Which FIDO2 Keys Are Compatible with Delta?

Compatible devices, recommendations, and common errors

FIDO2 keys for Delta are the most reliable way to secure access to the combat situational awareness system of the Armed Forces of Ukraine. Delta uses multi-factor authentication (MFA), and a physical security key based on the FIDO2 standard is the most phishing-resistant method. This guide will help you choose a compatible key and prepare it for use.

You can have several FIDO2 keys. You can configure them on all personal devices where you use Delta. I recommend having a primary and a backup key.

A brief overview of FIDO2

The FIDO Alliance (Fast Identity Online) is an international association that develops standards for secure authentication. The alliance includes more than 250 members: Microsoft, Google, Apple, Amazon, Mastercard, VISA, PayPal, and others. That is why security keys are often simply called “FIDO keys” in the professional environment. The FIDO2 standard is recommended by NIST (the U.S. National Institute of Standards and Technology) and CISA (the U.S. Cybersecurity and Infrastructure Security Agency) as the only MFA method resistant to phishing.

How does the FIDO2 security standard work?

During registration in Delta, your key generates a cryptographic key pair tied to delta.mil.gov.ua:

• Private key — stored in a secure element chip inside the USB key itself. It cannot physically be read, even by the owner, and never leaves the key.
• Public key — transmitted to the Delta server during registration.

Why is this more secure than SMS / Google Authenticator? FIDO2 is cryptographically bound to the domain (delta.mil.gov.ua). If you land on a phishing website, the key will automatically refuse to sign because the domain does not match the original. Unlike SMS codes or TOTP apps, there is no shared secret that can be intercepted. In practice, this means that hostile phishing campaigns and fake Delta login pages immediately become useless — the key simply will not work on a foreign domain.

General recommendations

You can have several physical FIDO2 keys. I recommend registering both a primary and a backup key in Delta, so that you do not lose access in case the primary one is lost or damaged.

Compatible physical FIDO2 keys for Delta

Delta supports any hardware key with FIDO2/WebAuthn support. The widest compatibility is provided by the line of keys from Yubico.

YubiKey — the main lineup

What is the difference between Security Key and the YubiKey 5 series

Both lines are made by Yubico, both support FIDO2/WebAuthn, and both work equally reliably with Delta. The difference is in the set of additional protocols.

Security Key (Series) — the basic line. It supports only FIDO2 and FIDO U2F. This is enough to log in to Delta, Google, Microsoft, Facebook, Binance, and other services that work with the WebAuthn standard. This is the cheapest and simplest option if you need the key specifically for two-factor authentication.

YubiKey 5 (Series) — the extended line. In addition to FIDO2 and U2F, it adds:

• PIV (Smart Card) — for logging in to corporate systems, signing documents, and disk encryption (BitLocker, FileVault).
• OpenPGP — for signing and encrypting email, and for GPG commits in Git.
• OATH-TOTP/HOTP — one-time passwords (like in Google Authenticator), which are stored on the key rather than on the phone.
• Yubico OTP, Challenge-Response, Static Password — additional methods for specific scenarios.

What does NOT work with Delta

• YubiKeys with firmware below 5.7 — in September 2024, researchers from NinjaLab discovered a cryptographic vulnerability in the Infineon chips used in the YubiKey 5 series. The vulnerability theoretically allows the key to be cloned, but it requires physical access to the device, specialized equipment, and a significant amount of time. I recommend buying keys with firmware above 5.7. All keys on our website have exactly that firmware.
• Old keys with FIDO U2F only (without FIDO2/WebAuthn support) — Delta requires FIDO2 specifically. This applies to first-generation YubiKey U2F, Google Titan v1, and similar keys. Almost all modern keys support both standards.
• Outdated Bluetooth keys without WebAuthn CTAP2.

Preparing the key: setting up a PIN code

Before registering the key in Delta, you need to set a PIN code on it. The method depends on the platform.

On a computer (Windows, Linux, macOS)

On the desktop, no separate software is needed. When you use a new key in a browser (Chrome, Edge, Firefox) for the first time, the system will automatically prompt you to create a PIN. Just follow the browser’s instructions.

If you want to change the PIN or reset the key manually, install the Yubico Authenticator app (available for Windows, macOS, Linux) and go to Configuration → Manage PIN.

On Android

Same as on desktop: the PIN is set the first time the key is used in Chrome. Connect the key to your phone via USB-C (or a USB OTG adapter) and the browser will prompt you to create a PIN.

On iPhone / iPad (via Yubico Authenticator)

On iOS, you need to set the PIN in advance through the Yubico Authenticator app, because Safari and Chrome on iPhone do not always correctly initiate PIN creation when the key is first used.

1. Install Yubico Authenticator from the App Store.

2. Open the app, tap the “three dots” in the upper right corner, and go to “Configuration”.

3. Go to “Manage PIN”.

4. When the message appears on the screen, hold the key against the iPhone’s NFC module and keep it there until the “Ready to scan” notification disappears (usually 1–2 seconds).

5. Come up with a PIN code for the key and confirm it by tapping “Set”.

6. Hold the key against NFC again to write the PIN to the key.

The PIN code is set. Close Yubico Authenticator.

Registering the key in Delta

It contains step-by-step guides for all platforms: Windows, Linux, macOS, Android, and iOS. The instructions are maintained by the Delta team and always correspond to the current version of the system.

IMPORTANT:

• Setting up and using the key does not require force. Do not bend the key, do not wash it, and do not press the button with excessive force.
• During registration, the key must remain connected at all times. Do not unplug it until the process is successfully completed.
• I recommend using the Chrome browser on all platforms. Safari has limited support for external FIDO2 keys.
• On iPhone/iPad, key registration only works via NFC. Even on the latest versions of iOS, pairing does not work via USB-C/Lightning.
• Give each key a clear name, for example “YubiKey primary” or “YubiKey backup”.

Logging in with the key

After registering the key, logging in to Delta takes just a few seconds. The process is essentially the same on all platforms: enter your username and password, plug in the key, enter the PIN, and touch the button on the key.

Step-by-step instructions with screenshots for each platform are available in the official Delta guide.

Common errors and how to fix them

The key is not recognized

• Try a different USB port. Plug the key directly into the computer rather than through a USB hub or extension cable.
• Check the browser: Chrome or Edge is recommended. Firefox may require additional configuration (in the address bar, type about:config, find security.webauthn, and make sure the parameters are enabled).
• Update the USB drivers on the PC. Windows 7/8 may require additional software. On Windows 10/11, everything is usually pulled in automatically.
• On macOS: go to System Settings → Privacy & Security → make sure access to USB devices is not blocked.
• If you are using a USB-A → USB-C adapter (or vice versa), make sure it supports data transfer and not only charging.

The browser does not show the key dialog

• Make sure you are using an HTTPS connection (delta.mil.gov.ua always works over HTTPS).
• Close other tabs or programs that may be using the key at the same time (for example, Yubico Authenticator).
• Try restarting the browser or opening Delta in incognito mode.
• Check whether a browser extension (antivirus, VPN plugin, etc.) is blocking WebAuthn.

The PIN code is not accepted

• Make sure you are entering the PIN for the key, not the password for your account or phone.
• If you have not yet set a PIN on the key, the system will prompt you to create one on first use.
• After 8 unsuccessful PIN attempts, the key gets blocked. To unblock it, you need to perform a factory reset via Yubico Authenticator (note: all accounts registered on the key will be deleted).

The key works on the computer but not on the phone

• For USB-C: make sure your phone supports USB OTG (most modern Android devices do).
• For NFC: enable NFC in your phone’s settings and place the key against the correct area (usually the center or upper part of the back panel). Hold the key still for 2–3 seconds.
• On iPhone, NFC works only with iPhone 7 and newer models.

Physical security of the key

• Do not leave the key plugged into your laptop while transporting it. It may break or get lost.
• Do not bend the key, do not wash it, and do not press the button too hard. The YubiKey has an IP68 protection rating, but constant mechanical impact shortens its lifespan.
• Store it in a secure place, separately from the device it is bound to.

If the key is lost or damaged

• If you have registered a backup key, use it to log in.
• If you have backup recovery codes, use them.
• If you have neither the key nor the codes, contact your unit administrator or Delta support.
• That is exactly why I recommend always having two registered keys and storing the backup codes separately.

Conclusion

A FIDO2 key is the most reliable way to protect your Delta account. Unlike SMS codes or authenticator apps, a physical key cannot be intercepted remotely, and the cryptographic binding to the delta.mil.gov.ua domain automatically blocks phishing attacks.

The key works without an internet connection, without a battery, and without a mobile carrier. All you need is a device with a USB port or NFC. With a single key, you can protect not only Delta but also your email, social networks, and any other services that support the FIDO standard.

What to do right now:

1. Choose a key model from the table of compatible devices.
2. Buy two keys — a primary and a backup (if needed).
3. Set a PIN code (on iOS — through Yubico Authenticator, on other platforms — on first use in the browser).
4. Register both keys in Delta following the official instructions.
5. Save your backup codes in a secure place.

I hope the guide was clear. If you have any additional questions about using YubiKey keys, you can always reach out to our technical support.