Using Windows to Enroll Fingerprints
These are the instructions for setting a PIN on a YubiKey Bio and enrolling fingerprints on it using the Sign-in options on a Windows 10 or Windows 11 system.
A YubiKey Bio is a FIDO2 hardware authenticator. Both Windows and Mac have built-in FIDO2 authenticators - i.e., software authenticators that in this case are also platform authenticators. The prompts in both Windows and Mac might assume you will be using their own authenticators. Therefore it is quite easy to register their authenticators with a site or service by mistake, without realizing that you are not registering your YubiKey. Read the prompts carefully to avoid this. And remember that the PIN is associated with the authenticator, not the site or service.
To get to the popup (prompt) for the YubiKey, you might need to cancel out of the pop-up for the built-in authenticator.
Although there are two FIDO applications on the YubiKey Bio, namely FIDO2 and U2F, it is the FIDO2 PIN that is required as fallback for both. The PIN is not associated with any site. When the fingerprint does not work and the key falls back to the PIN, it is the key that needs the PIN for authentication to all sites, including U2F sites (even though U2F has no concept of PIN). With fallback to PIN, it is easy if the user is authenticating to a WebAuthn/FIDO2 site, because the browser/client app can prompt for the PIN. Otherwise the user must unblock biometrics by using either:
- The YubiKey Bio start page
- Yubico Authenticator for Desktop.
For information on the YubiKey Bio’s sensor and tips on working with fingerprints see Tips. For detailed information on FIDO2 PINs and their requirements, see Understanding YubiKey PINs.
On Windows 10, click Enroll using Windows on the YubiKey Bio setup page <https://www.yubico.com/setup/yubikey-bio-series/>`_.
On Windows 11, click Enroll using Windows on the YubiKey Bio setup page <https://www.yubico.com/setup/yubikey-bio-series/>`_. Then go to Step 3 below.
On Windows 10, in the expanded Security Key field, click Manage.
On both Windows 10 and Windows 11, follow the Windows setup directions. Insert the YubiKey Bio into your computer’s USB port and set a PIN for your YubiKey Bio if the key does not already have a PIN. In the Security Key PIN field, click Add. Enter a security key PIN and click OK.
To enroll your fingerprint, in the Security Key Fingerprint field, click Set up and follow the prompts.
Touch the YubiKey Bio sensor while the green LED is still flashing, making sure to touch the ring-bezel as well.
Vary the way you touch each time to include more of the fingerprint. If the fingerprint you enroll is smaller than the sensor, apply some pressure to help ensure a good image capture.
Continue lifting and re-applying the same finger until you see the All set! message.
Perform this step up to five times for a total number of 5 enrolled fingerprints.
To get in touch with Yubico Support, click here.