Biometric YubiKey (yubico.com)
264 points by JoachimS 29 days ago | 198 comments

1) This is an upgrade to the touch sensitive button that's on all YubiKeys today. The reason you have to touch the key is so that if an attacker gains access to your computer with an attached Yubikey, they will not be able to use it (it requires physical presence). Now that touch sensitive button becomes a fingerprint reader, so it can't be activated by just anyone.

2) The computer/OS doesn't have to support anything for this added feature.

> 1) This is an upgrade to the touch sensitive button that's on all YubiKeys today. The reason you have to touch the key is so that if an attacker gains access to your computer with an attached Yubikey, they will not be able to use it (it requires physical presence). Now that touch sensitive button becomes a fingerprint reader, so it can't be activated by just anyone.

I'd like it to work that way but when I'm reading the article it doesn't explicitly say that (only mentioning integration with Azure that's not interesting for me).

Is there any authoritative info that the fingerprint reader will work as touch button but with verification of fingerprints in all scenarios? (like touch-to-use on OpenPGP applet, U2F applet etc.)

> The reason you have to touch the key is so that if an attacker gains access to your computer with an attached Yubikey, they will not be able to use it (it requires physical presence).

Additionally, it prevents brute force attacks on the hardware.

Only if you keep your key and computer hardware separate.

Some hardware keys are being built into devices, or are left in them semi-permanently (to be fair, physical attacks aren't a real concern for most people)

No - what I meant is exactly that a hardware key permanently left in a computer is still safe from brute force attacks by software running on that computer (which could be Javascript on a website the user visited) because it requires physical interaction for each single operation it performs.

The physical interaction was already necessary for the non-biometric keys, no?

Yes, it's not an advantage specifically of the biometric one.

Ah my bad, I misunderstood your comment.

Yeah I would like this for a yubikey I leave plugged into a machine, like my desktop at work. That way I don't have to fish the one I carry on my keyring out of my pocket and remember to bring it home.

For cases like this, when people leave their key permanently attached to a device, it would be nice if the device itself had this functionality built in. I mean, the iPhone already has a secure enclave to store this kind of sensitive data.

There is a web service using exactly such a mechanism for U2F in browsers: https://krypt.co/

This works through an addon in the browser rather than native functionality but the system is secure enough that I use it as a backup for some of my 2FA services in case I lose my TOTP keys.

You mean like the MacBook Pro?


Yes: this is apparently supported by https://github.com/github/SoftU2F — see https://github.com/github/SoftU2F/pull/29#issuecomment-32408... — but the documentation doesn't reflect that yet.

That's what the TPM does. Windows Hello in conjunction with a TPM can be used for FIDO2 authentication in the current Windows 10 version.

A fingerprint is only going to stop a very opportunistic attacker. Someone who already has your desktop and app password and physical access to your desktop can probably get a fingerprint off a glass, cup or something else.

I don't think this product is as useful as it seems at first glance. Using stronger passwords is probably just as safe.

But I am no tptacek so I may be completely wrong :)

> A fingerprint is only going to stop a very opportunistic attacker. Someone who already has your desktop and app password and physical access to your desktop can probably get a fingerprint off a glass, cup or something else.

I do hope you realize this raises the amount of work the attacker has to do to actually get access to your device. It's a little like saying a second lock on your door is not going to stop anyone, but in practice statistics are clear: adding one more layer, even if that layer can be defeated as well, reduces the chance of a successful attack, or deters the attacker in the first place.

For most people, their threat model is someone in their home, office or circle of acquaintances snooping on their computer - either casually or with criminal intent but little savvy. These are not sophisticated actors, they are not lifting fingerprints off glasses.

Anyway, Yubikey is only a second factor - not your entire security strategy - and I think it is made a bit stronger with a biometric, that's all.

A fingerprint is only going to stop a very opportunistic attacker. Someone who already has your desktop and app password and physical access to your desktop can probably get a fingerprint off a glass, cup or something else.

The people most of us work with have physical access to our computers and they could probably shoulder surf a short password (use a password manager!). I don't imagine any of them could successfully lift a fingerprint sufficiently well to fool a biometric reader. It looks easy in perfect conditions on YouTube but in the real world it's a bit harder.

I hope not anyway because my office has fingerprint access.

The tremendous majority of property crime, especially cyber, is opportunistic.

Depends how you define an opportunistic hacker.


Funnily, this might actually stop the YubiKey from being triggered inadvertently by my lap. The number of times I have broadcasted OTP codes on Slack is embarrassing.

If you're looking to fix this, you can use the guide below.

> https://support.yubico.com/support/solutions/articles/150000...

You can obstruct the lower contact (such that the metal is not exposed) by painting it, or covering it with a sticker.

You can switch to the long press slot.

You can remove the carriage return at the end of the sequence (so it doesn't hit ENTER for you).

It's a bit silly that the default implementation is so non-user-friendly.

I've had vim open during accidental presses before, and that always made me panic. The stuff on your screen can start jumping around like how movies always portray "hacking". If it wasn't for tools like gundo, I'd always be wondering if I ran undo enough or if I went back too much.

I now have long-press disabled by default, but I used to be in a state of constant worry.

Over time, the inadvertent social media/twitter & slack posts made by this are quite hilarious.

I actually plug in my nano key upside down while I am not using it. Inadvertent texting aside, I had real issues when programs like Lightroom suddenly started acting on dozens of random text shortcuts.

As someone that does a lot of rock climbing, no fingerprint readers work for me. I lose skin off my hands on a daily basis. I know not all products are made for all people, but if my (extremely security conscious) employer ever implements something like this I'm screwed.

You get flappers on your first pads or what? I'm also a climber and impressed with how consistently fingerprint login works on my phone no matter how much I climb.

I don't climb rocks and my finger is recognized maybe 50% to 75% of the time by my phone, and only under good circumstances. If my fingers are wet or dirty, forget it.

There are probably just different recognition technologies around and my phone probably uses a very cheap one.

Personally I don't really care about biometric protections, because they can very often be copied and faked with more or less effort, and once they are leaked, you cannot change them easily yourself.

You’d be screwed because your employer would fire you because their fingerprint reader-based security does not work for you?

That's what nfc cards are for

You can pass the NFC card, which is different from biometric. Unless you mean implants?

Someone needs to commercialize unique artificial fingertips. Use them to register with your Yubikey or phone :)

My experience is that using Argan oil right after climbing solves this for the next day. The combination of a nights rest and Argan oil almost always does the trick. The times it did not work was when I had a more serious skin injury.

Have you tried using your thumbprints? For me, they never fail to unlock my phone when the other fingers do. OTOH, I only climb plastic so YMMV.

I'm rock climbing as well and I developed a similar biometric token for my company. My experience is that the thumb works best, as you usually don't use your thumb a lot for rock climbing compared to the other 4 fingertips.

How does your employer handle people with no hands?

In the US, by abiding by federal law which mandates reasonable accommodation; able rock climbers categorically need not apply.

You'll have company-provided proof that the lack of fingerprints can be overcome with reasonable accommodation. Feels like that should be grounds to mount a (moral, at least) defense, but I'm no lawyer.


Would you please stop posting comments that break the site guidelines? We ban accounts that do that and I don't want to ban you.


Why was this response warranted? He simply made a claim that when researched you find many people run into the same thing.

Sources: https://www.google.com/amp/s/amp.reddit.com/r/climbing/comme... https://www.reddit.com/r/climbing/comments/2ah692/fingerprin...

Jesus, calm down. The parent experienced something that a ton of climbers do. Literally search any climbing forum for this topic. When I’m climbing frequently, I have to reset my iPhone Touch ID about every two weeks. When I’m not climbing, I never have to reset it.

Are there any credit-card-size YubiKeys yet? Also, how come MacBooks don't come with NFC yet? Carrying keys is not something I've done for 10 years or so.

What I'd really like to see is government ID that works somehow similarly to how domain certificates work - you can either use your ID as a yubikey or authorize/mint multiple additional keys using the same certificate chain...

My country's ID has a chip that requires you to run a Java applet in the browser. Nobody uses that shit. Other options are logging in via internet banking (people are flocking away from traditional banks in Europe to Monese, Revolut and the like) or via SMS while using a special SIM card (requires paid membership from oligopolistic mobile providers). It's so modern that you are locked out from your government digital services if you live abroad...

What I would recommend is buying an off-the-shelf retractable lanyard [1] and putting a Yubikey on it. I do so myself, and it has a number of advantages:

* You cannot leave your computer alone with the Yubikey plugged in (especially useful when combined with modifying your PAM stack to lock the screen when the yubikey is unplugged [2])

* Plugging in a Yubikey that's on a bulky keychain is cumbersome

* Yubikey on your neck can be a great conversation opener :)

[1] https://www.amazon.com/Updated-CarryLuxe-Lanyard-Polyester-R...

[2] https://tbabej.com/Yubikey-secure-session-setup/
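The lock-on-unplug idea from the comment above, as an added example that is not the linked PAM setup and not Yubico's code. Instead of a PAM module it polls Linux sysfs for any USB device reporting Yubico's vendor ID (0x1050) and fires a lock command on the present-to-absent edge. The names below are mine, and the lock command assumes a systemd-logind session (`loginctl lock-session`).

```python
"""Lock the desktop session when the YubiKey is unplugged.

Added example, not the PAM setup linked in the comment. It polls Linux sysfs
for any USB device whose idVendor is Yubico's (0x1050) and fires a lock
command on the present-to-absent edge. All names below are mine; the lock
command assumes a systemd-logind session (`loginctl lock-session`).
"""
import os
import subprocess
import time

YUBICO_VENDOR_ID = "1050"          # USB vendor ID of Yubico AB, as sysfs prints it
SYSFS_USB = "/sys/bus/usb/devices"


def yubikey_present(sysfs_root: str = SYSFS_USB) -> bool:
    """True if any USB device under sysfs_root reports Yubico's vendor ID."""
    try:
        entries = os.listdir(sysfs_root)
    except OSError:
        return False
    for entry in entries:
        try:
            with open(os.path.join(sysfs_root, entry, "idVendor")) as f:
                if f.read().strip().lower() == YUBICO_VENDOR_ID:
                    return True
        except OSError:          # interface nodes (e.g. "1-1:1.0") have no idVendor
            continue
    return False


class RemovalDetector:
    """Edge detector: report the present-to-absent transition exactly once."""

    def __init__(self, initially_present: bool):
        self.was_present = initially_present

    def update(self, present: bool) -> bool:
        removed = self.was_present and not present
        self.was_present = present
        return removed


def lock_session() -> None:
    subprocess.run(["loginctl", "lock-session"], check=False)


def watch(poll_seconds: float = 1.0, sysfs_root: str = SYSFS_USB,
          on_removed=lock_session) -> None:
    """Only ever locks, never unlocks: a false positive costs a re-login,
    not security. Re-inserting the key does not count as a new event."""
    detector = RemovalDetector(yubikey_present(sysfs_root))
    while True:
        if detector.update(yubikey_present(sysfs_root)):
            on_removed()
        time.sleep(poll_seconds)


if __name__ == "__main__":
    watch()
```

Run it from the user's session (it needs to talk to the same logind session it locks). Matching on vendor ID rather than a specific product ID means any Yubico device on the bus keeps the session unlocked, which is what you want if you carry more than one model.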

Good way to destroy your laptop by pulling it to the ground when you pull away from your device rapidly.

I've done it enough with wired headphones to know you never really acclimatize to having something hanging from your body

Isn't there an NFC yubikey? That should solve the "have to plug it" issue.

The Neo, at least, supports NFC

> Is there any credit card size yubikeys yet?

Nope, I'd like to see one too. In the meantime the Fidesmo card can replace some usages of a Yubikey (U2F, OpenPGP): https://shop.fidesmo.com/products/fidesmo-card-2-0

> Also, how come macbooks don't come with nfc yet?

Are there _any_ laptops with NFC? What other uses would it have?

I remember having a Dell Latitude laptop with both a contacted smart card reader and an NFC reader near the trackpad.

The uses would be bulletproof authentication with client certificates. Your identities can live on a physical card (instead of “hacks” like password managers which are a pain to sync, etc) which you can use on any machine (laptop, phone) and taking the card away inherently prevents the machine from using your credentials down the line no matter how evil it is. It also allows your identities to be carried over from the physical world to the internet - your existing bank card can be used for online banking instead of a separate login that can be reset by an attacker, and your biometric passport or national ID card allows you to login to pay tax or similar government tasks.

FeliCa readers have been in Japanese laptops like the Vaio since 2006. Not sure if that is NFC or not. It's the system the public transportation virtual cash cards use. They were added to let you make your expense reports by scanning your company-provided transportation cards.

I have mixed feelings about this. The form factor is great as a second factor, but I don’t trust fingerprints as a primary auth factor due to (1) existing precedent of bugs in fingerprint recognition (2) that you can’t revoke your fingerprint, and (3) that Yubikeys are somewhat easy to lose.

This is strictly an upgrade from the old button though, as this is a single form of physical security vs zero. If used with a password, the key is only secure in computers with the password, AND it has to be you pressing.

Fingerprint are not very secure, but as this is meant to be only for physical access with the password, it's much better than before.

That's not the whole story.

The use case we're all familiar with is that the YubiKey acts as the second (physical) factor. In that use case, this is great, because now you can opt to make the login three-factor: something you know (password), something you have (the fob), and something you are (your fingerprint).

However, Yubico has also been pushing the password-less login angle. If you look at the FIDO 2/WebAuthn standards and the new capabilities in the current generation of YubiKeys (YubiKey 5's), there's a new capability called a resident key. This removes the dependence on passwords entirely. Currently you can protect that key with a password. I believe this new thumbprint reader allows you to unlock the resident key with a thumbprint. That's what would bring it to parity with built-in thumbprint readers on laptops.

Passwordless login currently exists in the form of thumbprint readers (like on Thinkpads and those Samsung phones that recently showed they had a major flaw) and face recognition (laptops and phones). In the case of facial recognition, I think the convenience benefit is worth the security tradeoff. However, I'd be nervous about using passwordless fingerprint authentication on my YubiKey because that thing is so much easier to lose track of, and I don't trust fingerprint recognition.

I agree, I could've been clearer. I meant as a third form of authentication overall, with an additional password.

Single factor use of a hardware token like this is a MASSIVE weakening of security against state actors that could compromise the token supply chain.

If you assume state actors can compromise the supply chain with impunity your Yubikey is the least of your concerns I would think. Why wouldn’t they just place a hardware implant in your computer :).

There is no potentially detectable 'implant' required in these cases, it can be sufficient to capture a factory initialized private key.

The supply chain of computers is enormous, and only a tiny fraction of computers available are interesting to compromise. This would make it astronomically expensive to compromise a significant fraction of all computers that are useful to compromise, and the risk of detection would be fairly high. The market for security keys is relatively small and a significant portion are worth compromising, so compromises there are much more effective.

If state actors do not completely compromise the manufacture of these keys then they are extremely incompetent and derelict in their duties.

Put another way, if the {pick your boogeyman state} government started issuing hardware cryptokeys and suggesting you use them as a single factor access to your servers, what would you think of that?

Would your opinion be improved if they just didn't announce that they were the boogeyman state and instead did business under a cover company?

Do you have any realistic means of determining that this isn't happening?

"I let someone else generate my secret keys for me" is a failure at the most basic level of security, and that failure isn't removed by them also putting the secret keys in a potted, opaque, and unauditable hardware device.

Yubikey as a second factor is a fantastic improvement-- it's a quite strong protection against attackers who couldn't compromise the keys.

Yubikey as a single factor is simply key escrow with extra steps.

Claiming that trusting the devices own 'fingerprint permission' is two-factor is deceptive since an attacker which has compromised the device's construction, design, or confidentiality of its state only faces one-factor security.

What I'm hoping is that it can be used as a more secure version of the button that the other keys have. That is, if I get this, I wouldn't use the fingerprint without the PIN. I hope I can use both for a single authentication.

You cannot revoke your fingerprint, but your fingerprint is just unlocking a private key. You can revoke that private key. So if you lose the YubiKey you can still revoke that YubiKey.

Do I understand that correct?

Correct, you can revoke the YubiKey itself, although the actual mechanism to do that is implemented by the web app you're authenticating with, not some central registry, so other than conventional expectations, your mileage may vary. You can also hopefully re-enroll the YubiKey after you change the fingerprint.

The new private key would still be unlockable with the same fingerprint.

Doesn’t matter, it’s in your possession. If you lose it, you revoke the yubikey.

3) Keep it on a lanyard. Works very well.

And let's not forget (4) your fingerprint can still be used while you are asleep.

So can your existing Yubikey, albeit with a much lower probability of waking you up.

Existing yubikey is not being positioned as a replacement for passwords so there is a key difference here.

This is pretty neat. I wish there was a USB-C model.

To my knowledge (electrical engineer) there is no usb-c connector with solid strain relief. I haven't been looking for one specifically but I've been looking at upgrading a project to usb-c.

All the usb-c connectors I know have soldered body connections, which makes for a really poor mechanical bond. Solder joints are full of mechanical stresses and the only thing preventing a bend is the copper delaminating from the pcb.

In usb-a, any bending has to break the entire substrate. Decent plated contacts will outlast the connectors they're plugging into. On top of that you can plate something like a yubikey on both sides if you wanted to, so the only advantage is size and it's not like you're plugging these things into your phone. As long as computers still have a single usb-a (and they should, if only for backwards compatibility) it's a non-issue, IMO.

USB-C connectors also accumulate dust in a way that prevents the connector from staying fully plugged in. They are very hard to clean out if the dust clumps together. The original USB-A and USB-B connectors did not have this problem and they could be cleaned easily (as long as the equipment was powered off...)

Similarly to how some cheap electronics cover the "confidential" portions of their PCBs and some components to obscure them with epoxy, wouldn't you be able to cover the connector with that for some strain relief?

Yeah, with a waterproof connector. However there's a reason yubikey uses just a float board connector and most of those itty bitty wifi/bluetooth usb-a dongles have custom connectors: the connector and solder joint are much more rigid than the surrounding epoxy. It's just a reality of them being metal joints.

What I mean by solid strain relief is basically a plastic float that bridges the soldered connections to the connector body. I haven't seen one like that, but it's necessary to isolate the connector itself from the board and soldered bits. Covering the whole thing in goop helps for excessive force, but does almost nothing for the everyday wiggles that eventually cause connections to loosen. You need built in flex for that.

You should be able to place a USB C connector on one end of a flexible cable/ribbon connector.

Sure, but integrating cords into manufacturing is a huge pain in the ass and usually done by hand. Honestly I'd rather see something kind of like this[1], where the body was totally flush with the computer (or as close to as possible) and the reader was facing outwards instead of up. That wouldn't fit in the pocket for shit though.

[1]: https://cdn10.bigcommerce.com/s-u7jmw/products/93/images/840...

My macbook has only usb-c ports

Same here. That's why I got their mini USB C key so it's barely noticeable.

Solokey is also pretty good.

They've got the best kind of connector I've seen[1], with soldered joints on both sides of the board and a little wrap around, but it's still not as solid long-term as the USB-A keys. Over time the solder will start to crack. It also requires a much thinner board, so it's fragile because of that.

With a high-quality product like a 2factor key, this may not be an issue. But wifi/bluetooth/SDR dongles and adapters get made to much lower standards and with cheaper solder. Cheap solder is far more prone to degradation.

[1]: https://i.shgcdn.com/25b75d64-fced-4845-acc5-91c39d0029bd/-/...

And one of mine already jiggles and has unreliable connection because of stress. I've cringed when I accidentally yanked my computer not realizing it's charging or connected to something else.

My next macbook, I'm definitely buying those 3rd party magsafe-like dongles that sit in my usb-c ports!

> My next macbook, I'm definitely buying those 3rd party magsafe-like dongles that sit in my usb-c ports!

Do you have any recommendations on brands by any chance? I don't know anyone who has them, but I've been considering getting a couple for my phone and random devices that use usb-c.

I'd love a model that supported both USB-A, USB-C and NFC. I realize it wouldn't be nearly as small, but that would certainly cover all the bases.

You forgot BLE! Then you could actually use it across all of your devices.

The same BLE with known vulnerabilities?

you could maybe sniff OTP over it but to time it with an attack, you’d still need quite a few other things. I wouldn’t get a wireless yubikey personally but I can see how some might prefer the convenience over security


heh, just build a little facade for it.

Yubikey has USB-C touch models so likely a USB-C bio version is next on the list.

Sounds like a creative new way to get locked out of your own keys.

You mean if you get a cut on the finger you registered. On this page[1], though, it says it would support "[storing] multiple fingerprints", so that should help in that case.

[1] https://www.yubico.com/products/yubikey-hardware/

Hmmm, I wonder if there's a way to set this up with a "duress" fingerprint, that'll unlock a special/different key and log you in to completely vanilla accounts instead of your real ones?

That is a must. I recently started skateboarding, and wiping out and grabbing the sandpaper-like surface makes my fingerprint scanner not work for about 2 days!

Hot tip for guitarists: left thumb fluctuates least.

I currently have multiple keys. One I carry on me and one I locked in our firesafe with other important documents.

The way I see it, I would want the bio version to be the one on my person. I still have the other put away where it won't be lost.

I lose my hand? Still have a backup. I lose my key? Backup and maybe I have a little bit of extra time to update my bank MFA while the thief figures out the fingerprint situation.

What services even support multiple keys?

That's been my biggest struggle, I want a primary and backup key but almost every service I use only allows one at a time. I cannot duplicate the same key because it increments internally to avoid replay.

Not as many as I would like, but: google, github, hetzner, ovh, gandi, gitlab, bitwarden are some that support multiple keys.

I suppose for sites that only allow one, you can store their backup codes in bitwarden behind your multi-key service. Still annoying.

Facebook, GitHub and Google are common sites which allow multiple keys.

Is there a service that limits to a single key? I've never encountered one.

AWS only allows one U2F token to be registered at a time.


twitter. :(

Google does, and IIRC Github does too.

What most comments are missing here is that WebAuthn is a replacement for passwords. You know the "123456789", "jim1966", "monkey123", etc. With this key, remote attackers are completely neutralized. That's the bulk if not almost all attacks usually.

It is not a password replacement, you still need multiple factors of authentication. Yubikey satisfies the "something you have" factor, your password is still the "something you know". Your password can be learned but should not be usable without something you have. Your token can be taken but should not be usable without the something you know. Fingerprints are not infallible, it's more a confidence of a match than an exact match - Samsung was just in the news because someone figured out how to trick their sensors into reading a false positive. Having a password also would keep that from being exploitable. Also keep in mind that the current school of legal thought in the US is that biometrics don't qualify for 5th amendment protections whereas passwords do - police can force you to put your finger on a reader, but they can't force you to give a password without judicial review.

You missed my point entirely. So I repeat it here: most attacks are online attacks, remote in nature, so even a physical security key without a fingerprint reader is still superior to passwords and would mitigate the majority of attacks. WebAuthn [1] is not the same as 2FA. That's a different standard and it is meant to replace passwords. The fingerprint reader on this new yubikey is an additional measure against someone in close proximity to your physical key being able to use it.

[1]: https://en.m.wikipedia.org/wiki/WebAuthn

You do not need 2 factors with this solution, which is the whole point. This isn’t a 2FA token anymore. 2FA was a mitigation against phishing and credential theft. This solves that problem with a single factor. It is a password replacement.
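The resident-key / user-verification distinction from the "That's not the whole story" comment further up, and the password-replacement argument in the last few comments, come down to which flag bits a relying party demands in the assertion. Below is an added example, not Yubico's code nor any WebAuthn library's API, of the server-side checks: UP (the touch) is what makes every signature cost a physical interaction, UV (PIN or, on a biometric key, the fingerprint) is what a passwordless login must insist on while a plain second-factor login only needs UP, and the signature counter is the reason a registered credential cannot be cloned onto a backup key. Signature verification over `authData || SHA-256(clientDataJSON)` needs the credential's public key and a crypto library and is not shown, only the signed payload is built. All function names and the rp_id `example.com` are my assumptions.

```python
"""Relying-party (server) checks on a WebAuthn/FIDO2 assertion.

Added example, not Yubico's code nor any WebAuthn library's API. Only the
authenticatorData policy checks are shown; the ECDSA/EdDSA signature over
signed_payload(...) is verified separately with the credential's public key.
All names and the rp_id "example.com" are mine.
"""
import hashlib
import struct
from dataclasses import dataclass

FLAG_UP = 0x01  # user present: the token was touched
FLAG_UV = 0x04  # user verified: PIN or biometric checked inside the token
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_auth_data(raw: bytes) -> AuthData:
    """authenticatorData = rpIdHash(32) || flags(1) || signCount(4, big-endian) || ..."""
    if len(raw) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    (sign_count,) = struct.unpack(">I", raw[33:37])
    return AuthData(rp_id_hash=raw[:32], flags=raw[32], sign_count=sign_count)


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed test vector standing in for what the token emits."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


def signed_payload(raw_auth_data: bytes, client_data_json: bytes) -> bytes:
    """The bytes the token signed; verify the assertion signature over these."""
    return raw_auth_data + hashlib.sha256(client_data_json).digest()


@dataclass
class StoredCredential:
    credential_id: bytes
    last_sign_count: int = 0
    revoked: bool = False  # set when the user reports the key lost


def check_assertion(cred: StoredCredential, raw_auth_data: bytes,
                    rp_id: str, require_uv: bool) -> int:
    """Apply RP policy to an assertion; return the new counter or raise."""
    if cred.revoked:
        raise PermissionError("credential revoked: key was reported lost")
    ad = parse_auth_data(raw_auth_data)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise PermissionError("rpIdHash mismatch: signed for a different origin")
    if not ad.flags & FLAG_UP:
        raise PermissionError("no user presence: token signed without a touch")
    if require_uv and not ad.flags & FLAG_UV:
        raise PermissionError("passwordless login requires user verification")
    # Counter: zero on both sides means the token implements no counter;
    # otherwise the new value must strictly increase, or a clone is in play.
    if (ad.sign_count or cred.last_sign_count) and ad.sign_count <= cred.last_sign_count:
        raise PermissionError("signature counter did not increase: cloned key?")
    cred.last_sign_count = ad.sign_count
    return ad.sign_count


if __name__ == "__main__":
    cred = StoredCredential(credential_id=b"\x01" * 16)
    bio = build_auth_data("example.com", FLAG_UP | FLAG_UV, 5)
    print("biometric key, passwordless:", check_assertion(cred, bio, "example.com", True))
    touch = build_auth_data("example.com", FLAG_UP, 6)
    print("touch-only key, second factor:", check_assertion(cred, touch, "example.com", False))
    try:
        check_assertion(cred, build_auth_data("example.com", FLAG_UP, 7), "example.com", True)
    except PermissionError as err:
        print("touch-only key, passwordless:", err)
```

The `require_uv` switch is the whole difference between the two flows debated above: with it off, the key is the familiar second factor next to a password; with it on, the server is trusting the token's own PIN or fingerprint check as the second factor, which is exactly the "one-factor against a compromised token" concern raised earlier in the thread. Revocation is per relying party (the `revoked` flag lives in the server's credential table), not in any central registry, which matches what the thread says about losing a key.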

Unlike a password, a court (in the US) might be able to compel you to provide access to your accounts/encrypted disks via your YubiKey + fingerprint.

While the cases in which a court could compel you to provide your password are much narrower, note that they still do exist.


If I were defending against legal duress, then I would design the system to require my MFA and there would be a prompt to a team in another region that has to "approve" my login real time. This method is not perfect, because that team has to be an entirely different company/organization to not be included in the same legal order and there are other legal issues with that setup. I am not a lawyer and would never pass the bar. Anyway, my MFA would decrypt part of the key and the other team would provide the remainder of the decryption of the key if they approve my access. Some old secure mainframes were setup in this fashion.

I'd still prefer MFA for important stuff, because two factors are better than one. Since the one thing we know about security is that we don't know or understand it that well, and time works against security engineering.

Fingerprints can be stolen. A fingerprint is an obfuscated username, it's not a replacement for a password.

Yeah, it may be a decent tradeoff for those who don't want the increased effort of entering 2-factors. Password + key. For those who don't trust the fingerprint reader that much, it does upgrade you to effectively 3 factors; password, key, and finger.

This is so cool. What I am worried about using fingerprint is that they are either stored on a laptop or a smartphone. You have to trust a lot of hardware, the whole software stack made by many third parties to protect that data.

With this key, that's already many fewer parts to verify and trust.

Let's hope it's not easily reverse-engineerable and the key is never shared with Yubikey.

Again: fingerprints are absolutely unsuitable as 'passwords'. They are at most usernames, because they can't be changed regularly, are left around for people to find (on the yubikey device itself!), are readily connected to you as a person, and have terrible entropy (a few bits).

This product does not make your fingerprint into a password.

The fingerprint is a third factor. Your password is the first. The physical key is the second. And the fingerprint is the third.

If your fingerprint is compromised, this system reverts to the security of a 2FA system with a normal physical token (i.e. very strong).

You understand that in this flow the password isn't used, right?

You plug the key into the Windows PC, and you put your fingertip on the sensor and you're signed in. That's two factors, "Something you have" and "Something you are" not three.

But that's not how most Yubikey flows are implemented. For an AWS console, you sign in with a username and password, then tap the contact on your Yubikey. The only difference here is that the key now only works with your fingerprint and not any random person's.

You're correct, that's not how most flows are implemented. But it is the new flow enabled by this device.

For your AWS sign in obviously it won't need a fingerprint and so it'd be kind of silly for the demo to be "this more expensive product works like the older cheaper product you already have" they wanted to show off the new feature which is the "resident credential" user verification mode.

It's just another layer on top of an already well built crypto system.

It can prevent someone that gains physical access to your yubikey from easily using the device. It might not stop a very advanced attacker, but it at least makes things more difficult.

Didn't the password do that already? The one that can be changed?

No. Passwords can be phished. Even password+OTP has proven to be weak. This cannot be phished, and it’s far more user-friendly.

The fingerprint is not a password replacement. The yubikey is a password replacement. The fingerprint prevents a random person from using your yubikey before you notice that it’s gone and you revoke it.

Passwords can be used from anywhere. Keys cannot. That is the attack this blocks.

Fingerprints aren’t passwords here.

I believe the 'convenience' mention was about no longer needing the password. Otherwise this would be more inconvenient, not less?

And the fingerprint is absolutely not a good password replacement.

The problem is still there.

The problem of your misunderstanding in this case. That can be fixed though.


Can someone point me to a similar MFA solution where I use my phone biometrics as the factor instead of yubikey?

I have the Authenticator apps but it’d be nice if the phone and computer could exchange those numbers for me.

If you use Android, Google is implementing that into the OS itself: https://krebsonsecurity.com/2019/04/android-7-0-phones-can-n...

IBM have a product that works like this. You get a prompt on your computer to check your phone, and then you use biometrics on your phone and the website logs you in.


(Disclosure: I work at IBM, but not on this)

not exactly what you're asking for, but you could look at DUO. That can do a push notification to your phone, which would require you to unlock your phone to authorise, but doesn't require typing anything.

What happens if you lose your yubikey? Are you then locked out of your accounts? Or is there a backup way to get in, and if so does that make the yubikey kinda pointless anyway?

The obvious solution to me (although I don't see it recommended on the yubikey website) is to buy 2 yubikeys and register both with services.

Then put the 2nd in a locked safe or other location that requires someone to have absurd access.

If you lose the 1st, use the 2nd to deregister the 1st and register a 3rd.

Usually you'd have more than one sysadmin on the team so the 2nd guy could restore your access.

Having a reliance on 1 individual creates a great deal of risk, not just in the case of lost YubiKeys.

For business use, sure, but not for personal use.

Relying on recovery methods for all your yubikey secured accounts would be a vast amount of work.

ahh sorry yes. For some reason personal use completely slipped my mind.

You can do either, whatever you prefer.

You could generate keys off the device and keep a copy elsewhere allowing you to revoke the device's sub key and generate a new one for a replacement device.

You could have two, and only carry one. (Big downside is that you need to fish out the backup every time you register for something new.)

You could use something else as a second factor as well, and just treat the device as a more convenient option than looking up and typing in an TOTP code, say.

Any word how this will be supported on Linux? The article states:

"In keeping with Yubico’s design philosophy, the YubiKey Bio will not require any batteries, drivers, or associated software."

This is a FIDO2 device.

It's actually easier to support this in Linux than a "conventional" PIN-based FIDO2 token because the Linux system doesn't need to arrange to read a PIN from the user and send that to the token, the token is going to read the user's fingerprint instead.

If you just want a second factor, it'll work like an old FIDO device, which you might be familiar with for U2F - everything is already in place, loads of people are doing this including with Yubico's existing FIDO2 (pin-based) product.

If you want this to be the sole factor (as in the Windows demos or for a site where the convenience of one touch login is good but you don't need MFA security) that ought to work with WebAuthn out of the box, but I actually haven't seen a demo, so I can't say this from personal experience even though I own a FIDO2 token.

www.passwordless.dev has a demo passwordless fido2 login workflow that will trigger the fido2 pin prompt in Chrome.

Thanks. So that‡ works on my Windows gaming laptop with Chrome, but not (with the same FIDO2 token) with Firefox including on any of my Linux systems (I don't run Chrome on Linux so did not test). Plenty of work to be done there apparently. Good to know.

‡ Referring to "Go usernameless too" which is the mode where a PIN is needed. All the other modes are just plain FIDO and don't need any further verification, and they work just fine on all my systems with any of my tokens.

FIDO2/U2F support is still an experimental feature in Firefox, but can be activated with the "security.webauth.u2f" setting in about:config.

The flag you're talking about is (as its name hints) about the legacy U2F which can't do this flow at all. As I explained this already works fine and I use it every day.

Using the FIDO2 Yubikey as sole source of truth replacing usernames and passwords is not available in U2F that's a WebAuthn feature only and apparently it doesn't work in Firefox yet which is disappointing.

Yeah, it works for me with Chrome on linux but not Firefox (yet).

if I remember correctly (at least a few months ago) you had to enable a flag in Firefox to make it work

> Linux system doesn't need to arrange to read a PIN from the user

Is that a problem now?

I /presume/ that no Linux desktop setups today actually support this workflow for user login, which is one of the things touted for Windows.

For Firefox since they advertise support for WebAuthn I /presume/ that the browser will do all the PIN prompts and so on to make this work, but again I have never seen this even _demonstrated_ let alone used in anger. The browser feature doesn't help you if the PC has booted and is at the login screen though, no browser there (yet?).

I own a device (Yubico's own "Security Key 2") which supports this workflow and I've played with it on a demo Windows setup, and though I'd probably never use it to sign into my Linux PCs I'd try it out because I'm a nerd. This device works fine as a FIDO key for my WebAuthn accounts and is enrolled at GitHub etcetera for that purpose but then so does my much cheaper Key-ID FIDO key.

Edited to add: There are a couple of replies now talking about non-FIDO flows like Smartcards or whatever. Some of Yubico's other devices can do these, but we're talking about FIDO2 like this new Yubikey, those flows aren't relevant.

> I /presume/ that no Linux desktop setups today actually support this workflow for user login,

I login to my Linux desktops with a Yubikey and its PIN. I have it configured as a OpenPGP smartcard, and to authenticate (for login, raising privileges with sudo, or unlocking the screen, etc.), I use the poldi[1] PAM module.

[1] http://git.gnupg.org/cgi-bin/gitweb.cgi?p=poldi.git

One thing that has been frustrating with the OpenPGP setup with the Yubikey has been the inability to re-add the stub key entries after they are deleted from the host. I do edit-card, unlock and fetch but the entry doesn't show, rendering it useless in `gpg`.

"fetch" fetches from the URL you set in the card/Yubikey. If you put the public key on an HTTP server and put the URL in the Yubikey (with the "url" command after enabling "admin" commands), you can fetch it with "fetch".

Getting the public key out from an OpenPGP smartcard otherwise is not supported by the protocol it uses. That is frustrating that it wasn't included in the protocol, but I've gotten over it.

After you've imported the public key, getting the private key stubs is a matter of checking the status of the card with `gpg --card-status`. The stubs are added then.

If you have another machine that has the public key, you can export it with `gpg --export -a $key_identity`, and import it with `gpg --import < $exported_public_key_file`.

Otherwise, if you don't hold another copy of the public key, the only option left might be to make a new keypair and be careful to not lose all copies of the public key again.

Also, if you backup the private key, you can get the public key from it by importing it somewhere.

Thanks. That resolves the issue. But definitely unfortunate public key retrieval wasn't included into the protocol. After unlocking of course.

Regarding your edit the problem here is that you assume that U2F/FIDO is some sort of a new, separate thing when in fact it can be just one 'program' or applet of your device which can support others, that are more suitable for logins. FIDO just wasn't designed for it.

Just because this or some other Yubico devices might not allow it doesn't mean others don't. AFAIK for instance Feitian ePass supports GIDS applet, which you can install on smartcards too. And yes, you can install U2F applet on smartcards also.

Why people are not rooting and fighting for an ability to extend things with open source is beyond me.

Smartcard logins were a thing for a long time, especially in military. PINs are the norm, not the exception.

I was going to say how associated software is not required to use some features, but I see that what you quoted continues with:

> The key seamlessly integrates with the native biometric enrollment and management features supported in the latest versions of Windows 10 and Azure Active Directory, making it quick and convenient for users to adopt a phishing-resistant passwordless login flow.

So I'm also curious if this indicates that biometric enrollment is not going to be added to yubikey-manager or yubico-pam.

I think they’re talking about Windows Hello in that blurb, not requiring some special Windows software to enable the fingerprint sensor. That would be very much against their philosophy of keeping all the processing on the device.

FWIW, the current YubiKey does everything on the device, not much of a stretch for it to also do the fingerprint sensing there too.

I would guess this means that the Yubikey is enrolled with Windows via Windows software, but your finger is enrolled on the key by the key itself.

> by the key itself

I think the concern is how would you tell the key that you want to enroll a fingerprint with it? On Windows, you'd use Windows software, but Linux has no such biometric management software as far as I know.

Probably a PDU telling the key to do it. Think:

$ ykmgr bio enroll

This will surely need enough computer help to initiate the process, but the actual biometric data is likely on the dongle itself.

Alternatively, the dongle could produce a wrapped key blob that contains a fingerprint. This would look almost like a normal FIDO enrollment and would allow multiple users to share one dongle with access to different keys.

> Probably

Hopefully. The concern is if what the article says is indication that they won't, or at least not for some time. Does "does not require associated software because Windows doesn't need it" mean that they didn't see a point in making the associated software for a user minority? That's what I think the concern is.

I believe the device performs it's biometric verification entirely on device. The operating system should see the key no differently that a regular non-biometric key.

The biometric verification, yes, but you need to somehow register/enroll a fingerprint with it. The article says that it's going to depend on Windows' native biometric enrollment and management for that.

Enrollment is a FIDO thing. If you have a FIDO key then you've done enrollment, it was that first time you had to press the button when you'd already signed in and were adding it as a second factor.

For a fingerprint (or like, I dunno, a pinprick blood sample, or maybe they'll make one that requires a freshly plucked hair from your head) that enrollment step just adds a boolean flag saying the Relying Party demands the user's identity be verified by the device during enrollment and any subsequent authorisations.

It's sort of on the honour system, except, if you actually demanded this (maybe in a corporate environment?) FIDO has a mechanism for devices to provide a certificate proving which batch of devices they're from, so you could say OK, I trust Yubico's BioKey 4.1 and BioKey 4.2 and the FooCorp EyeBallSlicer 1000 but any other devices aren't allowed to enroll. If you then found out the BioKey 4.1 can be fooled by breathing on it instead of a fingerprint you'd remove that from your whitelist.

Firefox (and maybe Chrome?) let you blank this out basically, so sites can either accept that you won't tell them what device it is or they can refuse to let you enroll. I can imagine _maybe_ making an exception for my bank or government, but any other site can fuck right off.
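As an added illustration of what the two comments above describe from the relying party's side (a plain second-factor registration where only the touch matters, a user-verification registration where the site demands the UV flag, and an AAGUID allow-list built from the device's attested credential data), here is example Python that is not from the article, Yubico or any commenter. It parses the fixed layout of WebAuthn/CTAP2 authenticator data and applies the policy checks; it does not verify the attestation signature, which needs a crypto library and the attestation statement. The relying-party ID "example.com", the AAGUID values and the sample byte strings are constructed for the example, not captured from a real key.

```python
import hashlib
import struct

# Bits of the "flags" byte in WebAuthn / CTAP2 authenticator data.
FLAG_UP = 0x01  # user present: the touch on a YubiKey
FLAG_UV = 0x04  # user verified: PIN, or a fingerprint on a biometric key
FLAG_AT = 0x40  # attested credential data follows (registration responses)
FLAG_ED = 0x80  # extension data follows

ZERO_AAGUID = b"\x00" * 16  # what a client may report when attestation is "none"


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed-layout prefix of authenticator data.

    Layout: rpIdHash(32) | flags(1) | signCount(4, big-endian)
            | [aaguid(16) | credIdLen(2) | credId | COSE public key (CBOR)]
            | [extensions (CBOR)]
    The COSE key and extensions are CBOR and are left unparsed here.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    out = {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
        "aaguid": None,
        "credential_id": None,
    }
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        out["aaguid"] = auth_data[37:53]
        (cred_len,) = struct.unpack(">H", auth_data[53:55])
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential id truncated")
        out["credential_id"] = cred_id
    return out


def check_registration(auth_data: bytes, rp_id: str, require_uv: bool,
                       allowed_aaguids=None):
    """Policy check a relying party runs on a registration response.

    require_uv=False is the classic second-factor use (touch only).
    require_uv=True is the passwordless / fingerprint mode discussed above.
    allowed_aaguids=None accepts any authenticator model; otherwise the
    AAGUID from the attested credential data must be on the allow-list.
    Returns (ok, reason).
    """
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not parsed["user_present"]:
        return False, "UP flag not set"
    if require_uv and not parsed["user_verified"]:
        return False, "UV required but UV flag not set"
    if parsed["aaguid"] is None:
        return False, "no attested credential data in registration"
    if allowed_aaguids is not None:
        if parsed["aaguid"] == ZERO_AAGUID:
            return False, "attestation withheld (zero AAGUID); model unknown"
        if parsed["aaguid"] not in allowed_aaguids:
            return False, "authenticator model not on allow-list"
    return True, "ok"


def build_sample(rp_id: str, flags: int, aaguid: bytes,
                 cred_id: bytes = b"\x11" * 16, sign_count: int = 0) -> bytes:
    """Constructed sample authenticator data for testing (not from a real key).

    A short placeholder stands in for the CBOR COSE public key.
    """
    fake_cose_key = b"\xa5\x01\x02"  # placeholder, not a real COSE key
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count)
            + aaguid
            + struct.pack(">H", len(cred_id))
            + cred_id
            + fake_cose_key)
```

A site that only wants a second factor passes require_uv=False and, as the comment says, a touch-only key is enough; the same key enrolled with require_uv=True fails unless it reports UV, which on a biometric key means the fingerprint was matched on the device. The zero-AAGUID branch is the case the last comment describes: when the browser withholds attestation, an allow-list has nothing to match and has to refuse or fall back.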

Doesn’t that imply that each fingerprint registration becomes per website? So if you want to add a second finger to the device after the fact, you can’t just add it globally to the device but need to do that on a per-credential basis?

Hopefully the fingerprint is not limited to FIDO. I'm hoping I can use it in place of the button confirmation when using it as an OpenPGP smartcard.

I’d be very surprised if anything, including the enrollment, happened off the device. Likely all it involves is sending a “register my fingerprint now” message being sent to the YK, you touch it, then the YK works as expected. They already provide a Linux-native “YK management” program, presumably it just needs to be updated.

I would imagine it definitely isn’t that simple as otherwise anyone could add their fingerprint when you weren’t looking.

It uses a standard protocol (CTAP2 - https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-cl...) that's part of the standards for FIDO2. IIRC as long as your OS lets your application speak to the YubiKey over USB, you should be able to use this in the application. In the browser, you can just use WebAuthn.

If you want to see how a native app can talk to the YubiKey, you can play with Yubico's own implementation: https://github.com/Yubico/python-fido2/

For browser based code, you can use WebAuthn and leave the device communication to the browser and OS: https://developer.mozilla.org/en-US/docs/Web/API/Web_Authent...

Yubico has released open source programs to manage YubiKeys.

For example, it is possible to configure whether user interaction is necessary before encrypting:

  ykman openpgp set-touch enc off

The program will probably gain support for fingerprint configuration when the new YubiKeys are released.

Yubikeys use the standard keyboard USB driver so they should be hot pluggable on any linux system that is configured to enable hotplug.

I think vzaliva didn't quote the right part, and was referring to how the Yubikey is going to depend on Windows to enroll your fingerprint with it.

Only the static password and one time password modes though. In those modes, the YubiKey acts like a keyboard and literally types out the password when the user presses the button.

The flagship YubiKeys can also act like a smart card. They are PIV compatible and support X.509 certificates. They can also store encryption, authentication and signing OpenPGP keys. GNU Privacy Guard opens the YubiKey as if it was a smart card.

If you wanted the absolutely easiest possible option, you can have yubikeys act as a HID and dump a string of text (password) out. Any machine, without any additional software, that can support a USB keyboard... could then use this.

It works fine currently in Linux. I can’t imagine this would be any different.

I've seen something similar done with a yubikey 5C nano + onboard biometric. I like that more than this because this is a giant dongle sticking out of my computer. Still better than the military's CAC card solution, which seems like the worst of all worlds.

I've read several articles and discussions about the topic, but I'm still a little fuzzy on where biometrics fit in the context of authentication: username, password, just another factor? What is the role of the fingerprint in the case of this key?

Other factor, this is 3rd factor auth.

"Something I know, something I have, something I am". I think "something I am" is difficult to achieve.

I think a lot of people are questioning whether “something I am” is even a good target to aim for at all. As other folks in these comments have mentioned: if your fingerprints/retinas/DNA are compromised, you can’t change them the way you can with a password.

That's why you combine them. Nobody is saying auth should purely be based on biometric. It's all three: Something I know, AND something I have, AND something I am. If your DNA is compromised, you still have the thing you know and the thing you have to keep you secure.

So, they make you write the password down.

Then they take the Yubikey.

Then they take your eyeballs and your fingers.

I'm not so sure I want to encourage them to do #3.

I mean, if someone is forcing me to login at gunpoint, I'll gladly oblige - no need for them to gouge my eye out.

This is not the threat model being used here. This feature is meant to protect you when you forget your yubikey on your laptop while on lunch break, preventing any co-worker from logging in/using the GPG keys stored within.

If someone is willing to do that to you to get to the things behind the password, it wouldn't matter whether you enrolled a biometric factor. At that point it's not a tech problem anymore.

Plenty of people are saying it should be purely biometric. For example, iPhones. (Though they do it better than the vast majority of implementations!)

By nobody, I meant here in this article.

Also, just a nit, iPhones aren't purely biometric. You have to input your PIN after reboot or a long period of inactivity. I'll agree it's still a bit too close to being a password for comfort though.

Something I know: The PIN (password)

Something I have: The Yubikey (hardware key)

Something I am: The fingerprint (biometrics)

So this Yubikey enables 3FA.

PINs and passwords are not the same though, PINs are for devices and usually not intended to be sent anywhere else, unlike passwords. PINs are also protected from bruteforce; that's why they are usually just 4 numbers.

gpg and the OpenPGP card spec calls it PIN, but it's not restricted to numbers and can be quite long, though I don't remember the limit.

Passwords are normally also protected from bruteforce. Many places lock you out for some time after many failed attempts.

The "PINs are for devices" seems kind of arbitrary.

But they can if they want.

Fundamentally, I think PINs in the traditional sense are just passwords with a tradition of particular password requirements.

You can also mention passphrases and say how they're different from passwords, but you can put passwords in fields labeled passphrases and passphrases in fields labeled passwords. They're all functionally the same.

EDIT: From the Password Wikipedia article[1]

> In general, a password is an arbitrary string of characters including letters, digits, or other symbols. If the permissible characters are constrained to be numeric, the corresponding secret is sometimes called a personal identification number (PIN).

[1] https://en.wikipedia.org/wiki/Password

Not sending PIN over the network is the most important distinction between a proper PIN and a password.


From the Wikipedia article you shared:

> In common usage, PINs are used in [...] internet transactions or to log into a restricted website.

EDIT: Also, the IRS uses PINs online[1]:

> Your IP PIN will be displayed to you online once we verify your identity. A new IP PIN is generated for each filing season and can be retrieved starting in mid-January of each year by logging into the account you create.

They even allow you to enter it on paper[2]:

> Paper Return: [...] Enter your IP PIN(s) as applicable in the boxes marked "Identity Protection PIN" in signature area of the return.

EDIT 2: There are also many employee time-clocks that use PINs to authenticate the employees, like this one[3]. You can connect to them through the network to export some nifty reports that includes everyone's PIN, like this one[4].

I'm sure use of PINs is also common with ERPs and POS systems (to authenticate a cashier supervisor authorizing some action), and those are also networked.

EDIT 3: On the Microsoft link you provided, they're talking specifically about the PINs in Windows 10. I wouldn't take that page as talking about all PINs in general.

[1] https://www.irs.gov/identity-theft-fraud-scams/get-an-identi...

[2] https://www.irs.gov/identity-theft-fraud-scams/frequently-as...

[3] https://www.alliedtime.com/Compumatic-XLS-21-Badge-Time-Cloc...

[4] https://www.alliedtime.com/v/vspfiles/assets/images/pdfs/com...

I am just imagining how insane this would have been if it were released 20 years ago, or ten years ago, or even as recent as five years ago.

Meanwhile I just wish I could use my old Yubikey like everyone else. But it seems that outside of walled googlenet there is very low chance for it. It is now second year as yubikey is collecting dust in my drawer. Fuckyou very much google, I really appreciate this.

How is it Google's fault that you can't use Yubikeys on non-Google sites?

I'm not sure I understand what google has to do with it at all? There are a lot of non-google sites that support Yubikey (and others).

I can't stand fingerprint readers. My skin for whatever reason tends to get only about a 20% success ratio over three attempts.

I've done a bit of IT support for old folks. People over 70 typically battle to register their fingerprints and get them working on Apple and Samsung devices.

Ditto. I have found that it has improved slowly over the years as fingerprint readers' sensors have become more advanced. My Pixel 3 gets it almost 60%~70% of the time now (unless my fingers are wet).

Eczema on my hands. One pointer finger's print is totally unreadable to anything. So I get you on that one.

But this device is a simply a step up from the non-biometric enabled units which you can buy today.

Just to remind people who lie behind centrally administered distribution of keys and tokens: the authority can probably always add their thumbs to the prints on the key.

So any belief this implies only your permission-ed access to your work is moot: If its not your computer, you probably don't have an implied right to privacy anyway, and a yubikey with bio isn't going to give you it either.

(maybe a non sequitur, but some people may be assuming this means your local U2F bearing host is YOUR host, but.. not always)
