Incident Report for Yubico
A year ago, we moved all YubiOTP validation API servers behind one common endpoint, introducing a modernized, cloud-based, YubiOTP validation service to improve reliability and scalability. As a result, customers no longer need to call multiple endpoints; instead, we recommend  implementing Yubico OTP support in applications using an HTTP GET request to

In order to direct YubiCloud clients to the closest location, domain names pointing to the new service are geolocated to the closest endpoint to the requestor. If you have not done so already, we recommend configuring your clients to point to our servers via the domain name.

Refer to this status post from 2019 to ensure you have updated your configurations:

The Yubico legacy client libraries in PHP, C, .NET, Perl, and Java on Github will be archived; they will not be updated to call the new endpoint. Their main benefit was to abstract the calling of multiple YubiCloud endpoints from client applications. This is no longer necessary and actually makes resulting client applications use the backwards-compatible legacy interface for YubiCloud, which is a sub-optimal solution for our customers.
By implementing the one HTTP GET call directly in client applications, customers no longer need to take a dependency on a 3rd party library in their solutions.

How to generate and verify signatures and how to construct an HTTP GET call to verify OTPs and what responses you need to handle is outlined in the Yubico OTP Validation Protocol Version 2.0 that can be found on  
For more recent (and older) updates, please scroll through
Posted Apr 16, 2021 - 06:30 UTC