.. fido2.rst

.. _fido2:

===============
Passkeys: FIDO2
===============

.. important:: Yubico Authenticator's FIDO2 functionality is only available for FIDO2-certified YubiKeys. This includes YubiKey 5 Series (standard, FIPS, and CSPN), YubiKey Bio Series, and Security Key Series. For a complete breakdown of Yubico Authenticator functionality by platform and connection type for each YubiKey model, see the `Yubico Authenticator Functionality table <_static/Yubico-Authenticator-Functionality.pdf>`_.

`Passkeys `_ are credentials that allow you to perform passwordless authentication to accounts or services using the FIDO2 standard. Passkeys are created by relying parties (the sites and services that use them for authentication).

Passkeys can be stored on FIDO2-certified YubiKeys, and Yubico Authenticator helps you manage them. For more information on which services support FIDO2 authentication and an overview of their unique security key registration processes, see the `Works with YubiKey catalog `_.

Non-passkey FIDO2 credentials can also be stored on YubiKeys, but they are not discoverable and so cannot be listed or managed on the **Passkeys** page.

The Passkeys feature of Yubico Authenticator allows you to:

- :ref:`View and delete passkeys stored on a YubiKey `.
- :ref:`Create or change a YubiKey's FIDO2 PIN `.
- :ref:`Enable Enterprise Attestation (EA) and check a YubiKey's EA status `.
.. _fido2-create-pin:

Creating and managing the FIDO2 PIN
===================================

Before you can register a YubiKey for passwordless FIDO2 authentication with an account or service (which means a passkey credential is created, linked to a specific account, and stored on the YubiKey), you must create a FIDO2 PIN.

If you have not created a PIN via Yubico Authenticator prior to your first registration attempt with an account/service, you will be prompted to do so during the registration process. Once the PIN is created, you will have to provide it during each subsequent registration with other accounts and services.

For YubiKey Bio Series Multi-protocol Edition keys, the FIDO2 application and the PIV application share a PIN. Therefore, performing the "Change PIN" action on the **Passkeys**, **Fingerprints**, or **Certificates** screen modifies the same PIN.

.. warning:: The YubiKey provides a total of eight (8) attempts to enter the correct current PIN during a PIN change attempt or registration attempt. After three (3) incorrect attempts in a row, that key must be removed and reinserted into your device. After 8 incorrect attempts, the FIDO2 application becomes blocked and must be :ref:`reset `. Entering the PIN correctly resets the PIN attempt counter back to 8.

For more information on the FIDO2 PIN, see Yubico's knowledge base article, `Understanding YubiKey PINs `_.
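The PIN retry rules in the warning above, modelled as an added example that is not Yubico's code and does not communicate with a YubiKey. The status names are assumptions chosen to echo CTAP2 error classes; the two interacting counters (eight total attempts, three consecutive per insertion) are as documented above.

```python
"""Model of the FIDO2 PIN retry rules described above (added example, not Yubico code).

Status names echo CTAP2 error classes; this is a simplified model, not device firmware.
"""
from dataclasses import dataclass

MAX_RETRIES = 8          # total wrong PINs before the FIDO2 application blocks
MAX_PER_POWER_CYCLE = 3  # consecutive wrong PINs before reinsertion is required


@dataclass
class Fido2PinState:
    """Simulated PIN state of one YubiKey's FIDO2 application."""
    pin: str                 # a real authenticator stores only a derived value
    retries: int = MAX_RETRIES
    failures_this_cycle: int = 0
    blocked: bool = False

    def power_cycle(self) -> None:
        """Removing and reinserting the key clears only the per-cycle lockout."""
        self.failures_this_cycle = 0

    def verify(self, candidate: str) -> str:
        """Attempt a PIN and return the resulting status."""
        if self.blocked:
            return "PIN_BLOCKED"        # only a FIDO2 factory reset recovers
        if self.failures_this_cycle >= MAX_PER_POWER_CYCLE:
            return "PIN_AUTH_BLOCKED"   # no further attempts until reinsertion
        if candidate == self.pin:
            self.retries = MAX_RETRIES  # a correct PIN refills the counter to 8
            self.failures_this_cycle = 0
            return "OK"
        self.retries -= 1
        self.failures_this_cycle += 1
        if self.retries == 0:
            self.blocked = True
            return "PIN_BLOCKED"
        return "PIN_INVALID"


def scenario() -> list:
    """Three wrong PINs, a refused fourth, reinsertion, then the correct PIN."""
    key = Fido2PinState(pin="123456")   # constructed sample PIN
    events = [key.verify("000000") for _ in range(4)]
    key.power_cycle()
    events.append(key.verify("123456"))
    events.append(key.retries)          # back to 8 after a correct PIN
    return events
```

Running `scenario()` shows why a key that refuses a fourth PIN entry is not yet blocked: reinsertion lifts the per-cycle lockout, and only the total counter reaching zero requires a reset.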
Creating a FIDO2 PIN on desktop and Android
-------------------------------------------

To create a FIDO2 PIN on desktop and Android devices, do the following:

#. Plug your YubiKey into your device, click the menu icon in the upper left corner of the app, and select **Passkeys**.

   To connect via NFC on desktop, click the NFC icon in Yubico Authenticator and place your YubiKey on top of a desktop NFC reader. The key must maintain constant contact with the reader throughout the operation.

   To connect via NFC on Android, tap your YubiKey on the back of your device to scan.

#. Click **Set PIN** under **Manage**.

   To find the **Manage** menu in a narrow app window, click the three dots in the upper right corner of the app.

   .. image:: /images/passkeys-set-pin-2.jpg
      :width: 700

#. In the **Set PIN** window, enter your new PIN.

   .. note:: PIN requirements depend on your YubiKey's model, firmware version, and :ref:`PIN complexity ` enforcement.

#. Enter the new PIN again to confirm and click **Save**. For NFC connections on Android, tap your key to complete the operation.

   .. image:: /images/fingerprints-new-pin.jpg
      :width: 500
.. _fido2-create-pin-ios:

Creating a FIDO2 PIN on iOS/iPadOS
----------------------------------

To create a FIDO2 PIN on iOS/iPadOS devices, do the following:

#. Plug your YubiKey into your device.

   To connect via NFC on iOS, swipe down on the screen and tap your YubiKey on the back of your device to scan.

   .. note:: Lightning is currently the only supported *physical* connection type for iOS and iPadOS devices. NFC wireless connections are supported on iOS but not on iPadOS. For a complete breakdown of Yubico Authenticator functionality by platform and connection type for each YubiKey model, see the `Yubico Authenticator Functionality table <_static/Yubico-Authenticator-Functionality.pdf>`_.

#. Click the three dots in the upper right corner of the app and select **Configuration**. Select **Manage PIN** under the **FIDO** section.

   .. image:: /images/passkeys-set-pin-ios.jpg
      :width: 400

#. In the **FIDO PIN** window, click **Set PIN**. Enter your new PIN.

   .. note:: PIN requirements depend on your YubiKey's model, firmware version, and :ref:`PIN complexity ` enforcement.

#. Enter the new PIN again to confirm and click **Set**. For NFC connections on iOS, scan your key when prompted to complete the operation.

   .. image:: /images/new-fido-pin-ios.jpg
      :width: 400
.. _fido2-change-pin:

Changing the FIDO2 PIN on desktop and Android
---------------------------------------------

To change the FIDO2 PIN on desktop and Android devices, do the following:

#. Plug your YubiKey into your device, click the menu icon in the upper left corner of the app, and select **Passkeys**.

   To connect via NFC on desktop, click the NFC icon in Yubico Authenticator and place your YubiKey on top of a desktop NFC reader. The key must maintain constant contact with the reader throughout the operation.

   To connect via NFC on Android, tap your YubiKey on the back of your device to scan.

#. Enter your FIDO2 PIN and click **Unlock**. For NFC connections on Android, tap your key to complete the operation.

#. Click **Change PIN** under **Manage**.

   To find the **Manage** menu in a narrow app window, click the three dots in the upper right corner of the app.

#. In the **Change PIN** window, enter your current PIN.

   If you have forgotten your current PIN, the only way to change it is to :ref:`reset ` the FIDO2 application of your YubiKey to factory default settings (which will remove the PIN). Note that this will delete **ALL** :ref:`fingerprints ` and passkeys stored on the YubiKey, and you will no longer be able to access those accounts with that key (we recommend registering at least one :ref:`backup YubiKey ` with each account/service to maintain access). Once reset, you can always re-register your key with those same accounts and services.

#. Enter your new PIN.

   .. note:: PIN requirements depend on your YubiKey's model, firmware version, and :ref:`PIN complexity ` enforcement.

#. Enter the new PIN again to confirm and click **Save**. For NFC connections on Android, tap your key to complete the operation.

   .. image:: /images/fingerprints-change-pin.jpg
      :width: 500
.. _fido2-change-pin-ios:

Changing the FIDO2 PIN on iOS/iPadOS
------------------------------------

To change a FIDO2 PIN on iOS/iPadOS devices, do the following:

#. Plug your YubiKey into your device.

   To connect via NFC on iOS, swipe down on the screen and tap your YubiKey on the back of your device to scan.

   .. note:: Lightning is currently the only supported *physical* connection type for iOS and iPadOS devices. NFC wireless connections are supported on iOS but not on iPadOS. For a complete breakdown of Yubico Authenticator functionality by platform and connection type for each YubiKey model, see the `Yubico Authenticator Functionality table <_static/Yubico-Authenticator-Functionality.pdf>`_.

#. Click the three dots in the upper right corner of the app and select **Configuration**. Select **Manage PIN** under the **FIDO** section.

#. In the **FIDO PIN** window, click **Change PIN**. Enter your current PIN followed by your new PIN.

   .. note:: PIN requirements depend on your YubiKey's model, firmware version, and :ref:`PIN complexity ` enforcement.

#. Enter the new PIN again to confirm and click **Set**. For NFC connections on iOS, scan your key when prompted to complete the operation.
.. _fido2-view-delete:

Viewing and deleting passkeys
=============================

.. note:: Passkeys can be managed on Yubico Authenticator for Desktop and Android only.

With Yubico Authenticator, you can view all passkeys stored on a YubiKey and delete them. The app cannot create or modify passkeys; they are created by the relying party during registration.

.. warning:: Once a passkey is deleted, you cannot use the YubiKey to log into an account or service for which the passkey was registered. To re-register a YubiKey, you must be able to log into that account/service with an alternate credential (we recommend registering at least one :ref:`backup YubiKey ` with each account/service for this reason).

To view and/or delete a passkey stored on your YubiKey, do the following:

#. Plug your YubiKey into your device, click the menu icon in the upper left corner of the app, and select **Passkeys**.

   To connect via NFC on desktop, click the NFC icon in Yubico Authenticator and place your YubiKey on top of a desktop NFC reader. The key must maintain constant contact with the reader throughout the operation.

   To connect via NFC on Android, tap and hold your YubiKey on the back of your device to scan. Reading passkeys from a YubiKey is slow, and depending on how many are stored on your key, it can take several seconds for the NFC sensor to read the passkey information. You must maintain constant contact with the NFC sensor until all passkeys are read.

#. Enter your FIDO2 PIN and click **Unlock**. For NFC connections on Android, tap your key to complete the operation. All passkeys stored on your YubiKey will be listed under **Passkeys**.

   To view properties including RP ID, Display Name, User Name, User ID, and Credential ID for a specific passkey, click on it to open the **Details** section. To copy any of these properties to the clipboard, double-click on it.

   .. note:: Does your YubiKey have so many passkeys that you must scroll down the screen to find the one you're looking for? If you have a desktop or Android tablet device, you can take advantage of their wider screens by changing the :ref:`screen layout `.

#. To delete a passkey, click on it to open its **Details** tab.

   .. image:: /images/select-passkey-2.jpg
      :width: 700

#. Click **Delete passkey** under **Actions**. To confirm the operation, click **Delete**. For NFC connections on Android, tap your key.

   .. image:: /images/delete-passkey-2.jpg
      :width: 300
.. _fido2-EA:

Enterprise Attestation
======================

.. note:: Enterprise Attestation can be managed on Yubico Authenticator for Desktop and Android only.

Enterprise Attestation (EA) is a feature available for custom-configured YubiKeys with firmware version 5.7 or later. EA enables Identity Providers (IdPs) to read the serial number (or another unique identifier specific to the organization) during FIDO2 registration. For more information on Enterprise Attestation, see the `YubiKey Technical Manual `_.

The **Passkeys** screen in Yubico Authenticator allows you to check your key's EA status and enable the feature (if available for your key).

Check status and enable Enterprise Attestation
----------------------------------------------

To check your key's EA status and enable the feature, do the following:

#. Plug your YubiKey into your device, click the menu icon in the upper left corner of the app, and select **Passkeys**.

   To connect via NFC on desktop, click the NFC icon in Yubico Authenticator and place your YubiKey on top of a desktop NFC reader. The key must maintain constant contact with the reader throughout the operation.

   To connect via NFC on Android, tap and hold your YubiKey on the back of your device to scan. Reading passkeys from a YubiKey is slow, and depending on how many are stored on your key, it can take several seconds for the NFC sensor to read the passkey information. You must maintain constant contact with the NFC sensor until all passkeys are read.

#. Enter your FIDO2 PIN if prompted and click **Unlock**. For NFC connections on Android, tap your key to complete the operation.

#. To check your key's EA status, find **Enterprise Attestation** under **Manage**.

   To find the **Manage** menu in a narrow app window, click the three dots in the upper right corner of the app.

#. To enable EA, click on **Enterprise Attestation**. In the **Enable Enterprise Attestation** window, select **Enable** to confirm the operation.

   .. image:: /images/enterprise-attestation.jpg
      :width: 700
Disable Enterprise Attestation
------------------------------

Once Enterprise Attestation is enabled, it can only be disabled by performing a FIDO2 application factory :ref:`reset `. Note that a reset will also remove all fingerprints, passkeys, and non-passkey FIDO2 credentials from your YubiKey.

.. _fido-2-icons:

Custom icons
============

.. include:: includes/includes-custom-icons.rst