.. yk5-apps-fido.rst

.. _apps-fido-label:

=======
FIDO
=======

This section describes YubiKey integration with Fast Identity Online (FIDO): FIDO2, Web Authentication (WebAuthn), and FIDO Universal 2nd Factor (U2F).

.. _fido-two-label:

FIDO2
======

For an overview of the FIDO2 features that became available with the 5.7.x firmware, see :ref:`5.7-fw-specs`.

The `FIDO2 `_ standard offers the same high level of security as FIDO U2F, since it is based on public key cryptography. In addition to providing phishing-resistant two-factor authentication, the FIDO2 application on the YubiKey allows for the storage of resident credentials, also called discoverable credentials. Because these credentials can carry the username and other data, they enable truly passwordless authentication on sites and applications that support the WebAuthn protocol. YubiKeys in the 5 Series can hold up to 25 resident keys.

.. _fido2-pins-label:

FIDO2 PINs and Fingerprint Templates
-------------------------------------

PINs and fingerprint templates, collectively referred to as “User Verification” or UV for short, are one of the enhancements over U2F included in FIDO2. FIDO2 UV enables single-device Multi-Factor Authentication (MFA): a single device (the YubiKey) provides two authentication factors, something you have (the YubiKey) and either something you know (a PIN) or a unique physical attribute (a fingerprint template enrolled on the YubiKey Bio).

FIDO2 credentials on a YubiKey cannot be accessed without the PIN or, on the YubiKey Bio, the fingerprint. There are no backdoors to bypass the UV protections. This is the main reason that Yubico recommends registering a minimum of two YubiKeys on each web site you use, so that you keep access to that site if you lose access to the first YubiKey. If the fingerprint sensor on the YubiKey Bio is damaged, the PIN is the only method available to use the credentials on the device.
Because the PIN or fingerprint is only used to authenticate to the YubiKey itself, and because the YubiKey protects against brute-force attacks (a maximum of eight incorrect PIN attempts before the FIDO2 application locks), there is no security benefit to regularly changing the PIN unless there is reason to believe it has been compromised. Changing the FIDO2 PIN will not invalidate any credentials on the YubiKey. However, previous values of the PIN are not stored within the YubiKey, so if the current PIN is forgotten, an older PIN will not be recognized.

.. _yk5-locking-fido-credentials-label:

Locking FIDO2 Credentials
-------------------------

.. Note:: By default, no PIN is set.

The resident credentials can be left unlocked and used for strong single-factor authentication, or they can be protected by a PIN for two-factor authentication. This is achieved by performing UV at the time of authentication.

The rule of thumb for PIN length is between 4 and 63 alphanumeric characters, but the actual minimum PIN length varies depending on the firmware version, whether or not the YubiKey is a FIPS key, and whether :ref:`pin-complexity` is enabled.

.. table:: **Minimum PIN Length**
   :class: longtable

   +----------------------------------------------+---+
   | YubiKey prior to 5.7                         | 4 |
   +----------------------------------------------+---+
   | YubiKey FIPS prior to 5.7                    | 6 |
   +----------------------------------------------+---+
   | YubiKey 5.7 and later without PIN complexity | 4 |
   +----------------------------------------------+---+
   | YubiKey 5.7 and later with PIN complexity    | 6 |
   +----------------------------------------------+---+

On the YubiKey Bio Multi-protocol Edition, the PIN is shared between the PIV and FIDO2 applets. :ref:`PIN length requirements ` depend on firmware version and YubiKey application status. The special (developer-focused) requirements for the PIN are described in `The FIDO2 PIN `_.
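The lockout behaviour this section describes (a hard budget of eight wrong PIN attempts, a power cycle required after three consecutive misses, and a FIDO2 reset that wipes every credential once the budget is exhausted) is modelled below as an added example. It is not code from the YubiKey documentation or from Yubico; the class and method names are this example's own, and the rule that a correct PIN restores the retry counter to its maximum is taken from the CTAP2 specification rather than from this page. The simulation at the end shows why rotating the PIN adds nothing: power-cycling the key never extends the eight-guess budget.

```python
"""Model of the FIDO2 PIN retry behaviour described in this section.

Added example, not code from the YubiKey documentation or from Yubico.
The numbers follow the text (eight wrong attempts lock the FIDO2
application; after three consecutive wrong attempts the key must be
power-cycled before another attempt is judged) plus the CTAP2 rule that a
correct PIN restores the retry counter to its maximum.  Names are this
example's own.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class PinResult(Enum):
    OK = "ok"                                # PIN accepted
    WRONG = "wrong PIN"                      # rejected, retries remain
    POWER_CYCLE = "power-cycle required"     # three misses this power cycle
    LOCKED = "locked, FIDO2 reset required"  # retry counter exhausted


@dataclass
class Fido2PinModel:
    """Persistent retry counter plus the per-power-cycle consecutive limit."""

    MAX_RETRIES = 8        # total wrong attempts before the applet locks
    MAX_CONSECUTIVE = 3    # wrong attempts allowed per power cycle

    pin: Optional[str] = None        # no PIN is set by default
    retries_left: int = MAX_RETRIES  # persists across power cycles
    consecutive_wrong: int = 0       # cleared by a power cycle
    locked: bool = False
    credential_count: int = 0        # resident credentials held by the applet

    @property
    def needs_power_cycle(self) -> bool:
        return self.consecutive_wrong >= self.MAX_CONSECUTIVE

    def set_pin(self, new_pin: str) -> None:
        """Set or change the PIN; credentials stay, the old PIN is forgotten."""
        if self.locked:
            raise RuntimeError("FIDO2 application is locked; reset required")
        self.pin = new_pin

    def verify(self, attempt: str) -> PinResult:
        """Judge one PIN attempt the way the FIDO2 applet would."""
        if self.locked:
            return PinResult.LOCKED
        if self.pin is None:
            raise ValueError("no PIN is set on this key")
        if self.needs_power_cycle:
            # Blocked until power cycle; this attempt does not consume a retry.
            return PinResult.POWER_CYCLE
        if attempt == self.pin:
            self.retries_left = self.MAX_RETRIES   # CTAP2: success restores the budget
            self.consecutive_wrong = 0
            return PinResult.OK
        self.retries_left -= 1
        self.consecutive_wrong += 1
        if self.retries_left == 0:
            self.locked = True
            return PinResult.LOCKED
        if self.needs_power_cycle:
            return PinResult.POWER_CYCLE
        return PinResult.WRONG

    def power_cycle(self) -> None:
        """Unplug/replug clears the consecutive count; retries_left persists."""
        self.consecutive_wrong = 0

    def reset(self) -> None:
        """FIDO2 reset: clears PIN and lock, and destroys every credential."""
        self.pin = None
        self.retries_left = self.MAX_RETRIES
        self.consecutive_wrong = 0
        self.locked = False
        self.credential_count = 0


def simulate_guessing(model: Fido2PinModel, guesses: List[str]) -> Tuple[int, PinResult]:
    """Feed guesses to the key, power-cycling whenever it demands it.

    Returns (attempts judged, final result).  At most MAX_RETRIES guesses are
    ever judged, however many power cycles happen in between.
    """
    attempts = 0
    result = PinResult.WRONG
    for guess in guesses:
        if model.needs_power_cycle:
            model.power_cycle()
        result = model.verify(guess)
        attempts += 1
        if result in (PinResult.OK, PinResult.LOCKED):
            break
    return attempts, result
```

`credential_count` stands in for the resident credentials on the key: `set_pin` leaves it alone, matching the statement above that changing the PIN does not invalidate credentials, while `reset` zeroes it along with the PIN.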
To change the minimum PIN length, see `Increasing the minimum PIN length `_.

* To re-attempt to enter the PIN after you have entered an incorrect PIN three times in succession, power-cycle the FIDO2 application.
* Once a FIDO2 PIN is set, it can be changed, but removing it requires a FIDO2 reset.
* If the PIN is entered incorrectly eight times in succession, the FIDO2 application locks and FIDO2 authentication is no longer possible. To unlock the FIDO2 application, a FIDO2 reset is required.

.. Note:: Resetting the FIDO2 application also resets the U2F application. This means the YubiKey must be re-registered not only with all the FIDO2 sites, but also with all the U2F sites.

.. Note:: The YubiKey 5 supports FIDO2 credential management. This enables selectively deleting resident keys. See our article `YubiKey 5.2 enhancements to FIDO 2 Support `_ for details.

Discoverable Credentials: Passkeys
-----------------------------------

Another new feature added in FIDO2 is discoverable credentials. Formerly referred to as resident keys, discoverable credentials contain information about the site or service the credential belongs to, including the address and the account username. These credentials are more convenient on web sites that support them, because they allow secure login without requiring users to enter a username. Not all web sites or service providers support discoverable credentials, and for a website or service provider that does not use a discoverable credential, no information about that credential is stored on the YubiKey.

FIDO2 Connector Support
-----------------------

FIDO2 support is available to Apple devices via the USB-C or Lightning® connectors of the YubiKey 5Ci.
FIDO2/WebAuthn can be achieved over USB-C using any of the following options:

* ``ASWebAuthenticationSession``
* ``SFSafariViewController``
* Redirect to Safari browser

YubiKey 5Ci
~~~~~~~~~~~~

Like the USB interface, the YubiKey 5Ci's Lightning® interface also uses a variety of channels for communication between the YubiKey and iOS. The YubiKey 5Ci presents itself as an Apple iOS peripheral. It is able to interact with:

* Any iOS app using the Yubico YubiKey iOS SDK.
* Any app input data field through the touch-triggered OTP.
* Any WebAuthn-compliant application (starting in iOS 13). This includes the Safari browser.

When connecting the YubiKey 5Ci through Lightning®, the **interfaces enabled** setting is common to both USB-C and Lightning®. Enabling or disabling an interface applies to both connections.

.. Note:: **Developers**: Enabling apps within iOS to use advanced protocols that send and receive information from the YubiKey 5Ci requires that you:

   * Use the Yubico iOS SDK. See `Yubico iOS SDK `_.
   * Register the app with Yubico. See `Register Your App `_.

The USB and iProduct strings that are displayed when connecting through Lightning® or USB are specific to the connection type. They are described in our Support article `YubiKey USB ID Values `_.

iPad and iPad Pro
~~~~~~~~~~~~~~~~~~~

For users of keys in the YubiKey 5 Series, because the iPad Pro does not have a Lightning port, support depends on what you want to do. All those aspects are covered by the second part of our Support article `Getting Started with iOS `_.

From the developer perspective, support for the iPad Pro has some limitations. Consult `Security Key Compatibility `_ for detailed instructions on working around those limitations.

.. Note:: To see which U2F/FIDO2 security keys currently work with iOS/iPadOS 13.3+ devices using the Safari browser in combination with apps using ``SFSafariViewController`` or ``ASWebAuthenticationSession``, see `Supporting FIDO2 Security Keys on iOS or iPadOS `_.
Default Values
--------------

PIN: None set.

AAGUID Values
-------------

An AAGUID (Authenticator Attestation GUID) is a 128-bit identifier indicating the type of the authenticator. The `FIDO2 specification `_ states that an AAGUID must be provided during attestation. New AAGUIDs are issued for new YubiKey products that support FIDO2, or when existing YubiKey products have FIDO2 features added or removed. For the complete list of AAGUIDs, see the article on our Support site, `YubiKey hardware FIDO2 AAGUIDs `_.

Supported Extensions
--------------------

The YubiKey 5 Series supports the AppID extension (``appid``) as defined by the `W3C Web Authentication API specification `_. This extension allows U2F credentials registered using the legacy FIDO JavaScript APIs to be used with WebAuthn. That means if you register a YubiKey 5 Series key on a website while that website uses U2F, and the website later upgrades to FIDO2, your U2F credentials continue to work there.

.. table:: **FIDO2 Extensions Available per Firmware Version**
   :class: longtable

   +---------------------------+-------+-------+-------+-------+-------+-------+-------+-------+
   | Extension and feature     | Firmware Versions                                             |
   +                           +-------+-------+-------+-------+-------+-------+-------+-------+
   |                           | 5.7.x | 5.6.x | 5.5.x | 5.4.x | 5.3.x | 5.2.x | 5.1.x | 5.0.x |
   +===========================+=======+=======+=======+=======+=======+=======+=======+=======+
   | ECC P256 Credentials      | yes   | yes   | yes   | yes   | yes   | yes   | yes   | yes   |
   +---------------------------+-------+-------+-------+-------+-------+-------+-------+-------+
   | EdDSA/Ed25519 Credentials | yes   | yes   | yes   | yes   | yes   | yes   |       |       |
   +---------------------------+-------+-------+-------+-------+-------+-------+-------+-------+
   | ECC P384 Credentials      | yes   | yes   |       |       |       |       |       |       |
   +---------------------------+-------+-------+-------+-------+-------+-------+-------+-------+
   | Credential Protection     | yes   | yes   | yes   | yes   | yes   | yes   |       |       |
   | extension                 |       |       |       |       |       |       |       |       |
   +---------------------------+-------+-------+-------+-------+-------+-------+-------+-------+
   | HMAC-Secret extension     | yes   | yes   | yes   | yes   | yes   | yes   |       |       |
   +---------------------------+-------+-------+-------+-------+-------+-------+-------+-------+
   | Credential Management     | yes   | yes   | yes   | yes   | yes   | yes   |       |       |
   +---------------------------+-------+-------+-------+-------+-------+-------+-------+-------+
   | PIN Protocol v2           | yes   | yes   | yes   | yes   |       |       |       |       |
   +---------------------------+-------+-------+-------+-------+-------+-------+-------+-------+
   | Credential Blob           | yes   | yes   | yes   |       |       |       |       |       |
   +---------------------------+-------+-------+-------+-------+-------+-------+-------+-------+
   | Authenticator Large Blob  | 4kB   | 1kB   | 1kB   |       |       |       |       |       |
   +---------------------------+-------+-------+-------+-------+-------+-------+-------+-------+
   | alwaysUV                  | yes   | yes   | yes   |       |       |       |       |       |
   +---------------------------+-------+-------+-------+-------+-------+-------+-------+-------+
   | Force PIN Change          | yes   | yes   | yes   |       |       |       |       |       |
   +---------------------------+-------+-------+-------+-------+-------+-------+-------+-------+
   | Minimum PIN Length        | yes   | yes   | yes   |       |       |       |       |       |
   +---------------------------+-------+-------+-------+-------+-------+-------+-------+-------+
   | Biometric Enrollment      | yes   | yes   | yes   |       |       |       |       |       |
   +---------------------------+-------+-------+-------+-------+-------+-------+-------+-------+
   | Built-in UV (fingerprint) | yes   | yes   | yes   |       |       |       |       |       |
   +---------------------------+-------+-------+-------+-------+-------+-------+-------+-------+
   | Make Credential UV        | yes   | yes   | yes   |       |       |       |       |       |
   | Not Required              |       |       |       |       |       |       |       |       |
   +---------------------------+-------+-------+-------+-------+-------+-------+-------+-------+
   | Enterprise Attestation    | yes   | yes   |       |       |       |       |       |       |
   +---------------------------+-------+-------+-------+-------+-------+-------+-------+-------+

.. _ea-label:

Enterprise Attestation with FIDO 2
-----------------------------------

Enterprise Attestation is supported by YubiKey firmware version 5.4.3 and above.

Enterprise Attestation (EA) enables pre-defined Relying Parties (RPs), such as Identity Providers (IdPs), to read the YubiKey serial number (or another unique identifier specific to the organization) on custom-programmed keys during FIDO2 registration. This satisfies a variety of asset tracking requirements, and can aid in account recovery by allowing an end user to prove they have a specific FIDO2 device.

In addition to support from the RP and/or Identity Provider (IdP), EA requires platform support in the form of CTAP 2.1 capabilities. See :ref:`ea-pf-rp` and :ref:`ctap-2.1`.

EA's ability to identify individual authenticators, as opposed to just the type of authenticator, changes the privacy model of the FIDO protocol. This makes the FIDO credential behave more like a certificate. However, the model is changed only for RPs defined by the customer at the time of order (utilizing EA vendor mode) or by supported platforms (utilizing EA platform mode).

Typical Use-Cases
~~~~~~~~~~~~~~~~~~~

* Tracking of individual authenticators on registration ensures that only authenticators issued by the organization are used. This resolves a common compliance requirement that previously could only be met by using policies or custom AAGUIDs.
* If the organization knows what serial number a user was issued but does not see it registered, or did not register it on the user's behalf, the organization can take appropriate steps to help the end user register their authenticator. This helps organizations roll out phishing-resistant MFA.
* Tie the FIDO credential to a PIV certificate by matching serial numbers (or other device-specific information) between the FIDO EA and the PIV Attestation certificate.
* Identify individual authenticators in troubleshooting scenarios. When a key is lost or broken, a user can be guided by an IT admin who knows which authenticator holds which credential. The admin can advise which key is being used and which should be de-activated. The serial number of a back-up authenticator can be identified, too.

Developers seeking more information can refer to `Enterprise Attestation on developers.yubico.com `_.

Enterprise Attestation Platform/RP Support
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

At present, few RPs support this feature; however, there is platform support for it in Chrome and some Chromium-based browsers. Windows 11 is required on Windows platforms. CMS vendor support for EA is currently a little sparse; however, that is rapidly changing.

.. _min-pin:

Minimum PIN Length
--------------------

The Minimum PIN Length extension (``minPINLengthExtension``) enables RPs to enforce PIN length requirements, for example in regulated environments. The RPs pre-defined by the organization or end user are able to query the ``minPINLength`` of the authenticator. Once set, the PIN length cannot be shortened until the authenticator is reset. The minimum PIN length is configurable only by platforms, or by communicating with the YubiKey directly, and can only be read by IdPs or RPs via an allowed list configured on the YubiKey.

This extension resolves compliance requirements for organizations that require certain PIN lengths. Before 5.7, this was only possible through FIPS (the YubiKey 5 FIPS Series with firmware version 5.4.3 has a minimum PIN length of 6), or through custom configuration in which there were no checks the RP could perform unless the authenticator had a custom AAGUID. With the *Security Key Series* and *YubiKey Series 5 Enhanced PIN*, this feature is set to 6 by default.

Minimum PIN Length Platform/RP Support
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

No current RP supports this feature; however, there is platform support for it in Chrome and some Chromium-based browsers. **Windows 11 is required on Windows platforms**.

.. _force-pin:

Force PIN Change
------------------

``Force PIN Change`` enables vendors or IT admins to prompt end users to change their FIDO2 PIN upon next use. This is valuable in a pre-registration/enroll-on-behalf-of scenario where the organization does not want its end users' PINs to be known. End users are prompted to set their own PINs (this can be combined with ``minPINLength``). This feature also minimizes the number of help-desk calls due to forgotten PINs, because end users can set PINs that are meaningful to them.

.. Note:: A PIN is not a password; it is local to the authenticator.

Force PIN Change Platform Support
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

``Force PIN change`` only requires support on the platform, and can only be set by communicating with the YubiKey directly. Chrome and some Chromium-based browsers support it on macOS and Linux, while other browsers support it on Windows. **Windows 11 is required on Windows platforms**. There is no need for explicit RP support: the ``force PIN change`` flag is set on the client/platform side, which is where it triggers the flow.

.. _alwaysuv:

Always Require User Verification
----------------------------------

Always Require User Verification (UV), ``alwaysuv``, was introduced to prompt users for user verification with each use (authentication and registration), which provides consistency in behavior between different platforms and RPs. End users are often confused because the setting ``uv=preferred/discouraged`` behaves differently depending on whether the user is on a macOS or a Windows machine. An organization might want to enable it so that users always enter their PIN, ensuring they are less likely to forget it.

**YubiKey Bio Series** - Always Require User Verification (UV) is enabled by default. It always asks for biometrics, and never for User Presence (UP) only, even in a second-factor flow where UV is not required. If Always Require User Verification (UV) is not enabled, an end user might touch the fingerprint sensor with an unenrolled finger and successfully authenticate by only performing User Presence (UP). The user might mistakenly think they “bypassed the biometrics” or that the biometric sensor was faulty and the key allowed an unenrolled finger to authenticate.

**YubiKey Series 5 Enhanced PIN** - This feature is enabled by default. It can be disabled, but reverts to enabled if the YubiKey is reset.

Always User Verification Platform/RP Support
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This setting is internal to the authenticator and requires no specific platform or RP support.

AlwaysUV and FIDO2
~~~~~~~~~~~~~~~~~~~

If you disable FIDO2 and leave AlwaysUV enabled, U2F fails. To prevent U2F from failing:

#. Disable AlwaysUV first.
#. Then disable FIDO2.

To correct the U2F failure if you disabled FIDO2 without first disabling AlwaysUV:

#. Enable FIDO2.
#. Disable AlwaysUV.
#. Disable FIDO2.

.. _blob-label:

Blob Storage
--------------

There are two blob storage options available on the YubiKey 5.7 and later. Both Credential Blobs and Large Blobs require support on the platform as well as from the RP.

Credential Blob
~~~~~~~~~~~~~~~~~

Credential Blobs, ``credBlob``, are 32 bytes of unencrypted storage per credential that can be set during registration and retrieved during authentication for discoverable credentials. This feature allows a small amount of data to be associated with a discoverable credential during ``makeCredential``. The blob is opaque to the authenticator. This enables IdPs to include a small amount of information, such as a certificate thumbprint, to aid in authentication scenarios. PII can be stored in this field if it is used with ``credProtect``.
There are many use cases, because the ``credBlob`` extension can store arbitrary data; for example, it can:

* Be used as an HPKP-like public key hash to identify, for example, the Kerberos certificates to trust when using a given credential ("on-prem AD").
* Provide information about the issuance of the specific credential.

Large Blob
~~~~~~~~~~~~

Large Blob (``authenticatorLargeBlob``) storage is compressed, shared storage on the authenticator: 4096 bytes on firmware 5.7.0 and later, and 1024 bytes on firmware 5.5.x and 5.6.x. It is managed by the platform, and is always encrypted with the Large Blob Key, a per-credential symmetric encryption key that the platform uses to read the contents of the large blob. Large blobs can be used for storing authentication certificates or other artifacts linked to the private FIDO2 key stored on an authenticator.

The large blob feature allows a “large” amount of data to be added to a discoverable credential upon creation. The typical use case is a public SSH key. Creating an SSH key using a discoverable FIDO2 credential makes the key hardware-bound, with SSH authentications performed using a key stored in the FIDO2 applet. With the addition of large blob, the user can take the authenticator to a new machine and does not need to copy the public part to the new client machine. Any other data can be associated with the key, such as linkage to a PIV certificate or details on the creation of the credential. The ``largeBlobKey`` is required to decrypt the data in the Large Blob.

Calculating the RPID hash
-------------------------

The FIDO2 protocol uses the RPID (Relying Party ID) as an identifier for the RP (Relying Party) that an authenticator authenticates against. To calculate the RPID hash, apply the SHA-256 algorithm to the RPID. For example, the RPID ``yubico.com`` has the RPID hash ``378209b72defcba91dcbf854edb4daa648828a2cbd180afc77a74434655a1c7d``.
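The RPID hash is what a Relying Party compares against the first 32 bytes of the authenticator data a YubiKey returns, so the calculation above is only half of the check. The following is an added example, not code from the YubiKey documentation or from Yubico: it computes the RPID hash and then applies the checks a Relying Party performs on the fixed 37-byte prefix of WebAuthn ``authenticatorData`` (rpIdHash, flags, signCount): the hash must match the RP ID, or the legacy AppID when the ``appid`` extension from Supported Extensions is in play; the UP flag must be set; the UV flag must be set when the RP requires user verification (the flag that Always Require User Verification guarantees); and the signature counter must increase between assertions. The sample authenticator data is constructed inline and is not real YubiKey output; the function names and failure strings are this example's own.

```python
"""Relying-Party checks on WebAuthn authenticator data.

Added example, not code from the YubiKey documentation or from Yubico.
It reproduces the RPID hash calculation from this section (SHA-256 over
the RP ID) and applies the checks a Relying Party performs on the fixed
37-byte prefix of authenticatorData defined by the WebAuthn specification:
rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian).
The sample authenticator data built below is constructed for the example,
not real YubiKey output.  Function names are this example's own.
"""
import hashlib
import struct
from typing import List, Optional

FLAG_UP = 0x01  # User Present: the key was touched
FLAG_UV = 0x04  # User Verified: PIN or fingerprint was checked
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows

# Failure strings returned by verify_authenticator_data().
ERR_RPID = "rpIdHash does not match the RP ID or allowed AppID"
ERR_UP = "UP flag not set: no proof of user presence"
ERR_UV = "UV required but the UV flag is not set"
ERR_COUNTER = "signCount did not increase (possible cloned authenticator)"


def rpid_hash(rp_id: str) -> bytes:
    """SHA-256 over the RP ID, e.g. 'yubico.com'; the same for a legacy AppID."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest()


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed prefix; bytes after 37 hold attested data/extensions."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    rp_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    return {
        "rpIdHash": rp_hash,
        "flags": flags,
        "signCount": sign_count,
        "UP": bool(flags & FLAG_UP),
        "UV": bool(flags & FLAG_UV),
    }


def verify_authenticator_data(
    auth_data: bytes,
    rp_id: str,
    require_uv: bool = False,
    app_id: Optional[str] = None,
    last_sign_count: Optional[int] = None,
) -> List[str]:
    """Return the failed checks; an empty list means the data is acceptable.

    app_id: legacy U2F AppID accepted through the ``appid`` extension, in
    which case the authenticator hashes the AppID instead of the RP ID.
    last_sign_count: counter stored from the previous assertion, if any.
    """
    parsed = parse_authenticator_data(auth_data)
    failures = []
    accepted_hashes = {rpid_hash(rp_id)}
    if app_id is not None:
        accepted_hashes.add(rpid_hash(app_id))
    if parsed["rpIdHash"] not in accepted_hashes:
        failures.append(ERR_RPID)
    if not parsed["UP"]:
        failures.append(ERR_UP)
    if require_uv and not parsed["UV"]:
        failures.append(ERR_UV)
    # WebAuthn: if either counter is non-zero, the new one must be greater.
    if (
        last_sign_count is not None
        and (parsed["signCount"] or last_sign_count)
        and parsed["signCount"] <= last_sign_count
    ):
        failures.append(ERR_COUNTER)
    return failures


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticatorData prefix for exercising the checks."""
    return rpid_hash(rp_id) + struct.pack(">BI", flags, sign_count)


if __name__ == "__main__":
    print(rpid_hash("yubico.com").hex())
    sample = build_authenticator_data("yubico.com", FLAG_UP | FLAG_UV, 42)
    print(verify_authenticator_data(sample, "yubico.com", require_uv=True))
```

Passing ``app_id`` widens the accepted hash set to two values, which is exactly the relaxation the ``appid`` extension asks of an RP that migrated from U2F; an RP that never offered U2F should leave it unset so a mismatched hash is always rejected.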
The hash can also be calculated on the command line by running ``echo -n "yubico.com" | openssl dgst -sha256``, which returns ``SHA2-256(stdin)= 378209b72defcba91dcbf854edb4daa648828a2cbd180afc77a74434655a1c7d``.

Developers seeking more information can refer to `The W3C's WebAuthn specification `_.

Tools for Managing the FIDO2 Application
----------------------------------------

Each operating system has different software available to manage the YubiKey, with different capabilities. Note that the same YubiKey can be configured using any or all of the tools listed.

Yubico Authenticator for Windows, MacOS and Linux
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

:Platforms: Windows, MacOS, Linux
:Capabilities: Set or change the PIN, manage fingerprint templates, manage discoverable credentials, reset the YubiKey
:Works with: All YubiKeys that support FIDO2

Yubico Authenticator enables users to manage all aspects of the FIDO2 application, and can do everything outlined in this document for managing the YubiKey, including adding fingerprint templates to the YubiKey Bio. Yubico Authenticator requires administrative privileges for several operations on Windows, so for non-administrative users on Windows, the built-in Windows Security Key tools may be a better option. See :ref:`discover-credentials-authenticator-label`.

Download `Yubico Authenticator `_ for Windows, MacOS or Linux.

ykman CLI for Windows, MacOS and Linux
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Install the most recent version of the `ykman `_, because the YubiKey Manager GUI includes an older version of the ykman CLI.

:Platforms: Windows, MacOS, Linux
:Capabilities: Set or change the PIN, reset the YubiKey, manage discoverable credentials (ykman CLI only)
:Works with: All YubiKeys that support FIDO2.
For Windows, MacOS and Linux, download the `Yubico Authenticator `_ with its intuitive and easy-to-use graphical interface, the `ykman `_, a lightweight software package installable on many operating systems, or the `YubiKey Manager GUI `_, though it is not as robust as the other tools. These are general-purpose utilities that are able to configure many of the applications on the YubiKey in addition to FIDO2. On Windows they require administrative privileges to configure FIDO2, or to detect FIDO2-only devices like the Security Key Series or the YubiKey Bio, so for non-administrative users the built-in Windows Security Key tools may be a better option.

Chrome on MacOS, Linux and ChromeOS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

:Platforms: MacOS, Linux, ChromeOS
:Capabilities: Set or change the FIDO2 PIN, manage fingerprint templates, manage discoverable credentials, reset the YubiKey
:Works with: All YubiKeys that support FIDO2.

Chrome has built-in support for managing FIDO2 devices, and allows managing security keys on the non-mobile platforms where it is available. These capabilities are not available on Windows installations of Chrome.

Built-in Security Key Management on Windows
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

:Platforms: Supported versions of Windows 10 or 11, and Windows Server
:Capabilities: Set or change the PIN, manage fingerprint templates, reset the YubiKey
:Works with: All YubiKeys that support FIDO2.

Windows has supported security keys for many versions; all current releases of supported Windows desktop and server editions support FIDO2, and make that support available to web browsers running on the platform. Windows includes built-in tools for setting and changing the PIN on FIDO2 devices like the YubiKey, as well as for resetting the YubiKey. Search for “Set up Security Key” in the Start menu to find the Windows built-in FIDO2 management tools. This method of interacting with the security key does not require administrative rights.
Managing Discoverable Credentials ---------------------------------- Any YubiKey with firmware 5.2.1 and higher supports viewing and deleting individual discoverable credentials (also known as *Passkeys*) that are stored on the YubiKey. A PIN must be configured, and entered each time you want to view discoverable credentials. Deleting a discoverable credential is a permanent action, and can not be undone. It is recommended to ensure that you have access to an account by other means (such as a different YubiKey) before deleting a discoverable credential for a specific account. .. _discover-credentials-authenticator-label: Managing Discoverable Credentials with Yubico Authenticator ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1. Download and install `Yubico Authenticator `_ for Windows, MacOS or Linux. The iOS and Android versions of Yubico Authenticator do not support resetting the FIDO2 application of the YubiKey. 2. Insert your YubiKey or Security Key in a USB port on your computer. 3. Open Yubico Authenticator. 4. Click the menu icon (three vertical bars) in the upper left hand corner and select **WebAuthn**. * Windows 10 or 11 users, if prompted, enter administrator consent. Due to underlying OS mechanics, when using Windows 10 or 11, applications that manage FIDO2 devices need to be run as administrator in order to access FIDO2 options and/or to detect the Security Key Series keys. * Enter a PIN at the prompt, if a PIN is set on the device. Any discoverable credentials on the device are listed. Most discoverable credentials provide a way to identify the account. The URL that the credential is used for is always visible. 5. Locate the credential you want to delete, and click on the elipses (…) icon to the right of the credential. The Username and URL of the credential is listed again. 6. Click the **Delete Passkey** button under the credential. To cancel the deletion, click the **X Close** button. 7. 
Confirm deletion by clicking the **delete** button. This permanently deletes the credential. Managing Discoverable Credentials with Google Chrome on MacOS or Linux ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .. Note:: Chrome for Windows does not support managing individual FIDO2 credentials due to Windows operating system restrictions. To list and delete credentials: 1. Open the Chrome Settings menu. Click the 3 vertical dots. Alternatively, navigate to chrome://settings/securityKeys and skip to step 5. 2. Select **Privacy & Security** from the settings navigation on the left hand side. 3. Scroll down and select **Security**. 4. Scroll down and select **Manage security keys**. 5. Select **Sign-in data**. 6. Enter your YubiKey's PIN and click **Continue**. 7. Located the credential you want to delete and click the trash can icon next to it. 8. Confirm deletion by clicking the **delete** button. This permanently deletes the credential. Resetting the FIDO2 Application -------------------------------- .. Note:: Device Support: This article applies to Yubico devices that support the FIDO2 protocol, like the YubiKey 5 Series, YubiKey 5 FIPS Series, and Security Key Series, but not to the FIDO U2F Security Key, which cannot be reset. Also note that FIDO2 reset performed over a Lightning connection is only supported for devices with firmware 5.7.4 and higher. If the FIDO2 PIN has been forgotten, and the fingerprint sensor on the YubiKey Bio is not working, the key will need to be reset. Resetting the key will remove the PIN, but it will also destroy all the U2F and FIDO2 credentials on the YubiKey, whether they are discoverable or not. Entering the PIN incorrectly 8 times will also cause the FIDO2 application to lock. Before Resetting the FIDO2 Application ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Once the FIDO2 application on the YubiKey has been reset, there is no way to recover the previously stored credentials or PIN. 
Resetting the FIDO2 application will effectively unregister your key from any accounts it was registered with using FIDO U2F or FIDO2. We therefore recommend following the steps below prior to resetting. Determine which accounts will be affected by a reset (see below). Log in to each of those accounts, unregister the key to be reset, and then double-check that you are still able to log in and modify the account's 2FA settings (without the key that is to be reset). This process is easier if you have more than one key registered with your accounts, which we recommend.

Determining which accounts may be affected
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To determine which of your accounts may be affected by a FIDO reset:

1. Search for each service your YubiKey is registered with in the Works With YubiKey Catalog.

2. Under each service's listing, check the security protocol support section for FIDO2/WebAuthn, Universal 2nd Factor (U2F), or similar.

Services that indicate support for these may be affected by a FIDO2 reset. For instance, Google's listing in the WWYKC has both of these listed, indicating it would be affected by a reset. Services that only list Yubico OTP, OATH-TOTP, etc., and do not include any of the aforementioned protocols should not be affected.

The YubiKey will return to its initial state without a FIDO2 PIN. We recommend using the Yubico Authenticator app or built-in OS support on a desktop OS to set the PIN prior to using the YubiKey again.

Resetting the FIDO2 Application
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. Download and install `YubiKey Manager GUI `_. Alternatively, use either the `Yubico Authenticator `_ with its intuitive and easy-to-use graphical interface or the `ykman `_, a lightweight software package installable on many operating systems.

2. Insert your YubiKey or Security Key into an available USB port on your computer.

3. Open YubiKey Manager.

   .. Note:: When using Windows 10 or 11, applications that manage FIDO2 devices need to be run as administrator in order to access FIDO2 options and/or to detect the Security Key Series keys.

4. Navigate to Applications > FIDO2.

5. Click "Reset FIDO" > "YES".

6. Follow the prompts to remove, re-insert, and touch your key.

Resetting the FIDO2 Application Using Yubico Authenticator
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If a PIN has been set, Yubico Authenticator requires that PIN in order to reset the FIDO2 application.

.. Note:: When using Windows 10 or 11, applications that manage FIDO2 devices need to be run as administrator in order to access FIDO2 options and/or to detect the Security Key Series keys. If you are using Windows and do not have administrative access, consider using the built-in security key management features of Windows.

1. Download and install `Yubico Authenticator `_ for Windows, macOS or Linux. The iOS and Android versions of Yubico Authenticator do not support resetting the FIDO2 application of the YubiKey.

2. Insert your YubiKey or Security Key into an available USB port on your computer.

3. Open Yubico Authenticator.

4. In the upper left hand corner, click on the menu icon (three vertical bars) and then select "WebAuthn".

5. You will be prompted for a PIN if a PIN is set on the device; however, if a PIN has not been set, entering the PIN is not required for a reset.

6. In the upper right hand corner of the Authenticator, click on the icon for the device you are using, and select “Reset FIDO”.

7. Follow the on-screen instructions.

Resetting the FIDO2 Application Using Windows Built-in Security Key Management
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Windows 10 and 11 provide built-in tools to manage FIDO2 devices.

1. Open the Start menu and select “Set up security key”. Alternatively, open Windows Settings and navigate to “Accounts” > “Sign-in options” > “Security Key”.

2. Click the “Manage” button.

3. When prompted, touch your security key.

4. Click “Reset security key”, and follow the on-screen prompts.

Resetting the FIDO2 Application Using Google Chrome on macOS or Linux
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Chrome for Windows does not support resetting the FIDO2 application because of Windows OS restrictions.

1. Open the Chrome Settings menu by clicking on the three vertical dots on the upper right of the browser, next to the URL field. Alternatively, navigate to chrome://settings/securityKeys and skip to step 5.

2. Select “Privacy & Security” from the settings navigation on the left hand side.

3. Scroll down and select “Security”.

4. Scroll down and select “Manage security keys”.

5. Click “Reset your security key”, and follow the on-screen prompts.

Setting or Changing the FIDO2 PIN
----------------------------------

For a general description of the FIDO2 PIN, see :ref:`fido2-pins-label`. Note that the FIDO2 PIN is independent from the PIV PIN, and may be set to a different value, or not set at all. Changing the FIDO2 PIN will not change the PIV PIN, and vice versa.

.. Note:: This does not apply to the YubiKey Bio Multi-protocol Edition, where the two PINs are shared between the applications.

Setting or Changing the FIDO2 PIN on Windows
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When using Windows 10 or 11, applications that manage FIDO2 devices need to be run as administrator in order to access FIDO2 options and/or to detect the Security Key Series keys. If you are using Windows and do not have administrative access, consider using the built-in security key management features of Windows.

1. Download and install `YubiKey Manager GUI `_. Alternatively, use either the `Yubico Authenticator `_ with its intuitive and easy-to-use graphical interface or the `ykman `_, a lightweight software package installable on many operating systems.

2. Insert your YubiKey or Security Key into an available USB port on your computer.
3. Open YubiKey Manager.

4. Navigate to Applications > FIDO2.

5. Click “Set PIN” or “Change PIN”.

6. Follow the prompts to set or change the PIN.

Setting or Changing the FIDO2 PIN Using Yubico Authenticator
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When using Windows 10 or 11, applications that manage FIDO2 devices need to be run as administrator in order to access FIDO2 options and/or to detect the Security Key Series keys. If you are using Windows and do not have administrative access, consider using the built-in security key management features of Windows. The iOS and Android versions of Yubico Authenticator do not support setting the FIDO2 PIN.

1. Download and install `Yubico Authenticator `_ for Windows, macOS or Linux.

2. Insert your YubiKey or Security Key into an available USB port on your computer.

3. Open Yubico Authenticator.

4. In the upper left hand corner, click on the menu icon (three vertical bars) and select "WebAuthn".

5. You will be prompted for a PIN if a PIN is set on the device. In the upper right hand corner, click on the icon representing your device, and select “Set PIN” or “Change PIN”, depending on whether your device already has a PIN configured.

Setting or Changing the FIDO2 PIN Using Windows Built-in Security Key Management
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Windows 10 and 11 provide built-in tools to manage FIDO2 devices without needing administrative access.

1. Open the Start menu and search for “Set up security key”. Alternatively, open Windows Settings and navigate to “Accounts” > “Sign-in options” > “Security Key”.

2. Click on the “Manage” button.

3. Touch your security key as prompted.

4. Under “Security key PIN”, click on “Add” or “Change”, and follow the on-screen prompts.
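The reset procedures and the set-or-change-PIN procedures above can also be driven from the command line with ykman, which the steps mention as an alternative to the GUI. The script below is an added example and is not Yubico's own code or documentation. It assumes ykman 4.x or later on the PATH (the ``ykman fido info``, ``ykman fido credentials list``, ``ykman fido reset`` and ``ykman fido access change-pin`` subcommands); the ``fido2_*`` function names and the ``MIN_PIN_LEN`` variable, which carries the minimum from the "Minimum PIN Length" table, are this example's own. On Windows 10 or 11 it must run from an elevated (administrator) shell, as the notes above require for any FIDO2 management tool. Listing the resident credentials before the reset complements the catalog check: it shows the discoverable credentials stored on the key, but non-discoverable U2F/FIDO2 registrations are not stored on the key and will not appear.

```shell
#!/bin/sh
# Added example, not Yubico's code or documentation: the reset and
# set-PIN procedures, driven through the ykman CLI instead of a GUI.
# Assumes ykman 4.x or later on PATH. On Windows 10/11 run it from an
# elevated (administrator) shell, as FIDO2 management tools require.

# Length policy from the "Minimum PIN Length" table: 4 to 63 characters,
# with a minimum of 6 on FIPS keys prior to 5.7 and on 5.7+ keys with
# PIN complexity. MIN_PIN_LEN is this script's own variable (assumption),
# defaulting to 4. The key enforces the policy too; checking locally just
# gives a clear error before the key is touched.
# $1 = candidate PIN, $2 = required minimum (default: MIN_PIN_LEN or 4).
fido2_pin_length_ok() {
    pin=$1
    min=${2:-${MIN_PIN_LEN:-4}}
    len=${#pin}      # character count for the alphanumeric PINs described above
    [ "$len" -ge "$min" ] && [ "$len" -le 63 ]
}

# Pre-reset check: show PIN/retry state (at most eight wrong attempts before
# the application locks), then list the discoverable (resident) credentials
# on the key so you know which accounts the reset will unregister.
# Non-discoverable U2F/FIDO2 registrations are not stored on the key, so the
# Works With YubiKey Catalog check is still needed for those.
# $1 = current PIN (credential listing requires it).
fido2_pre_reset_check() {
    ykman fido info
    ykman fido credentials list --pin "$1"
}

# Reset the FIDO2 application. ykman prompts you to remove, re-insert and
# touch the key; afterwards every U2F/FIDO2 registration on the key is
# invalid and no PIN is set, so set one before using the key again.
fido2_reset() {
    ykman fido reset --force
}

# Set the PIN on a freshly reset key ($2 empty) or change an existing one
# ($2 = current PIN). change-pin handles both cases in ykman 4.x+.
fido2_set_pin() {
    new=$1
    current=${2:-}
    if ! fido2_pin_length_ok "$new"; then
        echo "PIN must be ${MIN_PIN_LEN:-4}-63 characters" >&2
        return 1
    fi
    if [ -n "$current" ]; then
        ykman fido access change-pin --pin "$current" --new-pin "$new"
    else
        ykman fido access change-pin --new-pin "$new"
    fi
}

# Example session, run by hand with the key inserted:
#   fido2_pre_reset_check "$OLD_PIN"   # note the accounts, unregister the key
#   fido2_reset
#   MIN_PIN_LEN=6 fido2_set_pin "$NEW_PIN"
```

Passing ``--pin`` and ``--new-pin`` on the command line exposes the values to process listings and shell history; if those options are omitted, ykman prompts for the PIN interactively, which is the better choice on a shared machine.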
Setting or Changing the FIDO2 PIN Using Google Chrome on macOS or Linux
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Chrome for Windows does not support setting or changing the FIDO2 PIN because of Windows OS restrictions.

1. Open the Chrome Settings menu by clicking on the three vertical dots. Alternatively, navigate to chrome://settings/securityKeys and skip to step 5.

2. Select “Privacy & Security” from the settings navigation on the left hand side.

3. Scroll down and select “Security”.

4. Scroll down and select “Manage security keys”.

5. Click on “Create a PIN”, and follow the on-screen prompts to set or change the FIDO2 PIN.

Enrolling Fingerprints on the YubiKey Bio
-------------------------------------------

Videos demonstrating how to enroll fingerprints in the YubiKey Bio can be found at `Set up your YubiKey `_. Click the *enroll your fingerprint* link.

.. _yk5-fido2-u2f-label:

FIDO U2F
========

`FIDO U2F `_ is an open standard that provides strong, phishing-resistant two-factor authentication for web services using public key cryptography. U2F does not require any special drivers or configuration to use, just a compatible web browser. The U2F application on the YubiKey can be associated with an unlimited number of U2F sites.