All product names, logos, and brands used in this post are property of their respective owners.
A unicorn of an MFA token (key) recently came into my possession. The mysterious device is called a “Gnubby.” It is physically a YubiKey 4 nano but with proprietary, Google firmware instead of Yubico firmware. The device is not manageable or configurable with Yubico tools and is purpose configured for only U2F (FIDO Universal 2nd Factor) authentication. I suspect Gnubbies were intended for Google internal use only, but they have made their way onto the public market (primarily eBay).
Once a device is factory-configured as a Gnubby (Google firmware), it is always a Gnubby (unless someone knows something I do not). The firmware on Yubico devices cannot be replaced or updated as a matter of security.
The Gnubby can be used as an MFA device with any service that supports WebAuthn, FIDO2, and/or U2F but that is all. It does not offer the swiss army knife of MFA options (OATH-TOTP, static passwords, challenge/response, etc.) like a traditional YubiKey.
Identifying a Gnubby (vs. a YubiKey 4 nano)
Since many versions of the Gnubby are the same form factor as the YubiKey 4 nano - it is difficult to tell them apart based on appearance alone. eBay sellers tend to struggle with this. That said, there are physical and technical indicators that differentiate the Gnubby and YubiKey 4:
Early versions of the Gnubby look very different from the YubiKey 4 nano. Thanks to Royce Williams for that detail.
Image by Google. Retrieved from Will tiny gadgets replace passwords? Google thinks so
At least some versions of the Gnubby have an “N” embossed on one of the contacts - the YubiKey 4 nano does not. Thanks to Royce Williams for that detail as well.
The Gnubby behaves like a YubiKey 4 nano (lights blink when inserted, touched, etc.) but is not detected by any Yubico tools (YubiKey Personalization Tool, YubiKey Manager, etc.).
In Device Manager (Windows), the Gnubby appears as a HID-compliant fido device (under Human Interface Devices) but does not appear as any of the following like a traditional YubiKey: Keyboards: HID Keyboard Device, Smart card readers: Microsoft Usbccid Smartcard Reader (WUDF), or Smart cards: Identity Device (NIST SP 800-73 [PIV])
Microsoft provides USBView in the Windows 10 SDK. This tool lists and queries all USB devices connected to a Windows system and provides detailed device information. In USBView, the Gnubby’s product name is “Yubico Gnubby (gnubby1)”.
Gnubby features and capabilities
The following is a shortened adaptation of Compare YubiKey 4 and NEO, but specific to the Gnubby and YubiKey 4 nano:
|Gnubby||YubiKey 4 nano|
|Size||12mm x 13mm x 3.1mm, 1g||12mm x 13mm x 3.1mm, 1g|
|CCID smart card|
In a way, the Gnubby can be a cheaper albeit unsupported and less-featured alternative to a Google Titan security key. It is certainly not a drop-in replacement for a YubiKey (unless you are only using the FIDO U2F functionality of a YubiKey). Procuring Gnubbies is also hit or miss. I suspect most folks end up with these in error when seeking used YubiKey nano tokens on eBay or other online retailers.