Yubico Forum

What should we take as economic life span for Yubikey 4's?

Taken formally it would be the time the manufacturer warrants proper functioning, so 1 year. That would mean that business cases that utilize this, have to replace ALL keys after that 1 year. Somehow that doesn't seem correct.

Any ideas or even better formal statements on economic life span?

Well as a user who has watched several Yubico videos and webcasts or what ever they are. They are solid state, have no moving parts and I have heard them say on more than one occasion that even the very original Yubikeys that were first created have not died en-mass. My own Yubikey with firmware v2.2.2 I have had since 2011 and it still works. Granted, I have not used it every single day for the last several years but I had used it quite a bit for static password and windows login capacities.

It still works as good as the day I bought it, well, for the capabilities it has since it's an older model. I only bought the new Yubikey 4 to experiment with making more use of a Yubikey such as windows login, PGP encryption and signing, Yubico one time passwords and the time based ones you normally use the google authenticator for which I have several programmed into my YK4.

However, I have my PGP key backed up securely and I have added the same secret key challenge-response to my old Yubikey so that I can still loginto windows if my new one were to get hit by a meteor and be destroyed (because I think that is what it would take to break these things...)

EDIT:
Speaking of life span, what is the limit of the counter on Yubikey 4 OTP? Years ago I recall reading somewhere that they rolled around once they reached the limit and essentially were useless because everything would be a replay or what ever because the "new" lower counts had already been seen. How is this handled? If I use my Yubikey 1000 times day, will the built in factory OTP in slot 1 just stop validating at some point?

The Idea of how they handle counters is intresting so let's see.

https://developers.yubico.com/OTP/Speci ... tocol.html

according to spec we have 2 counters.

a session counter (I call it SC for now) which goes up each time you plug this thing in and use it for the first time.
and a session use counter (UC) which goes up each touch but resets when the key loses power.

now we have 8 bit (1 byte) for UC meaning 256 uses on each power cycle maximum until the key either has a problem or just ups the session counter.
problem is we have 16 bit (2 byte) for SC, which means we have just 65536 sessions at maximum until we have a problem.

now if you use the yubikey 8 times a day for yubi-OTP and pull it out each time, we have about 22 and half a year to spend. now if you would do that a hundred times each day (each quarter of an hour) it's over in 1 year and 9 and a half months, although that is far from realistic.

if you happen to use it a thousand times on a day on the same device, you are gonna need 4 sessions (almost 45 years of life) so that's gonna last a while, although I think just using one 4 or even 3 byte (16 million) counter would have been nicer instead of this session/use counter system, as this is dropping a lot of numbers. with 3 bytes as counter and not dropping any numbers for the 1000 tries per day you have almost 46 years.

This observation is purely anecdotal.

I had a pair of earlier Yubikeys ... and purchased a pair of "4s" as soon as they became available in late 2015.

(And FWIW those earlier keys STILL are in-service as backups themselves)

As to "new" 4s ... one is kept in a drawer as a "alternate" ... while my Primary has been on a keyring along w/ nine (9) metal keys ... bouncing around every day in my pants pocket for two years ... along w everything else which tends to end up in pockets (loose change, small hand-tools, etc).

While it's never been thru the washer+dryer; nor has it been left out exposed to the direct sun and weather ...

... it IS still performing daily after a non-stop dose of reasonably-expected "wear-and-tear" over a 2-year period.