How the YubiKey Bio Works

For the full technical explanation of this from a developer perspective, start with Yubico’s WebAuthn Developer Guide.

Note

In the following, “credentials” will be referenced repeatedly. There are different kinds of credentials. To pursue all the distinctions, consult the FIDO2 page on the FIDO Alliance web site.

Enrollment

Before you can start using the YubiKey Bio with services and applications, you need to first set a FIDO2 PIN and then enroll at least one fingerprint. The YubiKey Bio needs to have the PIN as a fallback in case it cannot recognize your fingerprint.

Although there are two FIDO applications on the YubiKey Bio, namely FIDO2 and U2F, it is the FIDO2 PIN that is required as fallback for both. The PIN is not associated with any site. When the fingerprint does not work and the key falls back to the PIN, it is the key that needs the PIN for authentication to all sites, including U2F sites (even though U2F has no concept of PIN). With fallback to PIN, it is easy if the user is authenticating to a WebAuthn/FIDO2 site, because the browser/client app can prompt for the PIN. Otherwise the user must unblock biometrics by using either:

The “working” of the fingerprint is described in the following. For information on how and why the fingerprint might not “work”, see Tips.

Risk Mitigation

To mitigate the risk of being shut out of your account or service, it is always advised to register a second YubiKey. For more information, see https://www.yubico.com/spare/.

Fingerprints and Templates

An enrolled fingerprint is stored on the YubiKey Bio not as an image, but in the form of a template, similar to a one-way hash. It is not possible to recreate an image of a fingerprint from a template, nor does the template ever leave the YubiKey.

After enrollment, each time you apply your fingertip to the fingerprint sensor, the key tries to match the fingerprint against the template stored on the key.

Parties Involved in Registration and Authentication

Closely related to Requirements: Platform and Browser Compatibility, registering and authenticating with a YubiKey Bio to an app or a service that supports WebAuthn or U2F involves several parties:

  • The user (with their fingerprints and knowledge of the PIN)
  • The YubiKey Bio
  • The FIDO2 application or the U2F application on the YubiKey Bio
  • The FIDO2/WebAuthn or U2F-supporting browser or client
  • The service or app

All these work together. For example, if your YubiKey does not work as expected, you might be using a browser or an app that does not support FIDO2 security keys.

Registration

Registration of a YubiKey Bio with a site, service, or application is the same as for other YubiKeys.

Authentication

Depending on the protocol supported by the site or service, there are several possible user experiences (scenarios). These are described below.

User Experiences

The user experience with the YubiKey Bio is dictated by a combination of the site or service that the user is authenticating against and the browser or client. Different service and client combinations will yield different results. The user experiences are determined by the different options for developers implementing FIDO2 with the WebAuthn and CTAP protocols. Please note that the following descriptions of user scenarios are only high-level overviews. The experiences will change every time the various forms of support change.

Passwordless

This scenario provides the best user experience by enabling a passwordless flow backed by strong authentication. To achieve it, discoverable credentials must be used. When the user authenticates to the site or service,

  1. The client or browser prompts the user to insert the YubiKey.
  2. The client makes a request to the YubiKey to see if any credentials on the key have been registered for use with this site or service.
  3. If the right credentials are found, the client or browser prompts the user to apply their fingertip to the YubiKey Bio’s sensor.
    • If the fingerprint match is successful, the appropriate response is sent to the client or browser to complete authentication.
    • If the fingerprint match is unsuccessful three times in a row, the client or the browser prompts instead for the PIN. After correctly inputting the PIN, the user is then prompted to touch the key to prove presence (as opposed to verifying identity). In this situation, the YubiKey Bio behaves like any other key in the YubiKey 5 Series.

Multifactor Authentication (MFA)

When a user authenticates to the site or service,

  1. The client or browser prompts the user to enter their username and password. These are what the server uses to identify the user and determine whether they have registered.
  2. If username and password match the server’s records, the site or service prompts the user for an additional form of identification to prove their identity. This is called multifactor authentication.
  3. The user proves their identity to the key either by providing a fingerprint that the key can match to its template, or by entering the PIN.
    • If the fingerprint match is successful, the appropriate response is sent to the client or browser to complete authentication.
    • If the key is unsuccessful at matching fingerprint to template three times in a row, the YubiKey Bio goes into the biometrics blocked state, signaling this by slow constant flashing of the amber LED. The client or the browser prompts instead for the PIN and for the user to touch the key (checking for user presence). In this situation, the YubiKey Bio behaves like any other key in the YubiKey 5 Series.

U2F

This scenario only works well if the fingerprint match is successful; in that case the user flow is the same as the multifactor flow. If the fingerprint match is unsuccessful, any prompts from the site or service are unlikely to be clear and unambiguous. The user would likely end by having to unblock the YubiKey, which can be done by visiting the YubiKey Bio start page or by using the Yubico Authenticator for Desktop.

Locking/Blocking

Fingerprint: If the YubiKey cannot match fingerprint to template three times in a row, fingerprint recognition is blocked. The YubiKey Bio falls back to PIN.
PIN: If you enter the wrong PIN eight times in a row, the YubiKey FIDO2 application will be locked, which means it cannot communicate with you or with any site or service. It indicates the blocked state by flashing its amber LED slowly and continuously. In order to restore this functionality, the FIDO2 application must be reset. For more details, see FIDO2 PIN.
Unblock: Unblock the YubiKey Bio’s biometric function (its ability to read fingerprints) by going to the unblocking FAQ on the YubiKey Bio start page. Otherwise you can use any of the other methods given in Tools.
Reset: You can also reset it, but doing so erases all the discoverable credentials on it, setting it back to factory defaults. See Resetting Your YubiKey Bio with the Yubico Authenticator for Desktop.

Managing Credentials

If you decide to discontinue using a site or service, you can delete its discoverable credential. This frees up space on the YubiKey Bio, which can contain up to 25 such credentials.

To view the discoverable credentials on your YubiKey and delete them selectively, use the Yubico Authenticator for Desktop version 5.1.0 and above.

For more information on credentials in general, and in particular on managing them, see Enhancements to FIDO 2 Support.

For more developer-oriented information on this, see Discoverable Credentials / Resident Keys on Yubico’s developer site.
