• Home » Blog » Getting a biometric security key right

    Getting a biometric security key right

    Today, we are excited to share some updates regarding the next highly-anticipated members of our YubiKey family: the upcoming YubiKey Bio in both USB-A and USB-C form factors. The YubiKey Bio will be the first product to introduce biometric capabilities (in addition to PIN) to our portfolio of YubiKeys. 

    Yubico has been considering adding biometrics to our line of security keys for quite some time, and while biometric authentication seems straightforward at first, there is quite a lot of engineering to get it right and meet the standards that people have grown to expect from a YubiKey. A great piece of hardware does not live in isolation; it needs to work with a larger ecosystem to be usable. When we launch new products, we set the highest bar for security, usability, durability, and design, and we do everything in our power to not compromise on any of these traits.

    The FIDO-enabled YubiKey Bio is currently in private preview, being tested and reviewed by many of our enterprise customers and technology partners. We have received excellent feedback on our product designs, and now our goal is to further ensure that the overall user experience is smooth with a wide range of platforms and FIDO-based use cases.  We welcome you to sign up here to receive updates on the YubiKey Bio, including those about general availability.

    Below, we are sharing a short video demonstrating how the YubiKey Bio works, sharing some behind-the-scenes information on the engineering process, and diving into some of the considerations when using a biometric authenticator such as the YubiKey Bio. 

    Why biometrics?

    The concept of using biometric and fingerprint sensors for user verification has been around for decades. However, wider user acceptance was achieved with general availability and accessibility of fingerprint sensors in smartphones. It is end-user convenience that has been driving this adoption, not necessarily security.

    The challenge with biometric authenticators has been to get cross-platform support, standardization, and a good user experience much like what already exists with biometric sensors that are built into laptops, tablets, and mobile phones. Fortunately, FIDO2 has helped this cause by expanding from user touch to also support biometrics, including fingerprints, facial recognition, etc. Yubico continues to work with browser platforms and the FIDO ecosystem to optimize the user login flow, but there is still work to do for a seamless experience for both consumers and enterprises, consistently across different end user devices.

    Usability considerations for biometrics

    On smartphones, fingerprint authentication is an integral part of the system. A screen and well-defined user interface makes it fairly easy and intuitive to set up a fingerprint on a mobile device and manage lockouts. The story is different for a small, portable security key like the YubiKey that needs to work across platforms and services.

    As opposed to a correct PIN, a correct finger cannot always be read by fingerprint sensors. Variables in skin texture, such as moisture or temperature, can introduce scanning issues. To address this, the YubiKey Bio will default to biometrics, but will allow the PIN to be used if there are issues.

    Biometric authentication can be a convenient alternative to typing a PIN, especially when the user needs to authenticate to a system multiple times per day. However, with FIDO, the leading online services do not always require daily use of either a password, PIN, or a security key, which already adds improved convenience for users. For example, after registering a YubiKey to services and applications, a user may only need to authenticate once to make the phone or computer a trusted device, and may only need it again for new devices or risky operations. 

    This unmatched user experience for strong authentication is a core reason the FIDO standards are winning mass adoption. Users should keep this in mind when considering the YubiKey Bio for the purpose of simplicity or ease of use; for non-daily use it may not have as great of an impact on convenience compared to use cases where authentication is more frequent.

    Security and privacy features of the YubiKey Bio

    Yubico will never compromise on security, and it’s imperative to protect the privacy of our users. Biometric sensor technology has come a long way in recent years. However, there are still security tradeoffs. Artificial fingerprints (spoofs) can still be used to impersonate a user and we felt that it was important enough to consider that, in addition to other biometric-specific threats, as part of our threat models when we began engineering the YubiKey Bio.

    For example, in 2015, the Office of Personnel Management (OPM) breach included fingerprints for individuals that had applied for government clearances and had access to national secrets. A leak of this caliber leads to legitimate concerns that a sophisticated adversary may use fingerprint spoofs to physically attack a user’s biometric device. 

    Threats against biometric systems also include how the biometric is processed. Security weaknesses in biometric components could undermine the security of the system. To reduce the potential impact of a security flaw, we separated the biometric subsystem from the key’s core functionality.

    Furthermore, we store the enrolled fingerprint templates and perform biometric matching in a dedicated secure element to protect it from both digital and physical attacks. We then encrypt the communication between this biometric secure element and the one we use for the core YubiKey software to mitigate eavesdropping and replay attacks.

    It’s important to note that all fingerprint sensors we tested were susceptible to high quality spoofed fingerprints created with a cooperative enrolled user, including those in popular phones and laptops, and the one in the YubiKey Bio. We believe with sufficient skill and practice that this can be done even with latent prints without the cooperation of the enrolled user. An example of this was demonstrated at the Chaos Communication Congress by using photographs of hands to create a spoof of the enrolled user’s fingerprints. However, the vast majority of potential attackers are not physically near to their victims and do not have physical access to their devices.

    Even so, to make fingerprint spoofing harder, the Yubico team did extensive research and tested many different fingerprint sensors. The results informed our components selection, tuning, and development for the YubiKey Bio. We believe that our device is tuned well for usability and spoof rejection compared to similar devices on the market.

    Because watching a user type their PIN, replicating fingerprints, or stealing YubiKeys are all attacks that fall into the domain of patient, skilled, physically-present attackers, some users may still wish to choose a device — like the YubiKey Bio — that allows for more convenience with the choice of using a PIN or fingerprint. We believe that offering the best biometric security key on the market as an option to those users makes sense.

    FIDO and WebAuthn biometric experiences

    The YubiKey Bio will protect users by requiring an enrolled finger match (or optionally a PIN + touch for some FIDO2 use cases) for all uses. It will work everywhere that FIDO U2F, FIDO2, or WebAuthn is supported today.

    Like the YubiKey 5 Series, the YubiKey Bio enables a passwordless experience when FIDO2 is supported by the service, and where a security key resident credential is used instead of a username and password. Unlike the YubiKey 5 Series, users can achieve these FIDO-based experiences using just a fingerprint match instead of always requiring a PIN + touch.

    Today, a few services support this enhanced experience, but we expect the number will grow over time. In the demo video above, we chose to use the passwordless option of our own demo site because it was the simplest way to show this experience without being distracted by third party service and account options.

    What makes a YubiKey a YubiKey? 

    Since the first YubiKey was launched in 2008, and over the years, our customers have appreciated the core values that represent a YubiKey: usability, security, durability, and in a sleek form factor. The YubiKey Bio follows these same design principles.

    To stay up to date on YubiKey Bio general availability, and to apply for the closed preview program, sign up here. To speak with a Yubico sales representative about whether the upcoming YubiKey Bio may be right for your organization, contact us here

    Share this article: