The YubiKey 5C NFC supports tap-to-authenticate on mobile devices. On iPhone, tap the gold disc of the YubiKey to the top of the phone (near the NFC antenna). On Android, tap it to the back of the phone. NFC works with any app or website that supports FIDO2/WebAuthn — including GitHub, Cloudflare, Google, and Microsoft accounts.

NOTEiPhone NFC works without any additional app for FIDO2 authentication in Safari. For OATH-TOTP codes (the 6-digit codes), install the Yubico Authenticator app from the App Store — it reads TOTP seeds stored on the YubiKey via NFC and displays the codes without storing them on your phone.

Step 9: Protecting Your Private AI Infrastructure

For practitioners running private AI infrastructure — local LLM servers, RunPod pods, Ollama instances, or private cloud deployments — the YubiKey adds a critical layer of protection. Use FIDO2 SSH keys (Step 3-4) to authenticate to your Mac mini or Mac Studio AI server. Use GPG signing (Step 6) to verify that automation scripts and deployment configs were authored by you. Use passkeys (Step 7) to protect your RunPod, Cloudflare, and cloud provider accounts. If you are running Hermes Agent or any autonomous AI agent that can execute shell commands, hardware-key-protected SSH is the correct authentication method — it ensures that even if an agent is compromised, it cannot authenticate to new servers without physical key presence.

Common Mistakes and How to Avoid Them

The most common mistake is registering only one key. The second most common is registering the backup key only on some accounts. The third is losing the backup key's PIN. Keep a record of which PIN belongs to which key (the keys have serial numbers — run ykman info to see them). Store the backup key's PIN separately from the key itself.

WARNINGNever store your backup YubiKey in the same location as your primary key. If both are stolen together, you have no backup. A fireproof safe at home or a safety deposit box are both good options for the backup key.

Recovery: What to Do If You Lose a Key

If you lose your primary key: use your backup key immediately. Log into every account and register a new primary key. Order a replacement. If you lose both keys: this is why recovery codes exist. Every service that supports hardware MFA also provides recovery codes at enrollment time. Store these codes in a password manager (Bitwarden, 1Password) or printed and locked in a safe. Recovery codes are the last resort — they are designed to be used exactly once to regain access and re-enroll new keys.

Where to Buy

The YubiKey 5C NFC is available directly from Yubico and on Amazon. Buy two — the cost of a second key (~$55) is trivial compared to the cost of being locked out of your infrastructure. Yubico's website ships from Sweden; Amazon typically ships faster for US buyers.

TIPOnly buy YubiKeys from Yubico directly or from Amazon sold and fulfilled by Amazon. Counterfeit YubiKeys have been found on third-party marketplaces. A counterfeit key could be pre-loaded with compromised firmware.
Read next