Passkeys: FIDO2

Important

The Passkeys feature is only available for Yubico Authenticator for Desktop and Android and FIDO2-certified YubiKeys. This includes YubiKey 5 Series (standard, FIPS, and CSPN), YubiKey Bio Series, and Security Key Series. For a complete breakdown of Yubico Authenticator functionality by platform and connection type for each YubiKey model, see the Yubico Authenticator Functionality table.

Passkeys are credentials that allow you to perform passwordless authentication to accounts or services using the FIDO2 standard. Passkeys are created by relying parties (the sites and services that use them for authentication).

Passkeys can be stored on FIDO2-certified YubiKeys, and Yubico Authenticator helps you manage them. For more information on which services support FIDO2 authentication and an overview of their unique security key registration processes, see the Works with YubiKey catalog.

Non-passkey FIDO2 credentials can also be stored on YubiKeys, but they are not discoverable and cannot be listed and managed on the Passkeys page.

Note

YubiKey Bio Series keys require at least one fingerprint to be enrolled with the key before passkeys can be stored on the device. Fingerprints can be enrolled and managed via Yubico Authenticator.

The Passkeys feature of Yubico Authenticator allows you to:

Creating and managing the FIDO2 PIN

Before you can register a YubiKey for passwordless FIDO2 authentication with an account or service (which means a passkey credential is created, linked to a specific account, and stored on the YubiKey), you must create a FIDO2 PIN.

If you have not created a PIN via Yubico Authenticator prior to your first registration attempt with an account/service, you will be prompted to do so during the registration process. Once the PIN is created, you will have to provide it during each subsequent registration with other accounts and services.

For YubiKey Bio Series Multi-protocol Edition keys, the FIDO2 application and the PIV application share a PIN. Therefore, performing the “Change PIN” action on the Passkeys, Fingerprints, or Certificates screen modifies the same PIN.

Warning

The YubiKey provides a total of eight (8) attempts to enter the correct current PIN during a PIN change attempt or registration attempt. After three (3) incorrect attempts in a row, that key must be removed and reinserted into your device. After 8 incorrect attempts, the FIDO2 application becomes blocked and must be reset. Entering the PIN correctly resets the PIN attempt counter back to 8.

For more information on the FIDO2 PIN, see Yubico’s knowledge base article, Understanding YubiKey PINs.
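The retry rules in the warning above have two counters that are easy to confuse: a total retry count that only a correct PIN restores, and a consecutive-failure count that a power cycle (remove and reinsert) clears. The following added example, which is not part of Yubico Authenticator or any Yubico library, models exactly the behaviour described above so the consequences can be checked without touching a key; the class and constant names are assumptions chosen here, and the stored passkey and fingerprint entries are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import List, Optional

MAX_ATTEMPTS = 8     # total wrong PIN entries before the FIDO2 application blocks
REINSERT_AFTER = 3   # consecutive wrong entries before the key must be removed and reinserted


@dataclass
class Fido2PinState:
    """Model of the FIDO2 PIN retry behaviour described above (constructed, not Yubico code)."""

    pin: Optional[str] = None          # None until Set PIN has been performed
    retries_left: int = MAX_ATTEMPTS   # restored to MAX_ATTEMPTS only by a correct PIN
    consecutive_failures: int = 0      # cleared only by removing and reinserting the key
    needs_reinsert: bool = False
    blocked: bool = False
    passkeys: List[str] = field(default_factory=list)      # constructed sample data
    fingerprints: List[str] = field(default_factory=list)  # constructed sample data

    def set_pin(self, new_pin: str) -> None:
        """Initial PIN creation; a key that already has a PIN must use change_pin."""
        if self.pin is not None:
            raise ValueError("PIN already set; use change_pin")
        self.pin = new_pin

    def verify_pin(self, attempt: str) -> bool:
        """One PIN entry, as made during registration or a PIN change. Returns True on success."""
        if self.blocked:
            raise PermissionError("FIDO2 application is blocked; factory reset required")
        if self.needs_reinsert:
            raise RuntimeError("remove and reinsert the key before retrying")
        if self.pin is None:
            raise ValueError("no PIN set")
        if attempt == self.pin:
            # A correct entry resets the total retry counter back to 8.
            self.retries_left = MAX_ATTEMPTS
            self.consecutive_failures = 0
            return True
        self.retries_left -= 1
        self.consecutive_failures += 1
        if self.retries_left == 0:
            self.blocked = True            # 8 wrong entries in total: blocked until reset
        elif self.consecutive_failures >= REINSERT_AFTER:
            self.needs_reinsert = True     # 3 wrong entries in a row: power cycle required
        return False

    def reinsert(self) -> None:
        """Remove and reinsert the key. Clears the consecutive count, NOT the total count."""
        self.needs_reinsert = False
        self.consecutive_failures = 0

    def change_pin(self, current: str, new: str) -> bool:
        """Change PIN: the current-PIN entry counts against the same retry counters."""
        if not self.verify_pin(current):
            return False
        self.pin = new
        return True

    def factory_reset(self) -> None:
        """Reset the FIDO2 application: removes the PIN, all passkeys and all fingerprints."""
        self.pin = None
        self.retries_left = MAX_ATTEMPTS
        self.consecutive_failures = 0
        self.needs_reinsert = False
        self.blocked = False
        self.passkeys.clear()
        self.fingerprints.clear()


if __name__ == "__main__":
    key = Fido2PinState(passkeys=["login.example.test"], fingerprints=["right index"])
    key.set_pin("123456")
    for _ in range(3):
        key.verify_pin("000000")
    print("after 3 wrong in a row: needs_reinsert =", key.needs_reinsert,
          "retries_left =", key.retries_left)
    key.reinsert()
    print("after reinsert: retries_left =", key.retries_left, "(not restored)")
    print("correct PIN accepted:", key.verify_pin("123456"), "retries_left =", key.retries_left)
```

Running the model shows the point the warning is making: reinserting the key lets you continue, but it does not give back any of the eight total attempts, and once the application is blocked the only way out (`factory_reset`) also removes every passkey and fingerprint on the key.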

Creating a FIDO2 PIN

To create a FIDO2 PIN, do the following:

  1. Plug your YubiKey into your device, click the menu icon in the upper left corner of the app, and select Passkeys.

    To connect via NFC on desktop, click the NFC icon in Yubico Authenticator and place your YubiKey on top of a desktop NFC reader. The key must maintain constant contact with the reader throughout the operation.

    To connect via NFC on Android, tap your YubiKey on the back of your device to scan.

  2. Click Set PIN under Manage.

    To find the Manage menu in a narrow app window, click the three dots in the upper right corner of the app.

  3. In the Set PIN window, enter your new PIN.

    Note

    PIN requirements depend on your YubiKey’s model, firmware version, and PIN complexity enforcement.

  4. Enter the new PIN again to confirm and click Save. For NFC connections on Android, tap your key to complete the operation.


Changing the FIDO2 PIN

To change the FIDO2 PIN, do the following:

  1. Plug your YubiKey into your device, click the menu icon in the upper left corner of the app, and select Passkeys.

    To connect via NFC on desktop, click the NFC icon in Yubico Authenticator and place your YubiKey on top of a desktop NFC reader. The key must maintain constant contact with the reader throughout the operation.

    To connect via NFC on Android, tap your YubiKey on the back of your device to scan.

  2. Enter your FIDO2 PIN and click Unlock. For NFC connections on Android, tap your key to complete the operation.

  3. Click Change PIN under Manage.

    To find the Manage menu in a narrow app window, click the three dots in the upper right corner of the app.

  4. In the Change PIN window, enter your current PIN.

    If you have forgotten your current PIN, the only way to change it is to reset the FIDO2 application of your YubiKey to factory default settings (which will remove the PIN). Note that this will delete ALL fingerprints and passkeys stored on the YubiKey, and you will no longer be able to access those accounts with that key (we recommend registering at least one backup YubiKey with each account/service to maintain access). Once reset, you can always re-register your key with those same accounts and services.

  5. Enter your new PIN.

    Note

    PIN requirements depend on your YubiKey’s model, firmware version, and PIN complexity enforcement.

  6. Enter the new PIN again to confirm and click Save. For NFC connections on Android, tap your key to complete the operation.


Viewing and deleting passkeys

With Yubico Authenticator, you can view all passkeys stored on a YubiKey and delete them. You cannot create or modify passkeys with the app, because passkeys are created by the relying parties that register them.

Warning

Once a passkey is deleted, you cannot use the YubiKey to log into an account or service for which the passkey was registered. To re-register a YubiKey, you must be able to log into that account/service with an alternate credential (we recommend registering at least one backup YubiKey with each account/service for this reason).

To view and/or delete a passkey stored on your YubiKey, do the following:

  1. Plug your YubiKey into your device, click the menu icon in the upper left corner of the app, and select Passkeys.

    To connect via NFC on desktop, click the NFC icon in Yubico Authenticator and place your YubiKey on top of a desktop NFC reader. The key must maintain constant contact with the reader throughout the operation.

    To connect via NFC on Android, tap and hold your YubiKey on the back of your device to scan. Reading passkeys on a YubiKey is quite slow, and depending on how many are stored on your key, it could take up to several seconds for the NFC sensor to read the passkey information. You must maintain constant contact with the NFC sensor until all passkeys are read.

  2. Enter your FIDO2 PIN and click Unlock. For NFC connections on Android, tap your key to complete the operation. All passkeys stored on your YubiKey will be listed under Passkeys.

    To view properties including RP ID, Display Name, User Name, User ID, and Credential ID for a specific passkey, click on it to open the Details section. To copy any of these properties to the clipboard, double-click on it.

    Note

    Does your YubiKey have so many passkeys that you must scroll down the screen to find the one you’re looking for? If you have a desktop or Android tablet device, you can take advantage of their wider screens by changing the screen layout.

  3. To delete a passkey, click on it to open its Details tab.

  4. Click Delete passkey under Actions. To confirm the operation, click Delete. For NFC connections on Android, tap your key.


Enterprise Attestation

Enterprise Attestation (EA) is a feature available for custom-configured YubiKeys with firmware version 5.7 or later. EA enables Identity Providers (IdPs) to read the serial number (or other unique identifier specific to the organization) during FIDO2 registration.

Note

For more information on Enterprise Attestation, see the YubiKey Technical Manual.

The Passkeys screen in Yubico Authenticator allows you to easily check your key’s EA status and enable the feature (if available for your key).

Check status and enable Enterprise Attestation

To check your key’s EA status and enable the feature, do the following:

  1. Plug your YubiKey into your device, click the menu icon in the upper left corner of the app, and select Passkeys.

    To connect via NFC on desktop, click the NFC icon in Yubico Authenticator and place your YubiKey on top of a desktop NFC reader. The key must maintain constant contact with the reader throughout the operation.

    To connect via NFC on Android, tap and hold your YubiKey on the back of your device to scan. Reading passkeys on a YubiKey is quite slow, and depending on how many are stored on your key, it could take up to several seconds for the NFC sensor to read the passkey information. You must maintain constant contact with the NFC sensor until all passkeys are read.

  2. Enter your FIDO2 PIN if prompted and click Unlock. For NFC connections on Android, tap your key to complete the operation.

  3. To check your key’s EA status, find Enterprise Attestation under Manage.

    To find the Manage menu in a narrow app window, click the three dots in the upper right corner of the app.

  4. To enable EA, click on Enterprise Attestation. In the Enable Enterprise Attestation window, select Enable to confirm the operation.


Disable Enterprise Attestation

Once Enterprise Attestation is enabled, it can only be disabled by performing a FIDO2 application factory reset. Note that a reset will also remove all fingerprints, passkeys, and non-passkey FIDO2 credentials from your YubiKey.