.. fingerprints.rst

.. _fingerprints:

===================
Fingerprints: FIDO2
===================

.. important:: The **Fingerprints** feature is only available for Yubico Authenticator for Desktop and Android and the YubiKey Bio Series. For a complete breakdown of Yubico Authenticator functionality by platform and connection type for each YubiKey model, see the `Yubico Authenticator Functionality table <_static/Yubico-Authenticator-Functionality.pdf>`_.

YubiKey Bio Series keys have a biometric sensor that allows you to use a fingerprint to authenticate to registered accounts/services via the :ref:`FIDO2 ` or FIDO U2F protocols. At least one :ref:`fingerprint ` must be enrolled with a key to enable biometric functionality. Before you can enroll a fingerprint, you must first set the key's :ref:`FIDO2 PIN `.

.. note:: See the `YubiKey Bio Series documentation `_ for more information on the key itself. For a list of products, services, and applications that are compatible with the YubiKey Bio and an overview of their unique security key registration processes, see the `Works with YubiKey catalog `_.

The Fingerprints feature of Yubico Authenticator allows you to:

- :ref:`Enroll up to five (5) fingerprints on a YubiKey Bio Series key `.
- :ref:`Rename or delete saved fingerprints `.
- :ref:`Create or change the key's FIDO2 PIN `.

.. _fingerprints-fido2-pin:

Creating and managing the FIDO2 PIN
===================================

Before you can :ref:`register and manage fingerprints ` or add :ref:`FIDO2 passkeys ` to a YubiKey Bio Series key, you must create a FIDO2 PIN. This PIN is also used by the YubiKey as a fallback; if the key doesn't recognize your fingerprint during a FIDO2 authentication attempt, the PIN can be used to bypass the fingerprint verification and complete authentication.

For YubiKey Bio Series Multi-protocol Edition keys, the FIDO2 application and the PIV application share a PIN.
Therefore, performing the "Change PIN" action on the **Passkeys**, **Fingerprints**, or **Certificates** screen modifies the same credential.

.. warning:: The YubiKey provides a total of eight (8) attempts to enter the correct current PIN during a PIN change attempt, registration attempt, or authentication attempt. After three (3) incorrect attempts in a row, that key must be removed and reinserted into your device. After 8 incorrect attempts, the FIDO2 application becomes blocked and must be :ref:`reset `. Entering the PIN correctly resets the PIN attempt counter back to 8.

The same FIDO2 PIN is used for :ref:`passkeys `; if you have already created a FIDO2 PIN via the **Passkeys** feature, you do not need to create a new one for **Fingerprints**.

.. _fingerprints-create-pin:

Creating a FIDO2 PIN
--------------------

To create a FIDO2 PIN, do the following:

#. Plug your YubiKey Bio into your device, click the menu icon in the upper left corner of the app, and select **Fingerprints**.

#. Click **Set PIN** under **Manage**. In a narrow app window, click the three dots in the upper right corner of the app to find the **Manage** menu.

   .. image:: /images/fingerprints-set-pin-2.jpg
      :width: 700

#. In the **Set PIN** window, enter your new PIN.

   .. note:: PIN requirements depend on your YubiKey's model, firmware version, and :ref:`PIN complexity ` enforcement.

#. Enter the new PIN again to confirm and click **Save**.

   .. image:: /images/fingerprints-new-pin.jpg
      :width: 500

Changing the FIDO2 PIN
----------------------

To change the FIDO2 PIN, do the following:

#. Plug your YubiKey Bio into your device, click the menu icon in the upper left corner of the app, and select **Fingerprints**.

#. Click **Change PIN** under **Manage**. In a narrow app window, click the three dots in the upper right corner of the app to find the **Manage** menu.

#. In the **Change PIN** window, enter your current PIN.
   If you have forgotten your current PIN, the only way to change it is to :ref:`reset ` the FIDO2 application of your YubiKey to factory default settings (which will remove the PIN). Note that this will delete **ALL** fingerprints and :ref:`passkeys ` stored on the YubiKey, and you will no longer be able to access those accounts with that key (we recommend registering at least one :ref:`backup YubiKey ` with each account/service to maintain access). Once reset, you can always re-register your key with those same accounts and services.

#. Enter your new PIN.

   .. note:: PIN requirements depend on your YubiKey's model, firmware version, and :ref:`PIN complexity ` enforcement.

#. Enter the new PIN again to confirm and click **Save**.

   .. image:: /images/fingerprints-change-pin.jpg
      :width: 500

.. _fingerprints-create-print:

Registering and managing fingerprints
=====================================

You can enroll up to five (5) fingerprints on a YubiKey Bio Series key. Once your key is registered for passwordless FIDO2 or FIDO U2F authentication with an account/service, you can perform authentication by touching the key with any of the fingers that match an enrolled fingerprint.

.. note:: If the key doesn't recognize your fingerprint during a FIDO2 authentication attempt, the FIDO2 PIN can be used to complete the authentication.

Enroll a fingerprint
--------------------

To enroll a fingerprint, do the following:

#. Plug your YubiKey Bio into your device, click the menu icon in the upper left corner of the app, and select **Fingerprints**.

#. Enter your FIDO2 PIN and click **Unlock**. If you don't have a PIN yet, :ref:`create one `.

   .. image:: /images/fingerprints-unlock-2.jpg
      :width: 700

#. Click **Add fingerprint** under **Setup**. In a narrow app window, click the three dots in the upper right corner of the app to find the **Setup** menu.

#. In the **Add fingerprint** window, press a finger against the biometric sensor of your key.
   When the window prompts you to "keep touching your key", remove your finger and place it back on the sensor. Repeat this until the progress bar reaches 100% completion. Make sure to touch both the sensor and bezel and adjust your finger pressure so that as much of your print is in contact with the sensor as possible; this will improve the quality of the reading. For additional tips on enrolling fingerprints, see the `YubiKey Bio documentation `_.

   .. image:: /images/add-fingerprint.jpg
      :width: 500

#. Once the fingerprint is captured successfully, enter a **Name** for the fingerprint and click **Save**. You will now see your new fingerprint listed under **Fingerprints**. If you click cancel, the fingerprint will still be saved, but it will be given a name of the form **Unnamed (ID: XXXX)**. If you made a mistake, you can always :ref:`rename or delete ` the fingerprint.

   .. image:: /images/save-fingerprint.jpg
      :width: 500

.. _fingerprints-rename-delete:

Rename or delete a fingerprint
------------------------------

To rename or delete an existing fingerprint, do the following:

#. Plug your YubiKey Bio into your device, click the menu icon in the upper left corner of the app, and select **Fingerprints**.

#. Enter your FIDO2 PIN and click **Unlock**.

#. Click on the fingerprint you would like to manage.

   .. image:: /images/select-fingerprint-2.jpg
      :width: 700

#. To rename the fingerprint, click **Rename fingerprint** under **Details**. Enter a new **Name** and click **Save**.

#. To delete a fingerprint, click **Delete fingerprint** under **Details**. To confirm the operation, click **Delete**.

   .. image:: /images/rename-delete-fingerprint.jpg
      :width: 300
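
The PIN attempt rules from the warning under "Creating and managing the FIDO2 PIN", modeled as an added example (this is not Yubico's code, and the class and function names are hypothetical). It assumes that removing and reinserting the key clears only the in-a-row count and leaves the total attempt counter unchanged.

```python
"""Model of the FIDO2 PIN attempt rules from the warning (added example)."""

MAX_RETRIES = 8       # total attempts before the FIDO2 application blocks
MAX_CONSECUTIVE = 3   # wrong attempts in a row before a reinsert is required


class PinRetryModel:
    """Tracks the state a user or help desk would observe on the key."""

    def __init__(self, pin):
        self._pin = pin
        self.retries = MAX_RETRIES
        self.consecutive_wrong = 0

    @property
    def state(self):
        if self.retries == 0:
            return "blocked"            # only a FIDO2 reset recovers the key
        if self.consecutive_wrong >= MAX_CONSECUTIVE:
            return "reinsert-required"  # remove and reinsert the key
        return "ready"

    def reinsert(self):
        """Assumption: a reinsert clears the in-a-row count, not the total."""
        self.consecutive_wrong = 0

    def try_pin(self, candidate):
        """Apply one PIN entry and return the resulting state.

        Entries made while the key is not 'ready' are ignored.
        """
        if self.state != "ready":
            return self.state
        if candidate == self._pin:
            self.retries = MAX_RETRIES  # a correct PIN restores all 8 attempts
            self.consecutive_wrong = 0
        else:
            self.retries -= 1
            self.consecutive_wrong += 1
        return self.state


def reinserts_until_blocked():
    """Count the reinserts needed before repeated wrong PINs block the key."""
    key = PinRetryModel(pin="constructed-pin")  # constructed sample value
    reinserts = 0
    while key.state != "blocked":
        if key.try_pin("wrong-guess") == "reinsert-required":
            key.reinsert()
            reinserts += 1
    return reinserts
```

Under these rules the eight wrong attempts fall into runs of 3, 3 and 2, so the key has to be reinserted twice before the FIDO2 application blocks.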