What is the Google (Yubico) Gnubby security key/token?


All product names, logos, and brands used in this post are property of their respective owners.

A unicorn of an MFA token (key) recently came into my possession. The mysterious device is called a “Gnubby.” It is physically a YubiKey 4 nano but with proprietary Google firmware instead of Yubico firmware. The device is not manageable or configurable with Yubico tools and is purpose-configured for U2F (FIDO Universal 2nd Factor) authentication only. I suspect Gnubbies were intended for Google internal use only, but they have made their way onto the public market (primarily eBay).

Diagram comparing the capabilities of the Google Gnubby firmware vs. the traditional YubiKey nano firmware

Once a device is factory-configured as a Gnubby (Google firmware), it is always a Gnubby (unless someone knows something I do not). The firmware on Yubico devices cannot be replaced or updated as a matter of security.

The Gnubby can be used as an MFA device with any service that supports WebAuthn, FIDO2, and/or U2F, but that is all. It does not offer the Swiss Army knife of MFA options (OATH-TOTP, static passwords, challenge/response, etc.) that a traditional YubiKey does.

Identifying a Gnubby (vs. a YubiKey 4 nano)

Since the Gnubby has the same form factor as the YubiKey 4 nano, it is difficult to tell them apart based on appearance alone. eBay sellers tend to struggle with this. That said, there are technical indicators that differentiate the Gnubby from the YubiKey 4:

  • The Gnubby behaves like a YubiKey 4 nano (lights blink when inserted, touched, etc.) but is not detected by any Yubico tools (YubiKey Personalization Tool, YubiKey Manager, etc.).

    Screenshot of “No YubiKey Inserted” error message in YubiKey Personalization Tool

  • In Device Manager (Windows), the Gnubby appears as a HID-compliant fido device (under Human Interface Devices) but, unlike a traditional YubiKey, does not appear as any of the following: Keyboards: HID Keyboard Device; Smart card readers: Microsoft Usbccid Smartcard Reader (WUDF); or Smart cards: Identity Device (NIST SP 800-73 [PIV]).

    Side by side comparison of Device Manager highlighting the differences between the Gnubby and a YubiKey 4

  • Microsoft provides USBView in the Windows 10 SDK. This tool lists and queries all USB devices connected to a Windows system and provides detailed device information. In USBView, the Gnubby’s product name is “Yubico Gnubby (gnubby1)”.

    Side by side comparison of USBView highlighting the differences between the Gnubby and a YubiKey 4
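
The indicators above can be checked programmatically when sorting a batch of used tokens. The following is an added example, not code from the original post: it walks a raw USB configuration descriptor (the structure USBView displays) and combines the interface classes with the product string. The sample descriptors and the second product string are constructed, and the assumption that the keyboard interface declares the HID boot-keyboard protocol is mine.

```python
HID, CCID = 0x03, 0x0B  # USB-IF interface class codes

def interfaces(config: bytes):
    """Yield (class, subclass, protocol) for each interface descriptor."""
    i = 0
    while i + 2 <= len(config):
        length, dtype = config[i], config[i + 1]
        if length < 2 or i + length > len(config):
            raise ValueError(f"malformed descriptor at offset {i}")
        if dtype == 0x04 and length >= 9:  # bDescriptorType 4 = interface
            yield tuple(config[i + 5:i + 8])
        i += length  # skip config, HID, endpoint and other descriptors

def classify(product: str, config: bytes) -> str:
    found = set()
    for cls, sub, proto in interfaces(config):
        if cls == CCID:
            found.add("ccid")  # smart card reader
        elif cls == HID and (sub, proto) == (1, 1):
            found.add("keyboard")  # assumed: boot-protocol keyboard
        elif cls == HID:
            found.add("hid-other")  # the FIDO HID interface lands here
    if "gnubby" in product.lower():
        return "gnubby"  # product string shown by USBView
    if found == {"hid-other"}:
        return "fido-only"  # consistent with a Gnubby; confirm the string
    if found & {"keyboard", "ccid"}:
        return "yubikey-like"
    return "unknown"

def make_iface(n: int, cls: int, sub: int, proto: int) -> bytes:
    """Constructed interface descriptor followed by one endpoint descriptor."""
    endpoint = bytes([7, 0x05, 0x81 + n, 0x03, 64, 0, 5])
    return bytes([9, 0x04, n, 0, 1, cls, sub, proto, 0]) + endpoint

def make_config(*ifaces: bytes) -> bytes:
    body = b"".join(ifaces)
    total = (9 + len(body)).to_bytes(2, "little")
    return bytes([9, 0x02]) + total + bytes([len(ifaces), 1, 0, 0x80, 15]) + body

# Constructed samples: a FIDO-only device and an OTP + FIDO + CCID composite.
GNUBBY_CFG = make_config(make_iface(0, HID, 0, 0))
YK4_CFG = make_config(make_iface(0, HID, 1, 1), make_iface(1, HID, 0, 0),
                      make_iface(2, CCID, 0, 0))

if __name__ == "__main__":
    print(classify("Yubico Gnubby (gnubby1)", GNUBBY_CFG))
    print(classify("Constructed YubiKey 4 string", YK4_CFG))
```

A "fido-only" result with no matching product string is not conclusive on its own, which is why the product string is checked first.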

Gnubby features and capabilities

The following is a shortened adaptation of Compare YubiKey 4 and NEO, but specific to the Gnubby and YubiKey 4 nano:

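| Feature | Gnubby | YubiKey 4 nano |
| --- | --- | --- |
| Size | 12mm x 13mm x 3.1mm, 1g | 12mm x 13mm x 3.1mm, 1g |
| Static passwords | No | Yes |
| Yubico OTP | No | Yes |
| OATH-HOTP | No | Yes |
| OATH-TOTP | No | Yes |
| Smart card | No | Yes |
| OpenPGP | No | Yes |
| FIDO U2F | Yes | Yes |
| FIDO2 | No | No |
| USB-A | Yes | Yes |
| USB-C | No | No |
| NFC | No | No |
| HID keyboard | No | Yes |
| CCID smart card | No | Yes |
| FIDO HID | Yes | Yes |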

Closing thoughts

In a way, the Gnubby can be a cheaper, albeit unsupported and less-featured, alternative to a Google Titan security key. It is certainly not a drop-in replacement for a YubiKey (unless you are only using the FIDO U2F functionality of a YubiKey). Procuring Gnubbies is also hit or miss. I suspect most folks end up with these in error when seeking used YubiKey nano tokens on eBay or other online retailers.