Yubico Forum

Hey there!

In your opinion, which is the best solution, Yubikey vs Google Authenticator?


I'm currently using Yubikey but I might start using google authenticator instead.

With Google Authenticator, all your secrets are held on your phone, protected only by the device's encryption (if you enable it) and Android's isolation of application storage from other applications (if not rooted). Anyone getting hold of your unlocked phone can access your credentials.

With the Yubikey, the secrets are held on a specialist security device and cannot be read out at all. If you have an Android device that works with your Yubikey Neo using NFC, it is really no more difficult to use the Yubikey system than Google Authenticator.

I'm also not sure if the keys in Google Authenticator will be transferred to a new phone when you upgrade. The credentials on the yubikey will be available on any phone which can run the yubico authenticator app.

Worst case, the secret used by the Google Authenticator app can be manually transferred to a new phone if necessary.



Not quite true. My Galaxy Note 3 runs the Yubico Authenticator app but is unable to read either of my NEOs via NFC.

Ok, fair enough, I am assuming that the device is NFC compatible and works with the ykneo.

[My emphasis]

One doesn't need to read the contents of a yubikey. The fact that the OTPs are not time-based makes it easier to "hack" than google-authenticator. All you've to do is get someone's yubikey, mail yourself some OTPs and then use them. Of-course once an OTP is used, all the past OTPs will be useless but still.

I find Google-Authenticator in an encrypted password protected device much more secure than yubikey. I created this thread to be proved otherwise, as I might be starting to think that I made the wrong choice by going with Yubikey.

Thank you all for posting on this thread btw.

Yubico Authenticator supports both event-based (HOTP) and time-based (TOTP) credentials, as does Google Authenticator, so this isn't really a differentiator as long as you have a good password on your YubiOATH app.

Adding to darco's answer, the majority of services online use TOTP, so you cannot generate OTPs in advance unless you have access to the secret and know the time you want the OTP for (typically a 30 second window, with the server making some allowance for entry time and clock skew).

I have credentials for Google, Microsoft, Dropbox, Facebook, Tumblr and github on my Yubikey Neo. All are TOTP credentials.


The only event-based credentials I have are those I use with the Yubikey's 'touch button' capabilities: Yubico OTP (which I don't use much) and Symantec VIP (which I use with PayPal). I also have event based hardware OTP setups from two UK banks - HSBC uses a self-contained PIN protected token and Nationwide use a small device that works with the Chip Authentication Program feature on their cards.

My Galaxy Note 3 works fine with my Neo, though I'm running a different country version to you and therefore different firmware (mine is BTU - United Kingdom unbranded). I will undoubtedly have different apps loaded to you. It's possible you have an app that is interfering with Yubico Authenticator and/or Yubiclip's use of NFC.


I'm therefore able to generate OTPs using the Authenticator app on my phone over NFC, or by using the Authenticator app on my laptop with the Neo in a USB slot.

My take on this question is the following:

Google Authenticator is a piece of software that uses well know algorithms to generate on screen displayed codes (smartphones, tablets, pc).
In this scenario you have to trust your phone's hard-drive (tablet, pc, etc..) to store the secrets. These devices are often Internet connected.

The Yubikey stores the secrets into the secure element. It is not an Internet connected device. The same well known algorithms are later on used to spit out the codes exactly as the Google Authenticator does onto the smartphone, tablets etc. However the secrets never leave the Yubike's secure element

The Yubikey applet can be password protected.
The Google Authenticator doesn't (on iOS, however it could be easily added ), it just prevents the average Joe to pick up the phone, start the App and steal couple of codes.

The real question here is 'do you trust storing secrets on the "designed storage" for your device app or you rather store them onto an offline device's secure element?'

What do you think? I am happy to see great conversations about security coming up on this community!