Here's a bit more thorough version of the comments I made on Twitter. There are a few misunderstandings in this post, which perhaps stem from poor documentation on Yubico’s behalf. The NEO has a few default modes (OTP, U2F) and then programmable modes through a JavaCard interface (e.g. PGP). One of these modes (Yubico OTP), which is what you encountered with the 44 character code, does actually generate unique codes. It's a bit deceiving because the first 12 chars aren’t as they ID your key. The remaining 32 characters are cryptographically signed counters that protect against replay attacks. Yubico have information on how this mode works at https://developers.yubico.com/OTP/OTPs_Explained.html It’s a completely proprietary 2FA method that relies on asking Yubico’s server (or an external server that has a copy of the Yubikey's crypto keys) if a key is valid. You can also use TOTP with a Yubikey but it's a bit tricky because it doesn’t have a clock/battery. TOTP relies on using the current timestamp to generate a code, so you need a helper app to supply current time to the Yubikey. U2F solves these two pain points (plus phishing) by having all the comms built into the browser, but support is very new and scarce. Hopefully it will grow in popularity and eliminate some of this complexity. It’s definitely way more durable than you’d think (I carry my Yubikey on my keys) and it's highly configurable (so the persistent LED + modes you don’t use can be disabled). https://www.yubico.com/products/services-software/personalization-tools/use/ I guess this is why they point to the no-frills U2F only key? Everything is self-configured with U2F so you don't have to worry about any of these different modes/settings/helper apps.