
Biometric YubiKey - JoachimS
https://www.yubico.com/2019/11/yubico-reveals-first-biometric-yubikey-at-microsoft-ignite/
======
phillipseamore
1) This is an upgrade to the touch sensitive button that's on all YubiKeys
today. The reason you have to touch the key is so that if an attacker gains
access to your computer with an attached Yubikey, they will not be able to use
it (it requires physical presence). Now that touch sensitive button becomes a
fingerprint reader, so it can't be activated by just anyone.

2) The computer/OS doesn't have to support anything for this added feature.

~~~
steve19
A fingerprint is only going to stop a very opportunistic attacker. Someone who
already has your desktop and app password and physical access to your desktop
can probably get a fingerprint off a glass, cup or something else.

I don't think this product is as useful as it seems at first glance. Using
stronger passwords is probably just as safe.

But I am no tptacek so I may be completely wrong :)

~~~
ekianjo
> A fingerprint is only going to stop a very opportunistic attacker. Someone
> who already has your desktop and app password and physical access to your
> desktop can probably get a fingerprint off a glass, cup or something else.

I do hope you realize this raises the amount of work the attacker has to do to
actually get access to your device. It's a little like saying a second lock on
your door is not going to stop anyone, but in practice statistics are clear:
adding one more layer, even if that layer can be defeated as well, reduces the
chance of a successful attack, or deters the attacker in the first place.

------
aloknnikhil
Funnily, this might actually stop the YubiKey from being triggered
inadvertently by my lap. The number of times I have broadcasted OTP codes on
Slack is embarrassing.

If you're looking to fix this, you can use the guide below.

> [https://support.yubico.com/support/solutions/articles/150000...](https://support.yubico.com/support/solutions/articles/15000006440-accidentally-triggering-otp-codes-with-your-nano-yubikey)

~~~
sturmeh
You can obstruct the lower contact (such that the metal is not exposed) by
painting it, or covering it with a sticker.

You can switch to the long press slot.

You can remove the carriage return at the end of the sequence (so it doesn't
hit ENTER for you).

It's a bit silly that the default implementation is so non-user-friendly.

------
wedn3sday
As someone that does a lot of rock climbing, no fingerprint readers work for
me. I lose skin off my hands on a daily basis. I know not all products are
made for all people, but if my (extremely security conscious) employer ever
implements something like this I'm screwed.

~~~
CaptainMarvel
You’d be screwed because your employer would fire you because their
fingerprint reader-based security does not work for you?

~~~
tomcooks
That's what NFC cards are for.

~~~
manbash
You can pass the NFC card, which is different from biometric. Unless you mean
implants?

------
dzhiurgis
Are there any credit-card-size YubiKeys yet? Also, how come MacBooks don't come
with NFC yet? Carrying keys is not something I've done for 10 years or so.

What I'd really like to see is government ID that works somewhat similarly to how
domain certificates work: you can either use your ID as a YubiKey or
authorize/mint multiple additional keys using the same certificate chain...

My country's ID has a chip that requires you to run a Java applet in the browser.
Nobody uses that shit. Other options are logging in via internet banking
(people are flocking away from traditional banks in Europe to Monese, Revolut
and the like) or via SMS while using a special SIM card (requires paid
membership from oligopolistic mobile providers). It's so modern that you are
locked out of your government digital services if you live abroad...

~~~
tbabej
What I would recommend is buying an off-the-shelf retractable lanyard [1] and
putting a Yubikey on it. I do so myself, and it has a number of advantages:

* You cannot leave your computer alone with the Yubikey plugged in (especially useful when combined with modifying your PAM stack to lock the screen when the Yubikey is unplugged [2])

* Plugging in a Yubikey that is on a bulky keychain is cumbersome

* A Yubikey on your neck can be a great conversation opener :)

[1] [https://www.amazon.com/Updated-CarryLuxe-Lanyard-Polyester-R...](https://www.amazon.com/Updated-CarryLuxe-Lanyard-Polyester-Retractable/dp/B071D55VN9/)

[2] [https://tbabej.com/Yubikey-secure-session-setup/](https://tbabej.com/Yubikey-secure-session-setup/)

~~~
riffraff
Isn't there an NFC yubikey? That should solve the "have to plug it" issue.

~~~
coremoff
The Neo, at least, supports NFC

------
munchbunny
I have mixed feelings about this. The form factor is great as a second factor,
but I don’t trust fingerprints as a primary auth factor due to (1) existing
precedent of bugs in fingerprint recognition (2) that you can’t revoke your
fingerprint, and (3) that Yubikeys are somewhat easy to lose.

~~~
regnerba
You cannot revoke your fingerprint, but your fingerprint is just unlocking a
private key. You can revoke that private key. So if you lose the YubiKey you
can still revoke that YubiKey.

Do I understand that correctly?

~~~
fnenrjfkdke
The new private key would still be unlockable with the same fingerprint.

~~~
lawnchair_larry
Doesn’t matter, it’s in your possession. If you lose it, you revoke the
yubikey.

------
sahaskatta
This is pretty neat. I wish there was a USB-C model.

~~~
hwillis
To my knowledge (electrical engineer) there is no usb-c connector with solid
strain relief. I haven't been looking for one specifically but I've been
looking at upgrading a project to usb-c.

All the usb-c connectors I know have soldered body connections, which makes
for a really poor mechanical bond. Solder joints are full of mechanical
stresses and the only thing preventing a bend is the copper delaminating from
the pcb.

In usb-a, any bending has to break the entire substrate. Decent plated
contacts will outlast the connectors they're plugging into. On top of that you
can plate something like a yubikey on both sides if you wanted to, so the only
advantage is size and it's not like you're plugging these things into your
phone. As long as computers still have a single usb-a (and they should, if
only for backwards compatibility) it's a non-issue, IMO.

~~~
thefounder
My macbook has only usb-c ports

~~~
sdan
Same here. That's why I got their mini USB C key so it's barely noticeable.

Solokey is also pretty good.

~~~
hwillis
They've got the best kind of connector I've seen[1], with soldered joints on
both sides of the board and a little wrap around, but it's still not as solid
long-term as the USB-A keys. Over time the solder will start to crack. It also
requires a much thinner board, so it's fragile because of that.

With a high-quality product like a 2factor key, this may not be an issue. But
wifi/bluetooth/SDR dongles and adapters get made to much lower standards and
with cheaper solder. Cheap solder is far more prone to degradation.

[1]: [https://i.shgcdn.com/25b75d64-fced-4845-acc5-91c39d0029bd/-/...](https://i.shgcdn.com/25b75d64-fced-4845-acc5-91c39d0029bd/-/format/auto/-/preview/3000x3000/-/quality/lighter/)

------
donpdonp
Sounds like a creative new way to get locked out of your own keys.

~~~
jolmg
You mean if you get a cut on the finger you registered. On this page[1],
though, it says it would support "[storing] multiple fingerprints", so that
should help in that case.

[1] [https://www.yubico.com/products/yubikey-hardware/](https://www.yubico.com/products/yubikey-hardware/)

~~~
teekert
That is a must. I recently started skateboarding, and wiping out and
grabbing the sandpaper-like surface makes my fingerprint scanner not work for about
2 days!

~~~
cormacrelf
Hot tip for guitarists: left thumb fluctuates least.

------
oxplot
What most comments are missing here is that WebAuthn is a replacement for
passwords. You know, "123456789", "jim1966", "monkey123", etc. With this
key, remote attackers are completely neutralized. That's the bulk, if not
almost all, of attacks usually.

~~~
zxcvbn4038
It is not a password replacement; you still need multiple factors of
authentication. Yubikey satisfies the “something you have” factor, your
password is still the “something you know”. Your password can be learned but
should not be usable without something you have. Your token can be taken but
should not be usable without the something you know. Fingerprints are not
infallible; it’s more a confidence of a match than an exact match. Samsung was just
in the news because someone figured out how to trick their sensors to read a
false positive. Having a password also would keep that from being exploitable.
Also keep in mind that the current school of legal thought in the US is that
biometrics don’t qualify for 5th Amendment protections whereas passwords do:
police can force you to put your finger on a reader, but they can’t force you
to give a password without judicial review.

~~~
lawnchair_larry
You do not need 2 factors with this solution, which is the whole point. This
isn’t a 2FA token anymore. 2FA was a mitigation against phishing and
credential theft. This solves that problem with a single factor. It _is_ a
password replacement.

~~~
ryeights
Unlike a password, a court (in the US) might be able to compel you to provide
access to your accounts/encrypted disks via your YubiKey + fingerprint.

~~~
daxelrod
While the cases in which a court could compel you to provide your password are
much narrower, note that they still do exist.

[https://arstechnica.com/tech-policy/2017/03/man-jailed-indef...](https://arstechnica.com/tech-policy/2017/03/man-jailed-indefinitely-for-refusing-to-decrypt-hard-drives-loses-appeal/)

------
antpls
This is so cool. What I am worried about with using fingerprints is that they are
either stored on a laptop or a smartphone. You have to trust a lot of
hardware, and the whole software stack made by many third parties, to protect that
data.

With this key, that's already many less parts to verify and trust.

Let's hope it's not easily reverse-engineerable and the key is never shared
with Yubikey.

------
JoeAltmaier
Again: fingerprints are absolutely unsuitable as 'passwords'. They are at
most usernames. Because they can't be changed regularly, are left around for
people to find (on the Yubikey device itself!), are readily connected to you
as a person, and have terrible entropy (a few bits).

~~~
nobodyshere
Fingerprints aren’t passwords here.

~~~
eeZah7Ux
The problem is still there.

~~~
nobodyshere
The problem of your misunderstanding in this case. That can be fixed though.

~~~
eeZah7Ux
_facepalm_

------
xchaotic
Can someone point me to a similar MFA solution where I use my phone biometrics
as the factor instead of yubikey?

I have the Authenticator apps but it’d be nice if the phone and computer could
exchange those numbers for me.

~~~
icebraining
If you use Android, Google is implementing that into the OS itself:
[https://krebsonsecurity.com/2019/04/android-7-0-phones-can-n...](https://krebsonsecurity.com/2019/04/android-7-0-phones-can-now-double-as-google-security-keys/)

------
vzaliva
Any word how this will be supported on Linux? The article states:

"In keeping with Yubico’s design philosophy, the YubiKey Bio will not require
any batteries, drivers, or associated software."

~~~
tialaramex
This is a FIDO2 device.

It's actually easier to support this in Linux than a "conventional" PIN-based
FIDO2 token, because the Linux system doesn't need to arrange to read a PIN
from the user and send that to the token; the token is going to read the
user's fingerprint instead.

If you just want a second factor, it'll work like an old FIDO device, which
you might be familiar with for U2F - everything is already in place, loads of
people are doing this including with Yubico's existing FIDO2 (pin-based)
product.

If you want this to be the sole factor (as in the Windows demos or for a site
where the convenience of one touch login is good but you don't need MFA
security) that ought to work with WebAuthn out of the box, but I actually
haven't seen a demo, so I can't say this from personal experience even though
I own a FIDO2 token.

~~~
psanford
www.passwordless.dev has a demo passwordless fido2 login workflow that will
trigger the fido2 pin prompt in Chrome.

~~~
tialaramex
Thanks. So that‡ works on my Windows gaming laptop with Chrome, but not (with
the same FIDO2 token) with Firefox including on any of my Linux systems (I
don't run Chrome on Linux so did not test). Plenty of work to be done there
apparently. Good to know.

‡ Referring to "Go usernameless too" which is the mode where a PIN is needed.
All the other modes are just plain FIDO and don't need any further
verification, and they work just fine on all my systems with any of my tokens.

~~~
snorremd
FIDO2/U2F support is still an experimental feature in Firefox, but can be
activated with the "security.webauth.u2f" setting in about:config.

~~~
tialaramex
The flag you're talking about is (as its name hints) about the legacy U2F,
which can't do this flow at all. As I explained, this already works fine and I
use it every day.

Using the FIDO2 Yubikey as the sole source of truth, replacing usernames and
passwords, is not available in U2F; that's a WebAuthn-only feature, and
apparently it doesn't work in Firefox yet, which is disappointing.

------
jonplackett
What happens if you lose your yubikey? Are you then locked out of your
accounts? Or is there a backup way to get in, and if so does that make the
yubikey kinda pointless anyway?

~~~
Dayshine
The obvious solution to me (although I don't see it recommended on the yubikey
website) is to buy 2 yubikeys and register both with services.

Then put the 2nd in a locked safe or other location that requires someone to
have absurd access.

If you lose the 1st, use the 2nd to deregister the 1st and register a 3rd.

~~~
laumars
Usually you'd have more than one sysadmin on the team so the 2nd guy could
restore your access.

Having a reliance on 1 individual creates a great deal of risk, not just in
the case of lost YubiKeys.

~~~
Dayshine
For business use, sure, but not for personal use.

Relying on recovery methods for all your yubikey secured accounts would be a
vast amount of work.

~~~
laumars
Ahh, sorry, yes. For some reason personal use completely slipped my mind.

------
killjoywashere
I've seen something similar done with a yubikey 5C nano + onboard biometric. I
like that more than this because this is a giant dongle sticking out of my
computer. Still better than the military's CAC card solution, which seems like
the worst of all worlds.

------
SloopJon
I've read several articles and discussions about the topic, but I'm still a
little fuzzy on where biometrics fit in the context of authentication:
username, password, just another factor? What is the role of the fingerprint
in the case of this key?

~~~
kovek
"Something I know, something I have, something I am". I think "something I am"
is difficult to achieve.

~~~
Uehreka
I think a lot of people are questioning whether “something I am” is even a
good target to aim for at all. As other folks in these comments have
mentioned: if your fingerprints/retinas/DNA are compromised, you can’t change
them the way you can with a password.

~~~
roblabla
That's why you combine them. Nobody is saying auth should purely be based on
biometric. It's all three: Something I know, AND something I have, AND
something I am. If your DNA is compromised, you still have the thing you know
and the thing you have to keep you secure.

~~~
bradknowles
So, they make you write the password down.

Then they take the Yubikey.

Then they take your eyeballs and your fingers.

I'm not so sure I want to encourage them to do #3.

~~~
roblabla
I mean, if someone is forcing me to login at gunpoint, I'll gladly oblige - no
need for them to gouge my eye out.

This is not the threat model being used here. This feature is meant to protect
you when you forget your Yubikey in your laptop while on lunch break, stopping
any co-worker from logging in/using the GPG keys stored within.

------
drannex
I am just imagining how insane this would have been if it were released 20
years ago, or ten years ago, or even as recently as five years ago.

------
Yizahi
Meanwhile I just wish I could use my old Yubikey like everyone else. But it
seems that outside of the walled Googlenet there is very low chance of it. It is
now the second year that my Yubikey has been collecting dust in my drawer. Fuck you very much,
Google, I really appreciate this.

~~~
icebraining
How is it Google's fault that you can't use Yubikeys on non-Google sites?

------
paggle
I can't stand fingerprint readers. My skin for whatever reason tends to get
only about a 20% success ratio over three attempts.

~~~
RachelF
I've done a bit of IT support for old folks. People over 70 typically battle
to register their fingerprints and get them working on Apple and Samsung
devices.

------
ggm
Just to remind people who live behind centrally administered distribution of
keys and tokens: the authority can probably always add their thumbs to the prints
on the key.

So any belief that this implies only your permissioned access to your work is
moot. If it's not your computer, you probably don't have an implied right to
privacy anyway, and a Yubikey with bio isn't going to give you it either.

(Maybe a non sequitur, but some people may be assuming this means your local
U2F-bearing host is YOUR host, but... not always.)

