1) This is an upgrade to the touch sensitive button that's on all YubiKeys today. The reason you have to touch the key is so that if an attacker gains access to your computer with an attached Yubikey, they will not be able to use it (it requires physical presence). Now that touch sensitive button becomes a fingerprint reader, so it can't be activated by just anyone.
2) The computer/OS doesn't have to support anything for this added feature.
> 1) This is an upgrade to the touch sensitive button that's on all YubiKeys today. The reason you have to touch the key is so that if an attacker gains access to your computer with an attached Yubikey, they will not be able to use it (it requires physical presence). Now that touch sensitive button becomes a fingerprint reader, so it can't be activated by just anyone.
I'd like it to work that way but when I'm reading the article it doesn't explicitly say that (only mentioning integration with Azure that's not interesting for me).
Is there any authoritative info that the fingerprint reader will work as touch button but with verification of fingerprints in all scenarios? (like touch-to-use on OpenPGP applet, U2F applet etc.)
> The reason you have to touch the key is so that if an attacker gains access to your computer with an attached Yubikey, they will not be able to use it (it requires physical presence).
Additionally, it prevents brute force attacks on the hardware.
Only if you keep your key and computer hardware separate.
Some hardware keys are being built into devices, or are left in them semi-permanently (to be fair, physical attacks aren't a real concern for most people)
No - what I meant is exactly that a hardware key permanently left in a computer is still safe from brute force attacks by software running on that computer (which could be Javascript on a website the user visited) because it requires physical interaction for each single operation it performs.
Yeah I would like this for a yubikey I leave plugged into a machine, like my desktop at work. That way I don't have to fish the one I carry on my keyring out of my pocket and remember to bring it home.
For cases like this, when people leave their key permanently attached to a device, it would be nice if the device itself had this functionality built in. I mean, the iPhone already has a secure enclave to store this kind of sensitive data.
There is a web service using exactly such a mechanism for U2F in browsers: https://krypt.co/
This works through an addon in the browser rather than native functionality but the system is secure enough that I use it as a backup for some of my 2FA services in case I lose my TOTP keys.
A fingerprint is only going to stop a very opportunistic attacker. Someone who already has your desktop and app password and physical access to your desktop can probably get a fingerprint off a glass, cup or something else.
I don't think this product is as useful as it seems at first glance. Using stronger passwords is probably just as safe.
But I am no tptacek so I may be completely wrong :)
> A fingerprint is only going to stop a very opportunistic attacker. Someone who already has your desktop and app password and physical access to your desktop can probably get a fingerprint off a glass, cup or something else.
I do hope you realize this raises the amount of work the attacker has to do to actually get access to your device. It's a little like saying a second lock on your door is not going to stop anyone, but in practice statistics are clear: adding one more layer, even if that layer can be defeated as well, reduces the chance of a successful attack, or deters the attacker in the first place.
For most people, their threat model is someone in their home, office or circle of acquaintances snooping on their computer - either casually or with criminal intent but little savvy. These are not sophisticated actors, they are not lifting fingerprints off glasses.
Anyway, Yubikey is only a second factor - not your entire security strategy - and I think it is made a bit stronger with a biometric, that's all.
A fingerprint is only going to stop a very opportunistic attacker. Someone who already has your desktop and app password and physical access to your desktop can probably get a fingerprint off a glass, cup or something else.
The people most of us work with have physical access to our computers and they could probably shoulder surf a short password (use a password manager!). I don't imagine any of them could successfully lift a fingerprint sufficiently well to fool a biometric reader. It looks easy in perfect conditions on YouTube but in the real world it's a bit harder.
I hope not anyway because my office has fingerprint access.
Funnily, this might actually stop the YubiKey from being triggered inadvertently by my lap. The number of times I have broadcasted OTP codes on Slack is embarrassing.
If you're looking to fix this, you can use the guide below.
I've had vim open when on accidental presses before, and that always made me panic. The stuff on your screen can start jumping around like how movies always portray "hacking". If it wasn't for tools like gundo, I'd always be wondering if I ran undo enough or if I went back too much.
I now have long-press disabled by default, but I used to be in a state of constant worry.
I actually plug in my nano key upside down while I am not using it. Inadvertent texting aside, I had real issues when programs like Lightroom suddenly started acting on dozens of random text shortcuts.
As someone that does a lot of rock climbing, no fingerprint readers work for me. I lose skin off my hands on a daily basis. I know not all products are made for all people, but if my (extremely security conscious) employer ever implements something like this I'm screwed.
You get flappers on your first pads or what? I'm also a climber and impressed with how consistently fingerprint login works on my phone no matter how much I climb.
I don't climb rocks and my finger is recognized maybe 50% to 75% from my phone and only under good circumstances. If they are wet or dirty forget it.
There are probably just different recognition technologies around and my phone probably uses a very cheap one.
Personally I don't really care about biometric protections, because they can very often with more or less effort be copied and faked and once they are leaked, you cannot change them easily yourself.
My experience is that using Argan oil right after climbing solves this for the next day. The combination of a nights rest and Argan oil almost always does the trick. The times it did not work was when I had a more serious skin injury.
I'm rock climbing as well and I developed a similar biometric token for my company. My experience is that the thumb works best, as you usually don't use your thumb a lot for rock climbing compared to the other 4 fingertips.
You'll have company-provided proof that the lack of fingerprints can be overcome with reasonable accommodation. Feels like that should be grounds to mount a (moral, at least) defense, but I'm no lawyer.
Jesus, calm down. The parent experienced something that a ton of climbers do. Literally search any climbing forum for this topic. When I’m climbing frequently, I have to reset my iPhone Touch ID about every two weeks. When I’m not climbing, I never have to reset it.
Are there any credit card sized YubiKeys yet? Also, how come MacBooks don't come with NFC yet? Carrying keys is not something I've done for 10 years or so.
What I'd really like to see is government ID that works somehow similarly to how domain certificates work - you can either use your ID as a yubikey or authorize/mint multiple additional keys using the same certificate chain...
My country's ID has a chip that requires you to run a Java applet in the browser. Nobody uses that shit. Other options are logging in via internet banking (people are flocking away from traditional banks in Europe to Monese, Revolut and the like) or via SMS while using a special SIM card (requires paid membership from oligopolistic mobile providers). It's so modern that you are locked out from your government digital services if you live abroad...
What I would recommend is buying an off-the-shelf retractable lanyard [1] and putting a Yubikey on it. I do so myself, and it has a number of advantages:
* You cannot leave your computer alone with Yubikey plugged in (especially useful when combined with modifying your PAM stack to lock the screen when yubikey is plugged out [2])
* Plugging in a Yubikey that's on a bulky keychain is cumbersome
* Yubikey on your neck can be a great conversation opener :)
I remember having a Dell Latitude laptop with both a contacted smart card reader and an NFC reader near the trackpad.
The uses would be bulletproof authentication with client certificates. Your identities can live on a physical card (instead of “hacks” like password managers which are a pain to sync, etc) which you can use on any machine (laptop, phone) and taking the card away inherently prevents the machine from using your credentials down the line no matter how evil it is. It also allows your identities to be carried over from the physical world to the internet - your existing bank card can be used for online banking instead of a separate login that can be reset by an attacker, and your biometric passport or national ID card allows you to login to pay tax or similar government tasks.
FeliCa readers have been in Japanese laptops like the Vaio since 2006. Not sure if that is NFC or not. It's the system the public transportation virtual cash cards use. They were added to let you make your expense reports by scanning your company provided transportation cards.
I have mixed feelings about this. The form factor is great as a second factor, but I don’t trust fingerprints as a primary auth factor due to (1) existing precedent of bugs in fingerprint recognition (2) that you can’t revoke your fingerprint, and (3) that Yubikeys are somewhat easy to lose.
This is strictly an upgrade from the old button though, as this is a single form of physical security vs zero. If used with a password, the key is only secure in computers with the password, AND it has to be you pressing.
Fingerprints are not very secure, but as this is meant to be only for physical access with the password, it's much better than before.
The use case we're all familiar with is that the YubiKey acts as the second (physical) factor. In that use case, this is great, because now you can opt to make the login three-factor: something you know (password), something you have (the fob), and something you are (your fingerprint).
However, Yubico has also been pushing the password-less login angle. If you look at the FIDO 2/WebAuthn standards and the new capabilities in the current generation of YubiKeys (YubiKey 5's), there's a new capability called a resident key. This removes the dependence on passwords entirely. Currently you can protect that key with a password. I believe this new thumbprint reader allows you to unlock the resident key with a thumbprint. That's what would bring it to parity with built-in thumbprint readers on laptops.
Passwordless login currently exists in the form of thumbprint readers (like on Thinkpads and those Samsung phones that recently showed they had a major flaw) and face recognition (laptops and phones). In the case of facial recognition, I think the convenience benefit is worth the security tradeoff. However, I'd be nervous about using passwordless fingerprint authentication on my YubiKey because that thing is so much easier to lose track of, and I don't trust fingerprint recognition.
If you assume state actors can compromise the supply chain with impunity your Yubikey is the least of your concerns I would think. Why wouldn’t they just place a hardware implant in your computer :).
There is no potentially detectable 'implant' required in these cases, it can be sufficient to capture a factory initialized private key.
The supply chain of computers is enormous, and only a tiny fraction of computers available are interesting to compromise. This would make it astronomically expensive to compromise a significant fraction of all computers that are useful to compromise, and the risk of detection would be fairly high. The market of security keys is relatively small and a significant portion are worth compromising; compromises there are much more effective.
If state actors do not completely compromise the manufacture of these keys then they are extremely incompetent and derelict in their duties.
Put another way, if the {pick your boogeyman state} government started issuing hardware cryptokeys and suggesting you use them as a single factor access to your servers, what would you think of that?
Would your opinion be improved if they just didn't announce that they were the boogeyman state and instead did business under a cover company?
Do you have any realistic means of determining that this isn't happening?
"I let someone else generate my secret keys for me" is a failure at the most basic level of security, and that failure isn't removed by them also putting the secret keys in a potted, opaque, and unauditable hardware device.
Yubikey as a second factor is a fantastic improvement-- it's a quite strong protection against attackers who couldn't compromise the keys.
Yubikey as a single factor is simply key escrow with extra steps.
Claiming that trusting the device's own 'fingerprint permission' is two-factor is deceptive, since an attacker who has compromised the device's construction, design, or confidentiality of its state only faces one-factor security.
What I'm hoping is that it can be used as a more secure version of the button that the other keys have. That is, if I get this, I wouldn't use the fingerprint without the PIN. I hope I can use both for a single authentication.
You cannot revoke your fingerprint, but your fingerprint is just unlocking a private key. You can revoke that private key. So if you lose the YubiKey you can still revoke that YubiKey.
Correct, you can revoke the YubiKey itself, although the actual mechanism to do that is implemented by the web app you're authenticating with, not some central registry, so other than conventional expectations, your mileage may vary. You can also hopefully re-enroll the YubiKey after you change the fingerprint.
To my knowledge (electrical engineer) there is no usb-c connector with solid strain relief. I haven't been looking for one specifically but I've been looking at upgrading a project to usb-c.
All the usb-c connectors I know have soldered body connections, which makes for a really poor mechanical bond. Solder joints are full of mechanical stresses and the only thing preventing a bend is the copper delaminating from the pcb.
In usb-a, any bending has to break the entire substrate. Decent plated contacts will outlast the connectors they're plugging into. On top of that you can plate something like a yubikey on both sides if you wanted to, so the only advantage is size and it's not like you're plugging these things into your phone. As long as computers still have a single usb-a (and they should, if only for backwards compatibility) it's a non-issue, IMO.
USB-C connectors also accumulate dust in a way that prevents the connector from staying fully plugged in. They are very hard to clean out if the dust clumps together. The original USB-A and USB-B connectors did not have this problem and they could be cleaned easily (as long as the equipment was powered off...)
Similarly to how some cheap electronics cover the "confidential" portions of their PCBs and some components to obscure them with epoxy, wouldn't you be able to cover the connector with that for some strain relief?
Yeah, with a waterproof connector. However there's a reason yubikey uses just a float board connector and most of those itty bitty wifi/bluetooth usb-a dongles have custom connectors: the connector and solder joint are much more rigid than the surrounding epoxy. It's just a reality of them being metal joints.
What I mean by solid strain relief is basically a plastic float that bridges the soldered connections to the connector body. I haven't seen one like that, but it's necessary to isolate the connector itself from the board and soldered bits. Covering the whole thing in goop helps for excessive force, but does almost nothing for the everyday wiggles that eventually cause connections to loosen. You need built in flex for that.
Sure, but integrating cords into manufacturing is a huge pain in the ass and usually done by hand. Honestly I'd rather see something kind of like this[1], where the body was totally flush with the computer (or as close to as possible) and the reader was facing outwards instead of up. That wouldn't fit in the pocket for shit though.
They've got the best kind of connector I've seen[1], with soldered joints on both sides of the board and a little wrap around, but it's still not as solid long-term as the USB-A keys. Over time the solder will start to crack. It also requires a much thinner board, so it's fragile because of that.
With a high-quality product like a 2factor key, this may not be an issue. But wifi/bluetooth/SDR dongles and adapters get made to much lower standards and with cheaper solder. Cheap solder is far more prone to degradation.
And one of mine already jiggles and has unreliable connection because of stress. I've cringed when I accidentally yanked my computer not realizing it's charging or connected to something else.
My next macbook, I'm definitely buying those 3rd party magsafe-like dongles that sit in my usb-c ports!
> My next macbook, I'm definitely buying those 3rd party magsafe-like dongles that sit in my usb-c ports!
Do you have any recommendations on brands by any chance? I don't know anyone who has them, but I've been considering getting a couple for my phone and random devices that use usb-c.
you could maybe sniff OTP over it but to time it with an attack, you’d still need quite a few other things. I wouldn’t get a wireless yubikey personally but I can see how some might prefer the convenience over security
You mean if you get a cut on the finger you registered. On this page[1], though, it says it would support "[storing] multiple fingerprints", so that should help in that case.
Hmmm, I wonder if there's a way to set this up with a "duress" fingerprint, that'll unlock a special/different key and log you in to completely vanilla accounts instead of your real ones?
That is a must. I recently started skateboarding, and wiping out and grabbing the sandpaper-like surface makes my fingerprint scanner not work for about 2 days!
I currently have multiple keys. One I carry on me and one I locked in our firesafe with other important documents.
The way I see it, I would want the bio version to be the one on my person. I still have the other put away where it won't be lost.
I lose my hand? Still have a backup. I lose my key? Backup and maybe I have a little bit of extra time to update my bank MFA while the thief figures out the fingerprint situation.
That's been my biggest struggle, I want a primary and backup key but almost every service I use only allows one at a time. I cannot duplicate the same key because it increments internally to avoid replay.
What most comments are missing here is that WebAuthn is a replacement for passwords. You know the "123456789", "jim1966", "monkey123", etc. With this key, remote attackers are completely neutralized. That's the bulk, if not almost all, of attacks usually.
It is not a password replacement, you still need multiple factors of authentication. Yubikey satisfies the "something you have" factor, your password is still the "something you know". Your password can be learned but should not be usable without something you have. Your token can be taken but should not be usable without the something you know. Fingerprints are not infallible, it's more a confidence of a match than an exact match - Samsung was just in the news because someone figured out how to trick their sensors to read a false positive. Having a password also would keep that from being exploitable. Also keep in mind that the current school of legal thought in the US is that biometrics don't qualify for 5th Amendment protections whereas passwords do - police can force you to put your finger on a reader, but they can't force you to give a password without judicial review.
You missed my point entirely. So I repeat it here: most attacks are online attacks, remote in nature, so even a physical security key without a fingerprint reader is still superior to passwords and would mitigate the majority of attacks. WebAuthn [1] is not the same as 2FA. That's a different standard and it is meant to replace passwords. The fingerprint reader on this new yubikey is an additional measure against someone in close proximity of your physical key being able to use it.
You do not need 2 factors with this solution, which is the whole point. This isn’t a 2FA token anymore. 2FA was a mitigation against phishing and credential theft. This solves that problem with a single factor. It is a password replacement.
If I were defending against legal duress, then I would design the system to require my MFA and there would be a prompt to a team in another region that has to "approve" my login real time. This method is not perfect, because that team has to be an entirely different company/organization to not be included in the same legal order and there are other legal issues with that setup. I am not a lawyer and would never pass the bar. Anyway, my MFA would decrypt part of the key and the other team would provide the remainder of the decryption of the key if they approve my access. Some old secure mainframes were setup in this fashion.
I'd still prefer MFA for important stuff, because two factors are better than one. Since the one thing we know about security is that we don't know or understand it that well, and time works against security engineering.
Yeah, it may be a decent tradeoff for those who don't want the increased effort of entering two factors. Password + key. For those who don't trust the fingerprint reader that much, it does upgrade you to effectively 3 factors; password, key, and finger.
This is so cool. What I am worried about using fingerprint is that they are either stored on a laptop or a smartphone. You have to trust a lot of hardware, the whole software stack made by many third parties to protect that data.
With this key, that's already many less parts to verify and trust.
Let's hope it's not easily reverse-engineerable and the key is never shared with Yubikey.
Again: fingerprints are absolutely unsuitable as 'passwords'. They are at most usernames. Because they can't be changed regularly, are left around for people to find (on the yubikey device itself!), are readily connected to you as a person, and have terrible entropy (a few bits).
You understand that in this flow the password isn't used, right?
You plug the key into the Windows PC, and you put your fingertip on the sensor and you're signed in. That's two factors, "Something you have" and "Something you are" not three.
But that's not how most Yubikey flows are implemented. For an AWS console, you sign in with a username and password, then tap the contact on your Yubikey. The only difference here is that the key now only works with your fingerprint and not any random person's.
You're correct, that's not how most flows are implemented. But it is the new flow enabled by this device.
For your AWS sign-in obviously it won't need a fingerprint, and so it'd be kind of silly for the demo to be "this more expensive product works like the older cheaper product you already have"; they wanted to show off the new feature, which is the "resident credential" user verification mode.
It's just another layer on top of an already well built crypto system.
It can prevent someone that gains physical access to your yubikey from easily using the device.
It might not stop a very advanced attacker, but it at least makes things more difficult.
No. Passwords can be phished. Even password+OTP has proven to be weak. This cannot be phished, and it’s far more user-friendly.
The fingerprint is not a password replacement. The yubikey is a password replacement. The fingerprint prevents a random person from using your yubikey before you notice that it’s gone and you revoke it.
IBM have a product that works like this. You get a prompt on your computer to check your phone, and then you use biometrics on your phone and the website logs you in.
not exactly what you're asking for, but you could look at DUO. That can do a push notification to your phone, which would require you to unlock your phone to authorise, but doesn't require typing anything.
It's actually easier to support this in Linux than a "conventional" PIN-based FIDO2 token because the Linux system doesn't need to arrange to read a PIN from the user and send that to the token, the token is going to read the user's fingerprint instead.
If you just want a second factor, it'll work like an old FIDO device, which you might be familiar with for U2F - everything is already in place, loads of people are doing this including with Yubico's existing FIDO2 (pin-based) product.
If you want this to be the sole factor (as in the Windows demos or for a site where the convenience of one touch login is good but you don't need MFA security) that ought to work with WebAuthn out of the box, but I actually haven't seen a demo, so I can't say this from personal experience even though I own a FIDO2 token.
Thanks. So that‡ works on my Windows gaming laptop with Chrome, but not (with the same FIDO2 token) with Firefox including on any of my Linux systems (I don't run Chrome on Linux so did not test). Plenty of work to be done there apparently. Good to know.
‡ Referring to "Go usernameless too" which is the mode where a PIN is needed. All the other modes are just plain FIDO and don't need any further verification, and they work just fine on all my systems with any of my tokens.
The flag you're talking about is (as its name hints) about the legacy U2F which can't do this flow at all. As I explained this already works fine and I use it every day.
Using the FIDO2 Yubikey as sole source of truth replacing usernames and passwords is not available in U2F that's a WebAuthn feature only and apparently it doesn't work in Firefox yet which is disappointing.
I /presume/ that no Linux desktop setups today actually support this workflow for user login, which is one of the things touted for Windows.
For Firefox since they advertise support for WebAuthn I /presume/ that the browser will do all the PIN prompts and so on to make this work, but again I have never seen this even _demonstrated_ let alone used in anger. The browser feature doesn't help you if the PC has booted and is at the login screen though, no browser there (yet?).
I own a device (Yubico's own "Security Key 2") which supports this workflow and I've played with it on a demo Windows setup, and though I'd probably never use it to sign into my Linux PCs I'd try it out because I'm a nerd. This device works fine as a FIDO key for my WebAuthn accounts and is enrolled at GitHub etcetera for that purpose but then so does my much cheaper Key-ID FIDO key.
Edited to add: There are a couple of replies now talking about non-FIDO flows like Smartcards or whatever. Some of Yubico's other devices can do these, but we're talking about FIDO2 like this new Yubikey, those flows aren't relevant.
> I /presume/ that no Linux desktop setups today actually support this workflow for user login,
I login to my Linux desktops with a Yubikey and its PIN. I have it configured as a OpenPGP smartcard, and to authenticate (for login, raising privileges with sudo, or unlocking the screen, etc.), I use the poldi[1] PAM module.
One thing that has been frustrating with the OpenPGP setup with the Yubikey has been the inability to re-add the stub key entries after they are deleted from the host. I do edit-card, unlock and fetch but the entry doesn't show, rendering it useless in `gpg`.
"fetch" fetches from the URL you set in the card/Yubikey. If you put the public key on an HTTP server and put the URL in the Yubikey (with the "url" command after enabling "admin" commands), you can fetch it with "fetch".
Getting the public key out from an OpenPGP smartcard otherwise is not supported by the protocol it uses. That is frustrating that it wasn't included in the protocol, but I've gotten over it.
After you've imported the public key, getting the private key stubs is a matter of checking the status of the card with `gpg --card-status`. The stubs are added then.
If you have another machine that has the public key, you can export it with `gpg --export -a $key_identity`, and import it with `gpg --import < $exported_public_key_file`.
Otherwise, if you don't hold another copy of the public key, the only option left might be to make a new keypair and be careful to not lose all copies of the public key again.
Also, if you backup the private key, you can get the public key from it by importing it somewhere.
Regarding your edit the problem here is that you assume that U2F/FIDO is some sort of a new, separate thing when in fact it can be just one 'program' or applet of your device which can support others, that are more suitable for logins. FIDO just wasn't designed for it.
Just because this or some other Yubico devices might not allow it doesn't mean others don't. AFAIK for instance Feitian ePass supports GIDS applet, which you can install on smartcards too. And yes, you can install U2F applet on smartcards also.
I was going to say how associated software is not required to use some features, but I see that what you quoted continues with:
> The key seamlessly integrates with the native biometric enrollment and management features supported in the latest versions of Windows 10 and Azure Active Directory, making it quick and convenient for users to adopt a phishing-resistant passwordless login flow.
So I'm also curious if this indicates that biometric enrollment is not going to be added to yubikey-manager or yubico-pam.
I think they’re talking about Windows Hello in that blurb, not requiring some special Windows software to enable the fingerprint sensor. That would be very much against their philosophy of keeping all the processing on the device.
FWIW, the current YubiKey does everything on the device, not much of a stretch for it to also do the fingerprint sensing there too.
I think the concern is how would you tell the key that you want to enroll a fingerprint with it? On Windows, you'd use Windows software, but Linux has no such biometric management software as far as I know.
This will surely need enough computer help to initiate the process, but the actual biometric data is likely on the dongle itself.
Alternatively, the dongle could produce a wrapped key blob that contains a fingerprint. This would look almost like a normal FIDO enrollment and would allow multiple users to share one dongle with access to different keys.
Hopefully. The concern is if what the article says is indication that they won't, or at least not for some time. Does "does not require associated software because Windows doesn't need it" mean that they didn't see a point in making the associated software for a user minority? That's what I think the concern is.
I believe the device performs its biometric verification entirely on device. The operating system should see the key no differently than a regular non-biometric key.
The biometric verification, yes, but you need to somehow register/enroll a fingerprint with it. The article says that it's going to depend on Windows' native biometric enrollment and management for that.
Enrollment is a FIDO thing. If you have a FIDO key then you've done enrollment, it was that first time you had to press the button when you'd already signed in and were adding it as a second factor.
For a fingerprint (or like, I dunno, a pinprick blood sample, or maybe they'll make one that requires a freshly plucked hair from your head) that enrollment step just adds a boolean flag saying the Relying Party demands the user's identity be verified by the device during enrollment and any subsequent authorisations.
It's sort of on the honour system, except, if you actually demanded this (maybe in a corporate environment?) FIDO has a mechanism for devices to provide a certificate proving which batch of devices they're from, so you could say OK, I trust Yubico's BioKey 4.1 and BioKey 4.2 and the FooCorp EyeBallSlicer 1000 but any other devices aren't allowed to enroll. If you then found out the BioKey 4.1 can be fooled by breathing on it instead of a fingerprint you'd remove that from your whitelist.
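The "user verified" flag and the device allowlist described in the comment above, as a relying party would check them in the authenticator data of a WebAuthn/CTAP2 registration. This is an added example, not code from Yubico or from any commenter; the AAGUIDs and the sample bytes are constructed, and the attestation certificate chain that actually makes the AAGUID trustworthy is not verified here.

```python
"""Relying-party checks on FIDO2 authenticatorData (added example, constructed data)."""
import hashlib
import struct

# Flag bits in the authenticatorData flags byte (WebAuthn / CTAP2).
UP, UV, AT = 0x01, 0x04, 0x40  # user present, user verified, attested credential data present

# Hypothetical allowlist of authenticator models; these AAGUIDs are made up for the example.
ALLOWED_AAGUIDS = {
    bytes.fromhex("00112233445566778899aabbccddeeff"),  # placeholder: "BioKey 4.2"
}


def parse_authenticator_data(data: bytes) -> dict:
    """Split the fixed 37-byte header and, when the AT flag is set, the attested credential data."""
    rp_id_hash, flags = data[:32], data[32]
    sign_count = struct.unpack(">I", data[33:37])[0]
    result = {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count, "aaguid": None}
    if flags & AT:
        result["aaguid"] = data[37:53]                      # 16-byte model identifier
        cred_len = struct.unpack(">H", data[53:55])[0]      # credential id length, big-endian
        result["credential_id"] = data[55:55 + cred_len]    # COSE public key follows (not parsed)
    return result


def check_registration(data: bytes, rp_id: str, require_uv: bool) -> str:
    """Return 'ok' or the reason the registration would be rejected."""
    parsed = parse_authenticator_data(data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return "wrong rpId"
    if not parsed["flags"] & UP:
        return "no user presence"
    if require_uv and not parsed["flags"] & UV:
        return "user verification required but not performed"
    if parsed["aaguid"] is None:
        return "no attested credential data"
    # Only meaningful once the attestation statement's certificate chain has been verified;
    # without that, the AAGUID is self-reported by the authenticator.
    if parsed["aaguid"] not in ALLOWED_AAGUIDS:
        return "authenticator model not on allowlist"
    return "ok"


def build_sample(rp_id: str, flags: int, aaguid: bytes) -> bytes:
    """Constructed authenticatorData for testing; credential id and public key are dummies."""
    cred_id = b"\x42" * 16
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 1)
            + aaguid + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0")  # \xa0: empty CBOR map


if __name__ == "__main__":
    good = build_sample("example.com", UP | UV | AT, next(iter(ALLOWED_AAGUIDS)))
    print(check_registration(good, "example.com", require_uv=True))  # ok
```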
Firefox (and maybe Chrome?) let you blank this out basically, so sites can either accept that you won't tell them what device it is or they can refuse to let you enroll. I can imagine _maybe_ making an exception for my bank or government, but any other site can fuck right off.
Doesn’t that imply that each fingerprint registration becomes per website? So if you want to add a second finger to the device after the fact, you can’t just add it globally to the device but need to do that on a per-credential basis?
I’d be very surprised if anything, including the enrollment, happened off the device. Likely all it involves is sending a “register my fingerprint now” message being sent to the YK, you touch it, then the YK works as expected. They already provide a Linux-native “YK management” program, presumably it just needs to be updated.
It uses a standard protocol (CTAP2 - https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-cl...) that's part of the standards for FIDO2. IIRC as long as your OS lets your application speak to the YubiKey over USB, you should be able to use this in the application. In the browser, you can just use WebAuthn.
Only the static password and one time password modes though. In those modes, the YubiKey acts like a keyboard and literally types out the password when the user presses the button.
The flagship YubiKeys can also act like a smart card. They are PIV compatible and support X.509 certificates. They can also store encryption, authentication and signing OpenPGP keys. GNU Privacy Guard opens the YubiKey as if it was a smart card.
If you wanted the absolutely easiest possible option, you can have YubiKeys act as a HID and dump a string of text (password) out. Any machine, without any additional software, that can support a USB keyboard... could then use this.
What happens if you lose your yubikey? Are you then locked out of your accounts? Or is there a backup way to get in, and if so does that make the yubikey kinda pointless anyway?
You could generate keys off the device and keep a copy elsewhere, allowing you to revoke the device's sub key and generate a new one for a replacement device.
You could have two, and only carry one. (Big downside is that you need to fish out the backup every time you register for something new.)
You could use something else as a second factor as well, and just treat the device as a more convenient option than looking up and typing in a TOTP code, say.
I've seen something similar done with a yubikey 5C nano + onboard biometric. I like that more than this because this is a giant dongle sticking out of my computer. Still better than the military's CAC card solution, which seems like the worst of all worlds.
I've read several articles and discussions about the topic, but I'm still a little fuzzy on where biometrics fit in the context of authentication: username, password, just another factor? What is the role of the fingerprint in the case of this key?
I think a lot of people are questioning whether “something I am” is even a good target to aim for at all. As other folks in these comments have mentioned: if your fingerprints/retinas/DNA are compromised, you can’t change them the way you can with a password.
That's why you combine them. Nobody is saying auth should purely be based on biometric. It's all three: Something I know, AND something I have, AND something I am. If your DNA is compromised, you still have the thing you know and the thing you have to keep you secure.
I mean, if someone is forcing me to login at gunpoint, I'll gladly oblige - no need for them to gouge my eye out.
This is not the threat model being used here. This feature is meant to protect you when you forget your yubikey on your laptop while on lunch break, preventing any co-worker from logging in/using the GPG keys stored within.
If someone is willing to do that to you to get to the things behind the password, it wouldn't matter whether you enrolled a biometric factor. At that point it's not a tech problem anymore.
Also, just a nit, iPhones aren't purely biometric. You have to input your pin after reboot or a long period of inactivity. I'll agree it's still a bit too close to being a password for comfort though.
PINs and passwords are not the same though. PINs are for devices and usually not intended to be sent anywhere else, unlike passwords. PINs are also protected from brute force, that's why they are usually just 4 numbers.
Fundamentally, I think PINs in the traditional sense are just passwords with a tradition of particular password requirements.
You can also mention passphrases and say how they're different from passwords, but you can put passwords in fields labeled passphrases and passphrases in fields labeled passwords. They're all functionally the same.
EDIT: From the Password Wikipedia article[1]
> In general, a password is an arbitrary string of characters including letters, digits, or other symbols. If the permissible characters are constrained to be numeric, the corresponding secret is sometimes called a personal identification number (PIN).
> In common usage, PINs are used in [...] internet transactions or to log into a restricted website.
EDIT: Also, the IRS uses PINs online[1]:
> Your IP PIN will be displayed to you online once we verify your identity. A new IP PIN is generated for each filing season and can be retrieved starting in mid-January of each year by logging into the account you create.
They even allow you to enter it on paper[2]:
> Paper Return: [...] Enter your IP PIN(s) as applicable in the boxes marked "Identity Protection PIN" in signature area of the return.
EDIT 2: There are also many employee time-clocks that use PINs to authenticate the employees, like this one[3]. You can connect to them through the network to export some nifty reports that includes everyone's PIN, like this one[4].
I'm sure use of PINs is also common with ERPs and POS systems (to authenticate a cashier supervisor authorizing some action), and those are also networked.
EDIT 3: On the Microsoft link you provided, they're talking specifically about the PINs in Windows 10. I wouldn't take that page as talking about all PINs in general.
Meanwhile I just wish I could use my old Yubikey like everyone else. But it seems that outside of walled googlenet there is very low chance for it. It is now the second year that my yubikey is collecting dust in my drawer. Fuck you very much google, I really appreciate this.
I've done a bit of IT support for old folks. People over 70 typically battle to register their fingerprints and get them working on Apple and Samsung devices.
Ditto. I have found that it has improved slowly over the years as fingerprint readers' sensors have become more advanced. My Pixel 3 gets it almost 60%~70% of the time now (unless my fingers are wet).
Just to remind people who lie behind centrally administered distribution of keys, tokens, the authority can probably always add their thumbs to the prints on the key.
So any belief this implies only your permission-ed access to your work is moot: If it's not your computer, you probably don't have an implied right to privacy anyway, and a yubikey with bio isn't going to give you it either.
(maybe a non sequitur, but some people may be assuming this means your local U2F bearing host is YOUR host, but.. not always)