Fingerprints: FIDO2

Important

The Fingerprints feature is only available for Yubico Authenticator for Desktop and Android and the YubiKey Bio Series. For a complete breakdown of Yubico Authenticator functionality by platform and connection type for each YubiKey model, see the Yubico Authenticator Functionality table.

YubiKey Bio Series keys have a biometric sensor that allows you to use a fingerprint to authenticate to registered accounts/services via the FIDO2 or FIDO U2F protocols. At least one fingerprint must be enrolled with the key before passkeys can be stored on the device.

Note

See the YubiKey Bio Series documentation for more information on the key itself. For a list of products, services, and applications that are compatible with the YubiKey Bio and an overview of their unique security key registration processes, see the Works with YubiKey catalog.

The Fingerprints feature of Yubico Authenticator allows you to:

Creating and managing the FIDO2 PIN

Before you can register and manage fingerprints with a YubiKey Bio Series key, you must create a FIDO2 PIN. This PIN is also used by the YubiKey as a fallback; if the key doesn’t recognize your fingerprint during a FIDO2 authentication attempt, the PIN can be used to bypass the fingerprint verification and complete authentication.

For YubiKey Bio Series Multi-protocol Edition keys, the FIDO2 application and the PIV application share a PIN. Therefore, performing the “Change PIN” action on the Passkeys, Fingerprints, or Certificates screen modifies the same credential.

Warning

The YubiKey provides a total of eight (8) attempts to enter the correct current PIN during a PIN change attempt, registration attempt, or authentication attempt. After three (3) incorrect attempts in a row, that key must be removed and reinserted into your device. After 8 incorrect attempts, the FIDO2 application becomes blocked and must be reset. Entering the PIN correctly resets the PIN attempt counter back to 8.

The same FIDO2 PIN is used for passkeys; if you have already created a FIDO2 PIN via the Passkeys feature, you do not need to create a new one for Fingerprints.
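The counter rules in the warning above can be modeled as a small state machine. This is an added example, not Yubico code; the `PinState` class, its method names, and the sample PIN are hypothetical, and it assumes that an attempt made while reinsertion is required is rejected without consuming a retry.

```python
from dataclasses import dataclass

MAX_RETRIES = 8      # total PIN attempts, per the warning above
MAX_CONSECUTIVE = 3  # wrong attempts in a row before reinsertion is required


@dataclass
class PinState:
    """Toy model of the FIDO2 PIN attempt counter (illustrative only)."""
    pin: str
    retries: int = MAX_RETRIES
    consecutive_wrong: int = 0

    @property
    def blocked(self) -> bool:
        return self.retries == 0

    @property
    def needs_reinsert(self) -> bool:
        return self.consecutive_wrong >= MAX_CONSECUTIVE

    def reinsert(self) -> None:
        """Removing and reinserting the key clears only the in-a-row limit."""
        self.consecutive_wrong = 0

    def try_pin(self, candidate: str) -> str:
        if self.blocked:
            return "blocked"            # FIDO2 application must be reset
        if self.needs_reinsert:
            return "reinsert-required"  # assumption: no retry is consumed here
        if candidate == self.pin:
            self.retries = MAX_RETRIES  # a correct PIN restores the counter to 8
            self.consecutive_wrong = 0
            return "ok"
        self.retries -= 1
        self.consecutive_wrong += 1
        if self.blocked:
            return "blocked"
        return "reinsert-required" if self.needs_reinsert else "wrong"


def wrong_guesses_until_blocked(state: PinState, guess: str = "not-the-pin"):
    """Feed wrong PINs, reinserting when required; return (guesses, reinserts)."""
    guesses = reinserts = 0
    while not state.blocked:
        if state.needs_reinsert:
            state.reinsert()
            reinserts += 1
        state.try_pin(guess)
        guesses += 1
    return guesses, reinserts
```

In this model, reaching the blocked state takes eight wrong entries and two reinsertions, and a reinsertion alone never restores retries; only a correct PIN does.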

Creating a FIDO2 PIN

To create a FIDO2 PIN, do the following:

  1. Plug your YubiKey Bio into your device, click the menu icon in the upper left corner of the app, and select Fingerprints.

  2. Click Set PIN under Manage.

    In a narrow app window, click the three dots in the upper right corner of the app to find the Manage menu.

  3. In the Set PIN window, enter your new PIN.

    Note

    PIN requirements depend on your YubiKey’s model, firmware version, and PIN complexity enforcement.

  4. Enter the new PIN again to confirm and click Save.


Changing the FIDO2 PIN

To change the FIDO2 PIN, do the following:

  1. Plug your YubiKey Bio into your device, click the menu icon in the upper left corner of the app, and select Fingerprints.

  2. Click Change PIN under Manage.

    In a narrow app window, click the three dots in the upper right corner of the app to find the Manage menu.

  3. In the Change PIN window, enter your current PIN.

    If you have forgotten your current PIN, the only way to change it is to reset the FIDO2 application of your YubiKey to factory default settings (which will remove the PIN). Note that this will delete ALL fingerprints and passkeys stored on the YubiKey, and you will no longer be able to access those accounts with that key (we recommend registering at least one backup YubiKey with each account/service to maintain access). Once reset, you can always re-register your key with those same accounts and services.

  4. Enter your new PIN.

    Note

    PIN requirements depend on your YubiKey’s model, firmware version, and PIN complexity enforcement.

  5. Enter the new PIN again to confirm and click Save.


Registering and managing fingerprints

You can enroll up to five (5) fingerprints on a YubiKey Bio Series key. Once your key is registered for passwordless FIDO2 or FIDO U2F authentication with an account/service, you can perform authentication by touching the key with any of the fingers that match an enrolled fingerprint.

Note

If the key doesn’t recognize your fingerprint during a FIDO2 authentication attempt, the FIDO2 PIN can be used to complete the authentication.

Enroll a fingerprint

To enroll a fingerprint, do the following:

  1. Plug your YubiKey Bio into your device, click the menu icon in the upper left corner of the app, and select Fingerprints.

  2. Enter your FIDO2 PIN and click Unlock. If you don’t have a PIN yet, create one.

  3. Click Add fingerprint under Setup.

    In a narrow app window, click the three dots in the upper right corner of the app to find the Setup menu.

  4. In the Add fingerprint window, press a finger against the biometric sensor of your key. When the window prompts you to “keep touching your key”, remove your finger and place it back on the sensor. Repeat this until the progress bar reaches 100% completion.

    Make sure to touch both the sensor and bezel and adjust your finger pressure so that as much of your print is in contact with the sensor as possible; this will improve the quality of the reading. For additional tips on enrolling fingerprints, see the YubiKey Bio documentation.

  5. Once the fingerprint is captured successfully, enter a Name for the fingerprint and click Save. You will now see your new fingerprint listed under Fingerprints.

    If you click cancel, the fingerprint will still be saved, but it will be given a name of the form Unnamed (ID: XXXX). If you made a mistake, you can always rename or delete the fingerprint.


Rename or delete a fingerprint

To rename or delete an existing fingerprint, do the following:

  1. Plug your YubiKey Bio into your device, click the menu icon in the upper left corner of the app, and select Fingerprints.

  2. Enter your FIDO2 PIN and click Unlock.

  3. Click on the fingerprint you would like to manage.

  4. To rename the fingerprint, click Rename fingerprint under Details. Enter a new Name and click Save.

  5. To delete a fingerprint, click Delete fingerprint under Details. To confirm the operation, click Delete.
