SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Hands-on review: Yubico's YubiKey Bio brings no-nonsense biometrics to 2FA
Wed, 10th Nov 2021

In 2007, Swedish company Yubico launched the YubiKey 1.0, a one-time password hardware key. Its purpose was to offer a portable authentication key that works across different services. Since then, Yubico has produced many iterations of the YubiKey, including one of the most recent products, the YubiKey Bio.

Form

The YubiKey Bio measures just 4cm long and 1.3cm wide and looks similar to a standard USB stick. There is a round fingerprint sensor in the middle of the device; otherwise, the design is unassuming and understated.

The device is simple to use and set up. It is available in USB-C and USB-A versions, and it has a hole so you can carry it on a keyring or lanyard if preferred.

Function

The YubiKey Bio supports “biometric login on desktop with all applications and services that support FIDO2/WebAuthn/U2F”.

A quick rundown of those acronyms: FIDO2 is a framework that aims to move the world beyond passwords to other methods of authentication, such as two-factor authentication (2FA), hardware tokens and biometrics. WebAuthn is a browser API that supports secure user authentication; it is supported by Google Chrome, Microsoft Edge and Mozilla Firefox. U2F is a standard for 2FA. Basically, the YubiKey can work for authentication across any service that supports FIDO2/WebAuthn/U2F.

While the YubiKey Bio works perfectly well for home consumers who want to add a hardware-based authentication method to their social account logins, it's clear that the YubiKey Bio is geared more towards business users and cloud-first or desktop login environments, particularly as it “works out-of-the-box with Citrix Workspace, Duo, GitHub, IBM Security Verify, Microsoft Azure Active Directory and Microsoft 365, Okta and Ping Identity.”

"Use cases are for authentication to services on shared workstations and mobile restricted environments. The YubiKey Bio can be used wherever FIDO2 or FIDO U2F authentication is available. For mobile devices requiring NFC, we recommend using the YubiKey 5 NFC or YubiKey 5C NFC," says Yubico's APJ director of solution engineering, Alex Wilson.

The YubiKey Bio works across platforms including Windows, macOS, Chrome OS and Linux. I used Windows 11 as my testing platform and found that Windows Security controls the dialog boxes instructing you to insert or touch the YubiKey, set up fingerprints, and set a PIN. This is because Windows natively supports external authenticators with biometric features. But it's important to note that currently, the YubiKey Bio does not work for local PC logins.

Wilson explains, "Simply put, Microsoft Windows 10 and 11 offer inbuilt support to manage external authenticators such as ours, but as yet do not allow you to use them for local login into the platform. If you are using Azure Active Directory or Office 365 products then you can use the YubiKey Bio to log in to those services," he says.

He adds, "Multi-factor options in Windows Hello do create some confusion. There are two different flows to use a biometric identifier depending on what type of biometric reader you have. Some types of laptops include a biometric sensor with the keyboard. In those cases, you can use the fingerprint icon in Windows Hello to use it. The other flow is truly a portable option. The biometric is enabled by selecting the “security key” options in Windows Hello. The difference is that the security key (YubiKey Bio) stores your fingerprint which makes it more secure and more portable as it can be used on any supporting device."

The YubiKey Bio's genius really shines when it comes to apps. It works easily with apps including Outlook, Gmail, Facebook, Dropbox and Office 365. Yubico also has a 'Works with YubiKey' catalogue which lists all compatible apps; just make sure to filter by security protocol FIDO2/WebAuthn and the YubiKey Bio series.

My first test involved browser-based authentication for Gmail. My Gmail is already set up with two-factor authentication. If yours is not, you will need to do this before you can begin. (Simply go to Security, 2-Step Verification, 'Show more options', and select 'Security key'.) I went through a similar process for other platforms including Twitter, Facebook, and Outlook. It's fast, and it's easy. Voila, 2FA at the touch of a YubiKey.

Every time I need to log in, I simply go through the 2FA process. For the biometric authentication, I simply touch the YubiKey, complete my other authentication method, and I'm in. If, after three attempts, the YubiKey doesn't accept my fingerprint, I just enter a PIN, much in the same way that my phone does when I try to unlock it with wet fingers.

I note that Yubico also offers the Yubico Authenticator app, which is not a mandatory piece of software (the YubiKey is designed to work with no additional hardware or software). I was curious to see what additional features it provides.

Wilson explains, "The Yubico Authenticator is a user-based application to support YubiKey functions, which now include the ability to register fingerprints, view what services (Office 365, Facebook, etc) have been registered with the YubiKey Bio and reset the YubiKey Bio."

Verdict

The YubiKey Bio will doubtless be compatible with more platforms as FIDO authentication protocols become more common.

"The number of online services and common applications that are supporting FIDO2 and FIDO U2F client authentication is increasing over time. The FIDO2 protocol continues to be enhanced with additional management features and platform support being added. The FIDO U2F protocol has been available since 2014 and was launched within GSuite applications at that time. This was then closely followed by Facebook, Dropbox and others thereafter," Wilson adds.

The YubiKey Bio is easy to use, a no-fuss way to make multi-factor authentication painless and simple, and a recommended security tool for businesses and consumers alike.