Worth upgrading Yubikey NEO and Yubikey 5C NFC to Yubikey Bio?

Cromulent · April 25, 2022, 9:31pm

I’m sitting on the fence at the moment. I’m highly tempted to buy the Yubikey Bio but that will be my third Yubikey which seems somewhat excessive. I also forget which websites use which key so adding another one is going to be a juggling act.

On the other hand, it offers great protection even if I leave my key in a bad place as it’ll still require my fingerprint which is important to me. What are your thoughts on the Yubikey Bio?

philw · December 7, 2024, 12:25pm

I just got one of those - YubiKey 5C Bio, to work along with a few older FIDO2 keys I already have.

I like the idea that you can steal the key and even if you know what it is, you’re going nowhere fast unless you stole the correct finger as well.

As far as I can tell it works like my old standard FIDO2 keys, so I just have to replace those with this in various sites and it’s all good.
You can store Passkeys on the key… which I can’t do with those old keys, so now instead of username + password + key, I can sign in with key +fingerprint, which is neat.
I previously used Bitwarden with FIDO2, then got the un&pwd from that, then used the site’s 2FA. This is simpler and not less secure, I think.
As most sites don’t even support FIDO2, never mind Passkeys, you still need Bitwarden, but that does support Passkeys properly.
Some sites use the word “Passkey” to mean “FIDO2 key”, it’s a bit confusing. One’s a 2FA token, the other is the entire token you need. A good example is GitHub and GitLab - both will work with the Bio key, both claim “PassKey” support, but the former generates a passkey on the Yubikey, but the latter does not, instead using it as an ordinary key.

I’m still migrating stuff, but it’s a good excuse to review my accounts across the piece.

Bitwarden’s “you’re not using 2FA” report seems a bit broken; it should allow you to at least say “yes a am, please do not nag me about something I already did”.

I can’t see how they’d know, but a report listing sites you can use a true Passkey on would be useful.

grb · December 7, 2024, 7:34pm

This is unlikely to help OP, but as this 2022 thread is now resurrected after almost 3 years, I will offer my own experience in case it is helpful to somebody else:

You can enroll up to five fingerprints.
The biometric user verification falls back to a regular Yubikey PIN after 3 failed attempts to match the fingerprint to one of the enrolled fingerprints.
Fingerprint match failure is not uncommon, and happens frequently in the winter, or if you do not properly touch the fingerprint sensor and its bezel.
While in PIN-only mode, the Yubikey will lock itself after 8 failed PIN entries (just like a regular Yubikey).
Unlike a regular Yubikey, which can be used without a PIN if the relying party does not require User Verification, using the Yubikey Bio always requires User Verification (in the form of a fingerprint or PIN), independent of the relying party’s requirements.

If you want to not have to worry about unauthorized use of the Yubikey (if lost, stolen, or accessed by someone else), then you need to set a sufficiently strong PIN.

kpiris · December 7, 2024, 9:25pm

Ditto…

This is an optional feature of the CTAP protocol called alwaysUv that the Bio implements and is on by default.

I recall having read somewhere that it can be set to off. Although I would not recommend it.

And, in my opinion, it would not make a lot of sense if you had spent the extra money on a security key with a biometric sensor.

grb · December 7, 2024, 9:47pm

In the most recent Yubikey firmware (5.7), the alwaysUV flag can be enabled (for non-Bio keys), but the current documentation for the Yubikey Bio states that “the YubiKey Bio implements always-on user verification” (and does not mention any option for disabling this requirement).

kpiris · December 8, 2024, 7:51am

It turns out that alwaysUv can be turned off with ykman (the CLI version of yubikey manager).

grb · December 8, 2024, 3:23pm

There is at least one scenario in which this cannot be done (FIPS140-3 Yubikeys), besides all keys with firmware prior to 5.5 (July, 2024). However, I’m curious about how/whether the toggle-always-uv would work with Bio key, since they had “Always UV” behavior even prior to the implementation of the alwaysUV flag in firmware version 5.5. Have you tested it?

kpiris · December 8, 2024, 5:03pm

I tested it today with a spare YubiKey Bio (that I bought on may’2023 and has firmware version 5.5.6).

The key had a pin set and only one fingerprint enrolled (index finger).
I turned off alwaysUv [*].
I registered it as 2SV on a test bitwarden account (touching the key with my middle finger).
Logged out and logged back in the web vault with my master password and just touching the key also with my middle finger.

[*]

$ ykman fido info
PIN:                          8 attempt(s) remaining
Minimum PIN length:           4
Fingerprints:                 registered, 3 attempt(s) remaining
Always Require UV:            on
Credential storage remaining: 25

$ ykman fido config toggle-always-uv
Enter your PIN:

$ ykman fido info
PIN:                          8 attempt(s) remaining
Minimum PIN length:           4
Fingerprints:                 registered, 3 attempt(s) remaining
Always Require UV:            off
Credential storage remaining: 25

grb · December 8, 2024, 5:57pm

Thanks for performing the test. So it seems that it did revert to checking user presence only (which is accomplished by touching the metal bezel around the fingerprint sensor on the Yubikey Bio). Although as you already noted in your original comment, it makes no sense to configure a Bio key in this way, with alwaysUV disabled.