Access every device.
Never see a credential.
A single YubiKey touch is the only credential a NOC engineer ever handles. Innovexus takes that one phishing-resistant authentication and turns it into the front door to your entire network, with the actual device passwords locked inside an AES-256 vault that the user never sees and that rotates on its own.
The Flow
Four layers. One key. Zero passwords in your hands.
From the moment you touch your YubiKey to the moment you're connected to a device, every step is designed to keep credentials out of your environment, and out of the reach of attackers.
Authenticate
Touch your YubiKey to sign into Innovexus
Discover
See only the devices your role permits
Broker
Vault fetches credentials you never see
Connect
Secure session opens, credentials stay hidden
One touch replaces every password you ever typed.
When a NOC engineer navigates to the Innovexus login page, they enter their username (resolved against either the local user database inside Innovexus or a federated directory via AD/LDAP) and touch the YubiKey plugged into their laptop. Behind the scenes, the browser issues a cryptographic challenge that includes the exact origin of the page. The YubiKey signs the challenge with a private key that never leaves its secure element, a physical chip inside the key that is not addressable by software.
There is no email to type, no code to enter, no push notification to approve, no SMS to intercept. If the origin is wrong by a single character, the key refuses to sign. Phishing stops at the cryptographic layer.
YUBICO
Hardware Key
Username
jmartinez
What the attacker sees
"Phishing page loaded, but the key refused to sign."
Core Router
Cisco ISR 4451 · 10.0.0.1
Edge Firewall
Palo Alto PA-850 · 10.0.0.2
Dist Switch
Juniper EX4300 · 10.0.0.3
Finance VLAN Switch
Restricted
Exec WiFi Controller
Restricted
You see what your role allows. Nothing more.
Once authenticated, the dashboard presents the inventory of network devices this user is permitted to manage. A NetOps Engineer sees the routers, switches, firewalls, and load balancers in their scope. The HR database router? The executive WiFi controller? Not on the list. Not discoverable. Not reachable.
RBAC is enforced at the API layer, not in the UI, so even an engineer who inspects the network traffic from the dashboard cannot surface devices outside their permissions. The server simply never returns them.
The credentials never touch your hands.
When you click Connect on a device, nothing happens in your browser except a request going out. The Innovexus server receives the request, checks your permissions, and fetches the device's actual credentials from an AES-256-GCM encrypted vault. The vault is keyed by an HSM-backed master key that the application servers cannot read directly.
Credentials are used for the duration of your session and are never rendered to your browser, written to your terminal history, or included in any log the user can read. And every 24 hours, the platform rotates them automatically: generating a fresh credential, pushing it to the device, confirming acceptance, and atomically updating the vault.
Automated Rotation
Every 24 hours by default. Rotation is triggered by the platform, confirmed by the device, and updated atomically in the vault. Failed rotations raise alerts rather than silently drifting.
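The rotation order described above (generate, push, confirm, then commit), as an added example that is not Innovexus code. `FakeDevice`, `rotate` and the dict used as a vault are constructed stand-ins; a real vault would hold AES-256-GCM ciphertext rather than plaintext values.

```python
import secrets

class FakeDevice:
    """Constructed stand-in for a device's credential-change interface."""
    def __init__(self, password: str, mode: str = "ok"):
        self.password, self.mode = password, mode

    def set_password(self, new: str) -> None:
        if self.mode == "reject":
            raise ConnectionError("device rejected change")
        if self.mode != "ignore":      # "ignore": accepts the call, applies nothing
            self.password = new

    def login_ok(self, candidate: str) -> bool:
        return secrets.compare_digest(self.password, candidate)

def rotate(vault: dict, name: str, device: FakeDevice, alerts: list) -> bool:
    """Generate, push, confirm, then commit. The vault record changes only
    after the device has proven it accepts the new credential."""
    current = vault[name]["active"]
    candidate = secrets.token_urlsafe(24)
    try:
        device.set_password(candidate)
    except OSError as exc:
        alerts.append(f"{name}: push failed ({exc}); vault unchanged")
        return False
    if not device.login_ok(candidate):
        alerts.append(f"{name}: device did not confirm new credential; vault unchanged")
        return False
    # One replacement of the whole record: readers see old or new, never a mix.
    vault[name] = {"active": candidate, "previous": current}
    return True

if __name__ == "__main__":
    vault = {"core-router-01": {"active": "old-pass", "previous": None}}
    alerts = []
    print(rotate(vault, "core-router-01", FakeDevice("old-pass"), alerts), alerts)
    print(rotate(vault, "core-router-01", FakeDevice("x", "reject"), alerts), alerts)
```

Committing only after confirmation is what keeps a failed rotation from leaving the vault holding a credential the device does not accept.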
Credential Vault
AES-256-GCM
Previous credential
Active credential
Rotated every 24 hours · User never sees either value
$ innovexus connect core-router-01
> Authorizing session...
> Resolving credentials from vault...
> Establishing SSH session...
> Connected to Core-Router-01 (10.0.0.1)
core-router-01#
Credentials
••••••••••••••••
You operate the device. You just never own the password.
The session opens in seconds. A fully interactive terminal, a live NETCONF channel, a CLI prompt: whatever the device expects. You run commands, push configs, inspect state, and troubleshoot exactly as you would through any jump host. The difference is that the credential in use was pulled from the vault by the platform, inserted into the protocol stream by the server, and will be forgotten the moment your session ends.
Meanwhile, the device itself is configured with an ACL that only accepts inbound connections from the Innovexus server's IP range. Even if a credential were somehow exposed, it would be unusable from any other origin. Zero-trust at the session layer, zero-knowledge at the human layer.
Why a YubiKey, Not a TOTP App
The keystone of the entire chain.
Every guarantee on this page (the vaulted credentials, the rotating passwords, the zero-trust ACLs) relies on one thing being unphishable: the initial login. That's the job a YubiKey does that nothing else can.
Origin-bound cryptography
The YubiKey signs challenges that include the exact origin of the site. Phishing pages cannot reproduce that origin, so the key refuses to authenticate to them: no user decision, no override.
Secure element, not software
Private keys are generated and stored inside a tamper-resistant hardware chip. No malware, no process dump, no memory inspection can extract them. They exist only on the physical device you hold.
Phish-proof by design
SMS, TOTP, and push notifications can all be relayed through an attacker-in-the-middle. A hardware key cannot. The origin check breaks the replay attack at the cryptographic layer.
Zero network dependency
No cloud service, no cellular signal, no battery. The key signs locally and works in air-gapped environments, during outages, and inside restricted networks where software MFA fails.
The YubiKey At Each Layer
Phase 1: Authenticate
The YubiKey IS the first factor. A compromised password is worthless without a physical touch on the key.
Phase 2: Discover
The session token issued after YubiKey auth is bound to your identity. Every RBAC check traces back to that hardware-validated login.
Phase 3: Broker
The vault will only release credentials for sessions authenticated at AAL3. A software authenticator does not qualify; a YubiKey does.
Phase 4: Connect
Every command you run inside a device session is attributable to a hardware-backed identity in the audit trail. No shared accounts, no ambiguity.
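The Discover and Broker rules described on this page (RBAC enforced at the API, vault release only for AAL3 sessions, credentials never returned to the client), as an added example that is not Innovexus code. The inventory, role map, session fields and the `vault_fetch` / `open_session` callables are hypothetical.

```python
import secrets

# Constructed inventory and role map; names and scopes are illustrative.
DEVICES = {
    "core-router-01": {"ip": "10.0.0.1", "scope": "netops"},
    "edge-fw-01": {"ip": "10.0.0.2", "scope": "netops"},
    "exec-wifi-01": {"ip": "10.0.9.1", "scope": "exec"},
}
ROLE_SCOPES = {"netops-engineer": {"netops"}}

class NotFound(Exception):
    """Raised for unknown AND out-of-scope devices, so callers cannot probe."""

class StepUpRequired(Exception):
    """Session was not authenticated at AAL3 (hardware key)."""

def _in_scope(session: dict, name: str) -> bool:
    dev = DEVICES.get(name)
    allowed = ROLE_SCOPES.get(session["role"], set())
    return dev is not None and dev["scope"] in allowed

def list_devices(session: dict) -> list:
    # Filtering happens here, on the server; the UI never receives the rest.
    return sorted(n for n in DEVICES if _in_scope(session, n))

def connect(session: dict, name: str, vault_fetch, open_session) -> dict:
    if not _in_scope(session, name):
        raise NotFound("no such device")       # identical for both cases
    if session.get("aal") != 3:
        raise StepUpRequired("hardware-key login required")
    secret = vault_fetch(name)                 # reached only after both checks
    open_session(DEVICES[name]["ip"], secret)  # secret is used server-side only
    # The client gets a session handle, never the credential itself.
    return {"device": name, "session_id": secrets.token_hex(8)}

if __name__ == "__main__":
    user = {"user": "jmartinez", "role": "netops-engineer", "aal": 3}
    print(list_devices(user))
    print(connect(user, "core-router-01", lambda n: "demo", lambda ip, s: None))
```

Returning the same error for an out-of-scope device as for a nonexistent one is what makes restricted devices undiscoverable rather than merely inaccessible.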
Hardware Catalog
Choose the right YubiKey for your environment.
Every key supports the same core protocols: FIDO2/WebAuthn, FIDO U2F, Yubico OTP, OATH-TOTP, OATH-HOTP, Smart card (PIV), and OpenPGP. The FIPS series adds NIST FIPS 140-2 validation for federal and regulated workloads.
Standard YubiKey 5 Series
For most teams
Yubico YubiKey 5 NFC
$75
USB-A + NFC · FIDO Certified
Multi-Factor Authentication (MFA) Security Key and passkey. Connect via USB-A or NFC. FIDO Certified.
Yubico YubiKey 5C NFC
$75
USB-C + NFC · FIDO Certified
Multi-Factor Authentication (MFA) Security Key and passkey. Connect via USB-C or NFC. FIDO Certified.
YubiKey 5 FIPS Series
NIST 140-2 validated
NIST Certification · FIPS 140-2 Validated
The YubiKey 5 FIPS Series is validated under FIPS 140-2 at Overall Level 2 with Physical Security Level 3, the certification federal agencies, CJIS-regulated organizations, CMMC-compliant defense contractors, and FedRAMP-authorized cloud providers require for hardware-based authenticators.
FIPS 140-2 Level 2
Cryptographic module validation
Physical Security L3
Tamper-evidence and response
NIST 800-63B AAL3
Highest authenticator assurance
Yubico YubiKey 5 NFC FIPS
$110
FIPS 140-2 validated Multi-Factor Authentication key. Connect via USB-A or NFC. For government and regulated organizations.
Yubico YubiKey 5C NFC FIPS
$110
FIPS 140-2 validated Multi-Factor Authentication key. Connect via USB-C or NFC. For government and regulated organizations.
Yubico YubiKey 5C FIPS
$120
FIPS 140-2 validated Multi-Factor Authentication key. USB-C connector, no NFC. Rugged keychain form factor.
Yubico YubiKey 5 Nano FIPS
$120
FIPS 140-2 validated nano-form-factor key designed to stay in your USB-A port for permanent, always-on hardware authentication.
Yubico YubiKey 5C Nano FIPS
$120
FIPS 140-2 validated nano-form-factor key designed to stay in your USB-C port for permanent, always-on hardware authentication.
Nano form factor
The "nano" keys are designed to stay seated in your USB port permanently, delivering always-on hardware authentication without a keychain to lose.
Versatile compatibility
Works with Google, Microsoft, identity providers, password managers, and hundreds of other services across Windows, macOS, Chrome OS, Linux, Chrome, and Edge.
Multi-protocol
FIDO2/WebAuthn (hardware-bound passkey), FIDO U2F, Yubico OTP, OATH-TOTP, OATH-HOTP, Smart card (PIV), and OpenPGP, all on one physical key.
Durable and reliable
Resistant to tampering, water, and crushing. No batteries, no network dependency. Securely manufactured in the USA and Sweden.
Ready to operate without handling a single credential?
Start a 5-day free trial or go directly to checkout. Hardware keys can be added to any subscription at purchase time.