Like FIDO U2F, FIDO2 is based on public key cryptography and offers the same high level of security. In addition to providing phishing-resistant two-factor authentication, the FIDO2 application on the YubiKey can store discoverable credentials. (Fingerprint templates are not discoverable credentials.) Keys in the YubiKey Bio Series can hold up to 25 discoverable credentials. To manage them, see Credential Management.
The FIDO2 PIN is necessary for:
- Enrolling fingerprints
- Managing enrolled fingerprints
- Fallback when a fingerprint fails to match an enrolled template.
The FIDO2 PIN must be between 4 and 128 characters in length (for more information, see https://support.yubico.com/hc/en-us/articles/4402836718866-Understanding-YubiKey-PINs).
There is no PIN set by default.
Once a FIDO2 PIN is set, it can be changed but it cannot be removed other than by resetting the FIDO2 application.
If the FIDO2 PIN is entered incorrectly 3 times in a row, the key will need to be reinserted before it will accept additional PIN entry attempts (reinserting “reboots” the key).
To see the number of retries remaining, use YubiKey Manager and navigate to Applications > FIDO2, or run `ykman fido info` from the command line, which reports whether a PIN is set and how many attempts remain.
If the PIN is entered incorrectly a total of 8 times in a row (3+3+2), the FIDO2 application will be locked, and FIDO2 authentication will not be possible.
To restore the FIDO2 functionality, the FIDO2 application must be reset. A reset deletes all discoverable credentials and, on a YubiKey Bio, all enrolled fingerprints, and clears the PIN.
Resetting the FIDO2 application will also reset the U2F application. No site you have registered the YubiKey with using U2F will work until the YubiKey is re-registered with that site.
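The retry rules above (3 wrong entries per insertion, 8 in total, then a reset) are easy to misjudge when scripting against a key, so here is a small model of them as an added example. This is illustrative Python, not Yubico firmware or the python-fido2 library; the class and method names are the author's own. It assumes, as CTAP2 specifies for clientPin, that a correct PIN entry restores the retry counter to 8.

```python
# Added example: a model of the YubiKey FIDO2 PIN retry and lockout behaviour
# described above. Illustrative code, not Yubico firmware or python-fido2.
# Assumption (per CTAP2 clientPin): a correct PIN resets the counter to 8.
from dataclasses import dataclass, field
from typing import List, Optional

MAX_RETRIES = 8        # total consecutive wrong entries before the application locks
PER_POWER_CYCLE = 3    # wrong entries accepted per insertion before a reinsert is needed
MIN_PIN_LEN, MAX_PIN_LEN = 4, 128   # limits quoted in the text above


def _check_length(pin: str) -> None:
    if not MIN_PIN_LEN <= len(pin) <= MAX_PIN_LEN:
        raise ValueError("PIN must be 4-128 characters")


@dataclass
class Fido2PinState:
    pin: Optional[str] = None          # no PIN is set by default
    retries: int = MAX_RETRIES
    failures_this_cycle: int = 0
    credentials: List[str] = field(default_factory=list)

    @property
    def locked(self) -> bool:
        return self.retries == 0

    def set_pin(self, pin: str) -> None:
        """Set the initial PIN. Once set it can only be changed, not removed."""
        if self.pin is not None:
            raise PermissionError("PIN already set; use change_pin or reset")
        _check_length(pin)
        self.pin = pin

    def power_cycle(self) -> None:
        """Reinserting the key clears the per-insertion block, not the total count."""
        self.failures_this_cycle = 0

    def verify(self, attempt: str) -> str:
        """Return 'ok', 'wrong', 'reinsert', 'locked' or 'no_pin' as the key would."""
        if self.pin is None:
            return "no_pin"
        if self.locked:
            return "locked"        # CTAP2_ERR_PIN_BLOCKED: only a reset helps now
        if self.failures_this_cycle >= PER_POWER_CYCLE:
            return "reinsert"      # CTAP2_ERR_PIN_AUTH_BLOCKED: attempt not consumed
        if attempt == self.pin:
            self.retries = MAX_RETRIES
            self.failures_this_cycle = 0
            return "ok"
        self.retries -= 1
        self.failures_this_cycle += 1
        return "locked" if self.locked else "wrong"

    def change_pin(self, current: str, new: str) -> bool:
        """Changing the PIN requires the current one and counts as a PIN attempt."""
        if self.verify(current) != "ok":
            return False
        _check_length(new)
        self.pin = new
        return True

    def reset(self) -> None:
        """Factory-reset the FIDO2 application: PIN, retries and credentials all go."""
        self.pin = None
        self.retries = MAX_RETRIES
        self.failures_this_cycle = 0
        self.credentials.clear()


def walk_to_lockout(state: Fido2PinState, wrong_guess: str = "000000") -> List[str]:
    """Drive a key with a set PIN through the 3+3+2 sequence, reinserting when blocked."""
    if state.pin is None or wrong_guess == state.pin:
        raise ValueError("need a set PIN and a guess that does not match it")
    log = []
    while not state.locked:
        result = state.verify(wrong_guess)   # constructed wrong guess
        log.append(result)
        if result == "reinsert":
            state.power_cycle()
    return log
```

Running `walk_to_lockout` on a key with a PIN set yields three `wrong` results, a `reinsert`, three more `wrong`, another `reinsert`, one `wrong` and finally `locked`: eight consumed attempts, matching the 3+3+2 in the text. After that even the correct PIN returns `locked` until `reset()` is called, which also empties the credential list.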
The discoverable credentials can be used for passwordless authentication or for two-factor authentication. In both scenarios the credentials can be protected by the FIDO2 PIN, and on a YubiKey Bio biometrics can be used in lieu of the PIN, provided that fingerprints have been enrolled and that the key is not in the biometrics-blocked state.