YubiKey Bio and FIDO2

The YubiKey Bio Series - FIDO Edition supports all FIDO2 scenarios supported by the YubiKey 5 Series and the Security Key Series. It can be used in both passwordless and second-factor authentication scenarios. In both, the fingerprint is used in lieu of the PIN, much as biometrics are used on a smartphone. There are, however, scenarios in which the PIN is required: enrolling or otherwise managing fingerprints, just as on a smartphone, and falling back after failed fingerprint matches. During authentication, the only opportunity to enter the PIN comes after 3 unsuccessful attempts at matching a fingerprint with an enrolled finger, after which the key falls back to the PIN.

Discoverable Credentials

FIDO2 offers the same high level of security as FIDO U2F, since both are based on public key cryptography. In addition to phishing-resistant two-factor authentication, the FIDO2 application on the YubiKey can store discoverable credentials. (Fingerprint templates are not discoverable credentials.) Keys in the YubiKey Bio Series hold up to 25 discoverable credentials. To manage them, see Credential Management.

FIDO2 PIN

The FIDO2 PIN is necessary for:

  • Enrolling fingerprints
  • Managing enrolled fingerprints
  • Fallback after failing to match a fingerprint with an enrolled template

The FIDO2 PIN must be at least 4 characters long and at most 63 bytes of UTF-8, the limit set by CTAP2 (a multi-byte character counts as more than one byte). For more information, see https://support.yubico.com/hc/en-us/articles/4402836718866-Understanding-YubiKey-PINs

  • There is no PIN set by default

  • Once a FIDO2 PIN is set, it can be changed but it cannot be removed other than by resetting the FIDO2 application.

  • If the FIDO2 PIN is entered incorrectly 3 times in a row, the key must be reinserted before it will accept further PIN entry attempts (reinserting "reboots" the key).

  • To see the number of retries remaining, use YubiKey Manager and navigate to Applications > FIDO2, or run ykman fido info on the command line.

  • If the PIN is entered incorrectly a total of 8 times in a row (3, reinsert, 3, reinsert, 2), the FIDO2 application is locked and FIDO2 authentication is no longer possible.

  • To restore the FIDO2 functionality, the FIDO2 application must be reset.

    Note

    Resetting the FIDO2 application will also reset the U2F application. No site you have registered the YubiKey with using U2F will work until the YubiKey is re-registered with that site.
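The PIN rules and the retry behaviour described above, as an added offline model (not Yubico code). The length rules are CTAP2's: at least 4 Unicode code points, at most 63 bytes of UTF-8, zero-padded to 64 bytes before the platform encrypts it for the key. The counters follow this page: 8 PIN retries in total, a reinsert after every 3 consecutive failures, and 3 fingerprint attempts before the key falls back to the PIN. The class, method names and return strings are invented for the illustration; the sample PINs are constructed.

```python
"""Offline model of the CTAP2 PIN rules and the YubiKey Bio retry behaviour.

Added illustration, not Yubico code. PIN length rules come from CTAP2; the
retry counters follow the YubiKey Bio documentation. Class, method names and
return strings are invented for this illustration.
"""
import hmac

PIN_MIN_CODE_POINTS = 4
PIN_MAX_BYTES = 63
PIN_PADDED_LEN = 64


def encode_pin(pin: str) -> bytes:
    """Validate a PIN as CTAP2 requires and zero-pad it to 64 bytes.

    The limit is in bytes, not characters: 63 ASCII digits fit, but 32
    two-byte characters (64 bytes of UTF-8) do not.
    """
    if len(pin) < PIN_MIN_CODE_POINTS:
        raise ValueError("PIN must be at least 4 characters")
    raw = pin.encode("utf-8")
    if len(raw) > PIN_MAX_BYTES:
        raise ValueError("PIN must be at most 63 bytes of UTF-8")
    return raw.ljust(PIN_PADDED_LEN, b"\x00")


def pin_is_valid(pin: str) -> bool:
    try:
        encode_pin(pin)
        return True
    except ValueError:
        return False


class BioKeyState:
    """PIN and fingerprint counters of a YubiKey Bio, as the text describes."""

    PIN_RETRIES = 8       # consecutive wrong PINs before the FIDO2 application locks
    PER_POWER_CYCLE = 3   # wrong PINs accepted before the key must be reinserted
    UV_RETRIES = 3        # fingerprint mismatches before fallback to the PIN

    def __init__(self, pin: str) -> None:
        self._pin = encode_pin(pin)
        self.pin_retries = self.PIN_RETRIES
        self.uv_retries = self.UV_RETRIES
        self._failures_this_cycle = 0
        self.locked = False

    def power_cycle(self) -> None:
        """Reinserting the key clears the per-insertion block, not the total."""
        self._failures_this_cycle = 0

    def try_fingerprint(self, matches: bool) -> str:
        """Returns 'ok', 'retry', 'bio-blocked' (use the PIN now) or 'locked'."""
        if self.locked:
            return "locked"
        if self.uv_retries == 0:
            return "bio-blocked"
        if matches:
            self.uv_retries = self.UV_RETRIES
            return "ok"
        self.uv_retries -= 1
        return "bio-blocked" if self.uv_retries == 0 else "retry"

    def try_pin(self, candidate: str) -> str:
        """Returns 'ok', 'retry', 'needs-reinsert' or 'locked'."""
        if self.locked:
            return "locked"
        if self._failures_this_cycle >= self.PER_POWER_CYCLE:
            return "needs-reinsert"   # refused, and not counted, until reinserted
        if hmac.compare_digest(encode_pin(candidate), self._pin):
            # A correct PIN restores both counters and unblocks the fingerprint.
            self.pin_retries = self.PIN_RETRIES
            self.uv_retries = self.UV_RETRIES
            self._failures_this_cycle = 0
            return "ok"
        self.pin_retries -= 1
        self._failures_this_cycle += 1
        if self.pin_retries == 0:
            self.locked = True        # only a FIDO2 reset recovers from here
            return "locked"
        if self._failures_this_cycle >= self.PER_POWER_CYCLE:
            return "needs-reinsert"
        return "retry"
```

The point of the model is the bound it makes visible: an attacker holding the key gets at most 8 PIN guesses in total, must physically reinsert it after every 3, and a correct PIN is the only thing that unblocks the fingerprint sensor short of a reset.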

FIDO2 Credentials

Discoverable credentials can be used for passwordless authentication or for two-factor authentication. In both scenarios the credentials can be protected by the FIDO2 PIN; on a YubiKey Bio, a fingerprint can be used in lieu of the PIN provided that fingerprints have been enrolled and that the key is not in the biometrics blocked state (entered after 3 consecutive failed fingerprint matches).

User Verification

The YubiKey Bio implements always-on user verification (the CTAP 2.1 alwaysUv option): every credential operation requires a fingerprint match or the PIN.

The user verification requirement asks for proof that the person authenticating is the same user who set the PIN, enrolled the fingerprints, and registered the key with the application or service (the Relying Party, or RP). For more information about user verification, see User Presence vs User Verification.

Because the key verifies the user on every operation, a relying party that sets userVerification to discouraged still gets a fingerprint (or PIN) prompt. The resulting user experience is not optimal unless the platform has implemented CTAP 2.1, which lets it discover the alwaysUv setting and prompt accordingly. See Multifactor Authentication (MFA).

Credential Management

If you decide to stop using a site or service, you can delete its discoverable credential. This frees up space on the YubiKey Bio, which holds up to 25 such credentials.

To view the discoverable credentials on your YubiKey and delete them selectively, use the Yubico Authenticator for Desktop version 5.1.0 and above.

For more information on credentials in general, and on managing them in particular, see Enhancements to FIDO 2 Support.

For more developer-oriented information on this, see Discoverable Credentials / Resident Keys on Yubico’s developer site.

Supported Extensions

Of the extensions defined by the W3C Web Authentication API specification, the YubiKey Bio supports only the AppID extension (appid). This extension allows U2F credentials registered through the legacy FIDO JavaScript APIs to be used with WebAuthn. In practice, if you registered a YubiKey Bio on a website while it used U2F and that website later upgrades to FIDO2, the previously registered U2F credentials continue to work. Note that an assertion made through the extension is bound to the legacy AppID rather than to the WebAuthn rpId, so the server must verify it against the right one.
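What a relying party does with this on the server side, as an added example (not Yubico's code and not any library's API). It serves both the User Verification section and the appid extension above: it parses the fixed 37-byte prefix of WebAuthn authenticatorData (rpIdHash, flags, signCount), requires the UV flag that an alwaysUv key always sets, and, when the browser's getClientExtensionResults().appid is true, compares rpIdHash against SHA-256 of the legacy AppID instead of SHA-256 of the rpId. The function names, the test-vector builder and the identifiers example.com / https://example.com are assumptions constructed for the illustration.

```python
"""Relying-party checks on the authenticatorData a YubiKey Bio returns.

Added illustration, not Yubico's or any library's code. Function names,
the test-vector builder and the sample identifiers are constructed here.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

FLAG_UP = 0x01   # user present
FLAG_UV = 0x04   # user verified (PIN or fingerprint)


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_auth_data(data: bytes) -> AuthData:
    """Split the fixed prefix; attested credential data and extensions follow it."""
    if len(data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    (sign_count,) = struct.unpack(">I", data[33:37])
    return AuthData(rp_id_hash=bytes(data[:32]), flags=data[32], sign_count=sign_count)


def check_assertion(data: bytes, rp_id: str, app_id: Optional[str],
                    appid_ext_result: bool, require_uv: bool = True) -> Tuple[bool, str]:
    """Return (ok, reason); on success the reason names the identifier bound.

    appid_ext_result is the browser's getClientExtensionResults().appid:
    True means the authenticator signed for the legacy AppID.
    """
    ad = parse_auth_data(data)
    if not ad.flags & FLAG_UP:
        return False, "user presence flag not set"
    if require_uv and not ad.flags & FLAG_UV:
        # A YubiKey Bio is alwaysUv, so a missing UV flag is unexpected
        # for this authenticator and worth rejecting.
        return False, "user verification flag not set"
    if appid_ext_result:
        if app_id is None:
            return False, "appid reported but no AppID was requested"
        expected, bound = hashlib.sha256(app_id.encode()).digest(), "appid"
    else:
        expected, bound = hashlib.sha256(rp_id.encode()).digest(), "rpId"
    if not hmac.compare_digest(ad.rp_id_hash, expected):
        return False, f"rpIdHash does not match {bound}"
    return True, bound


def make_auth_data(identifier: str, flags: int, sign_count: int) -> bytes:
    """Constructed test vector: the 37-byte prefix an authenticator would emit."""
    return (hashlib.sha256(identifier.encode()).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))
```

The two hashes are deliberately kept separate: a server that accepts either hash unconditionally, rather than only when the browser reports that the extension was used, lets a credential scoped to one origin answer for the other. Signature verification over authenticatorData || SHA-256(clientDataJSON) is unchanged by the extension and is left to the usual WebAuthn library.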

Note

Developers: For AAGUID values, see YubiKey Hardware FIDO2 AAGUIDs.
