Passkeys: FIDO2

Important

The Passkeys feature is available only in Yubico Authenticator for Desktop and Android, and only with FIDO2-certified YubiKeys. This includes YubiKey 5 Series (standard, FIPS, and CSPN), YubiKey Bio Series, and Security Key Series.

Passkeys are credentials that allow you to perform passwordless authentication to accounts or services using the FIDO2 standard. Passkeys are created by relying parties (the sites and services that use them for authentication).

Passkeys can be stored on FIDO2-certified YubiKeys, and Yubico Authenticator helps you manage them. For more information on which services support FIDO2 authentication and an overview of their unique security key registration processes, see the Works with YubiKey catalog.

Non-passkey FIDO2 credentials can also be stored on YubiKeys, but they are not discoverable and cannot be listed and managed on the Passkeys page.

Note

YubiKey Bio Series keys require at least one fingerprint to be enrolled with the key before passkeys can be stored on the device. Fingerprints can be enrolled and managed via Yubico Authenticator.

The Passkeys feature of Yubico Authenticator allows you to:

Creating and managing the FIDO2 PIN

Before you can register a YubiKey for passwordless FIDO2 authentication with an account or service (which means a passkey credential is created, linked to a specific account, and stored on the YubiKey), you must create a FIDO2 PIN.

If you have not created a PIN via Yubico Authenticator prior to your first registration attempt with an account/service, you will be prompted to do so during the registration process. Once the PIN is created, you will have to provide it during each subsequent registration with other accounts and services.

Warning

The YubiKey provides a total of eight (8) attempts to enter the correct current PIN during a PIN change attempt or registration attempt. After three (3) incorrect attempts in a row, that key must be removed and reinserted into your device. After 8 incorrect attempts, the FIDO2 application becomes blocked and must be reset. Entering the PIN correctly resets the PIN attempt counter back to 8.

For more information on the FIDO2 PIN, see Yubico’s knowledge base article, Understanding YubiKey PINs.
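
The attempt rules in the warning above, modelled as a small state machine. This is an added example, not Yubico's code; `PinCounter`, `verify`, `reinsert` and `insertions_to_block` are hypothetical names, and it assumes an attempt made while a reinsert is pending is refused without being counted.

```python
# Added illustration of the PIN attempt rules in the warning above.
# Not YubiKey firmware or Yubico Authenticator code; all names are hypothetical.

MAX_ATTEMPTS = 8       # total attempts before the FIDO2 application is blocked
MAX_IN_A_ROW = 3       # wrong attempts in a row before the key must be reinserted


class PinCounter:
    def __init__(self, pin):
        self._pin = pin
        self.remaining = MAX_ATTEMPTS
        self.wrong_in_a_row = 0

    def reinsert(self):
        """Removing and reinserting the key clears the streak, not the counter."""
        self.wrong_in_a_row = 0

    def verify(self, candidate):
        if self.remaining == 0:
            return "blocked"              # only a FIDO2 reset recovers from here
        if self.wrong_in_a_row >= MAX_IN_A_ROW:
            return "reinsert-required"    # assumption: refused without being counted
        if candidate == self._pin:
            self.remaining = MAX_ATTEMPTS  # a correct PIN restores all 8 attempts
            self.wrong_in_a_row = 0
            return "ok"
        self.remaining -= 1
        self.wrong_in_a_row += 1
        if self.remaining == 0:
            return "blocked"
        if self.wrong_in_a_row >= MAX_IN_A_ROW:
            return "reinsert-required"
        return "wrong-pin"


def insertions_to_block(pin="constructed-pin", guess="constructed-wrong-guess"):
    """Count how many times the key must be inserted before wrong guesses block it."""
    key = PinCounter(pin)
    insertions = 1
    while True:
        status = key.verify(guess)
        if status == "blocked":
            return insertions
        if status == "reinsert-required":
            key.reinsert()
            insertions += 1


if __name__ == "__main__":
    print("insertions needed to block:", insertions_to_block())
```

Under these rules, wrong guesses cannot block the key within a single insertion: the eight attempts are spread over three insertions (3 + 3 + 2).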

Creating a FIDO2 PIN

To create a FIDO2 PIN, do the following:

  1. Plug your YubiKey into your device, click the menu icon in the upper left corner of the app, and select Passkeys.

    To connect via NFC on desktop, click the NFC icon in Yubico Authenticator and place your YubiKey on top of a desktop NFC reader. The key must maintain constant contact with the reader throughout the operation.

    To connect via NFC on Android, tap your YubiKey on the back of your device to scan.

  2. Click Set PIN under Manage.

    To find the Manage menu in a narrow app window, click the three dots in the upper right corner of the app.

  3. In the Set PIN window, enter your new PIN.

  4. Enter the new PIN again to confirm and click Save. For NFC connections on Android, tap your key to complete the operation.


Changing the FIDO2 PIN

To change the FIDO2 PIN, do the following:

  1. Plug your YubiKey into your device, click the menu icon in the upper left corner of the app, and select Passkeys.

    To connect via NFC on desktop, click the NFC icon in Yubico Authenticator and place your YubiKey on top of a desktop NFC reader. The key must maintain constant contact with the reader throughout the operation.

    To connect via NFC on Android, tap your YubiKey on the back of your device to scan.

  2. Enter your FIDO2 PIN and click Unlock. For NFC connections on Android, tap your key to complete the operation.

  3. Click Change PIN under Manage.

    To find the Manage menu in a narrow app window, click the three dots in the upper right corner of the app.

  4. In the Change PIN window, enter your current PIN.

    If you have forgotten your current PIN, the only way to change it is to reset the FIDO2 application of your YubiKey to factory default settings (which will remove the PIN). Note that this will delete ALL fingerprints and passkeys stored on the YubiKey, and you will no longer be able to access those accounts with that key (we recommend registering at least one backup YubiKey with each account/service to maintain access). Once reset, you can always re-register your key with those same accounts and services.

  5. Enter your new PIN.

  6. Enter the new PIN again to confirm and click Save. For NFC connections on Android, tap your key to complete the operation.


Viewing and deleting passkeys

With Yubico Authenticator, you can view all passkeys stored on a YubiKey. The only change the app can make to a passkey is to delete it; you cannot create or modify passkeys with Yubico Authenticator.

Warning

Once a passkey is deleted, you cannot use the YubiKey to log into an account or service for which the passkey was registered. To re-register a YubiKey, you must be able to log into that account/service with an alternate credential (we recommend registering at least one backup YubiKey with each account/service for this reason).

To view and/or delete a passkey stored on your YubiKey, do the following:

  1. Plug your YubiKey into your device, click the menu icon in the upper left corner of the app, and select Passkeys.

    To connect via NFC on desktop, click the NFC icon in Yubico Authenticator and place your YubiKey on top of a desktop NFC reader. The key must maintain constant contact with the reader throughout the operation.

    To connect via NFC on Android, tap and hold your YubiKey on the back of your device to scan. Reading passkeys on a YubiKey is quite slow, and depending on how many are stored on your key, it could take up to several seconds for the NFC sensor to read the passkey information. You must maintain constant contact with the NFC sensor until all passkeys are read.

  2. Enter your FIDO2 PIN and click Unlock. For NFC connections on Android, tap your key to complete the operation. All passkeys stored on your YubiKey will be listed under Passkeys.

    To view properties including RP ID, Display Name, User Name, User ID, and Credential ID for a specific passkey, click on it to open the Details section. To copy any of these properties to the clipboard, double-click on it.

  3. To delete a passkey, click on it to open its Details tab.

  4. Click Delete passkey under Actions. To confirm the operation, click Delete. For NFC connections on Android, tap your key.
