All product names, logos, and brands used in this post are property of their respective owners.
A unicorn of an MFA token (key) recently came into my possession. The mysterious device is called a “Gnubby.” It is physically a YubiKey 4 nano but with proprietary Google firmware instead of Yubico firmware. The device is not manageable or configurable with Yubico tools and is purpose-configured for only U2F (FIDO Universal 2nd Factor) authentication. I suspect Gnubbies were intended for Google internal use only, but they have made their way onto the public market (primarily eBay).
Once a device is factory-configured as a Gnubby (Google firmware), it is always a Gnubby (unless someone knows something I do not). The firmware on Yubico devices cannot be replaced or updated as a matter of security.
The Gnubby can be used as an MFA device with any service that supports WebAuthn, FIDO2, and/or U2F, but that is all. It does not offer the Swiss Army knife of MFA options (OATH-TOTP, static passwords, challenge/response, etc.) that a traditional YubiKey does.
Identifying a Gnubby (vs. a YubiKey 4 nano)
Since many versions of the Gnubby have the same form factor as the YubiKey 4 nano, it is difficult to tell them apart based on appearance alone. eBay sellers tend to struggle with this. That said, there are physical and technical indicators that differentiate the Gnubby and YubiKey 4:
- Early versions of the Gnubby look very different from the YubiKey 4 nano. Thanks to Royce Williams for that detail.
  Image by Google. Retrieved from "Will tiny gadgets replace passwords? Google thinks so".
- At least some versions of the Gnubby have an “N” embossed on one of the contacts - the YubiKey 4 nano does not. Thanks to Royce Williams for that detail as well.
- The Gnubby behaves like a YubiKey 4 nano (lights blink when inserted, touched, etc.) but is not detected by any Yubico tools (YubiKey Personalization Tool, YubiKey Manager, etc.).
- In Device Manager (Windows), the Gnubby appears as a HID-compliant fido device (under Human Interface Devices) but does not appear as any of the following like a traditional YubiKey: Keyboards: HID Keyboard Device, Smart card readers: Microsoft Usbccid Smartcard Reader (WUDF), or Smart cards: Identity Device (NIST SP 800-73 [PIV]).
- Microsoft provides USBView in the Windows 10 SDK. This tool lists and queries all USB devices connected to a Windows system and provides detailed device information. In USBView, the Gnubby’s product name is “Yubico Gnubby (gnubby1)”.
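The Device Manager and USBView indicators above can be checked programmatically from a device's USB descriptors. The following is an added example, not code from the original post: it parses a HID report descriptor to find the top-level usage and classifies a token from its interfaces and product string. The function names and sample descriptor bytes are constructed for illustration; it assumes the FIDO HID usage page 0xF1D0 and the standard USB class codes for HID (0x03) and CCID (0x0B).

```python
# Added example. Descriptor bytes are constructed samples, not captured from hardware.
FIDO_PAGE = 0xF1D0              # FIDO Alliance HID usage page
KEYBOARD = (0x01, 0x06)         # Generic Desktop page, Keyboard usage
USB_HID, USB_CCID = 0x03, 0x0B  # USB interface class codes

def top_level_usage(desc: bytes):
    """Return (usage_page, usage) in effect at the first Collection item."""
    page = usage = None
    i = 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:                      # long item: prefix, size, tag, data
            if i + 1 >= len(desc):
                raise ValueError("truncated long item")
            i += 3 + desc[i + 1]
            continue
        size = (0, 1, 2, 4)[prefix & 0x03]      # short item data length
        data = desc[i + 1:i + 1 + size]
        if len(data) != size:
            raise ValueError("truncated short item")
        value = int.from_bytes(data, "little")
        tag = prefix & 0xFC
        if tag == 0x04:                         # Global: Usage Page
            page = value
        elif tag == 0x08:                       # Local: Usage
            usage = value
        elif tag == 0xA0:                       # Main: Collection
            return page, usage
        i += 1 + size
    raise ValueError("no Collection item found")

def classify(product: str, interfaces):
    """interfaces: list of (usb_class, hid_report_descriptor or None)."""
    seen = set()
    for usb_class, desc in interfaces:
        if usb_class == USB_CCID:
            seen.add("ccid")
        elif usb_class == USB_HID and desc:
            page, usage = top_level_usage(desc)
            if page == FIDO_PAGE:
                seen.add("fido")
            elif (page, usage) == KEYBOARD:
                seen.add("keyboard")
    if seen == {"fido"}:
        # FIDO-only is not unique to the Gnubby; the product string decides.
        return "gnubby" if "gnubby" in product.lower() else "fido-only"
    return "multi-function" if "fido" in seen else "unknown"

FIDO_DESC = bytes.fromhex("06d0f10901a101c0")   # usage page 0xF1D0, usage 0x01
KBD_DESC = bytes.fromhex("05010906a101c0")      # Generic Desktop / Keyboard
```

A FIDO-only interface set alone does not prove a device is a Gnubby, which is why the product string reported in USBView is used as the deciding indicator.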
Gnubby features and capabilities
The following is a shortened adaptation of "Compare YubiKey 4 and NEO", but specific to the Gnubby and YubiKey 4 nano:
 | Gnubby | YubiKey 4 nano |
---|---|---|
Size | 12mm x 13mm x 3.1mm, 1g | 12mm x 13mm x 3.1mm, 1g |
Static passwords | ||
Yubico OTP | ||
OATH-HOTP | ||
OATH-TOTP | ||
Smart card | ||
OpenPGP | ||
FIDO U2F | ||
FIDO2 | ||
USB-A | ||
USB-C | ||
NFC | ||
HID keyboard | ||
CCID smart card | ||
FIDO HID |
Closing thoughts
In a way, the Gnubby can be a cheaper, albeit unsupported and less-featured, alternative to a Google Titan security key. It is certainly not a drop-in replacement for a YubiKey (unless you are only using the FIDO U2F functionality of a YubiKey). Procuring Gnubbies is also hit or miss. I suspect most folks end up with these in error when seeking used YubiKey nano tokens on eBay or other online retailers.