Yubico this week introduced its latest — and most expensive — hardware security key, the company's first key to incorporate biometric authentication in the form of a fingerprint reader.
The YubiKey Bio (opens in new tab) comes in USB-A ($80) and USB-C ($85) configurations for optimal compatibility with your favorite port flavor. It supports the open FIDO U2F and FIDO2/WebAuthn standards, both of which are widely used.
- You're probably doing 2FA wrong — here's the right way
- The best password managers you can use
- Plus: You can now free the Oculus Quest 2 from Facebook's grip — but there's a catch
Hardware security keys provide the best "second factor" in two-factor authentication (2FA), which itself is the most effective way to protect your online accounts. The most common second factor, a one-time code transmitted via text message, is convenient and easy to implement but can also be hacked in a number of different ways.
By contrast, a hardware security key is something you physically have and isn't used for any other purpose. Google requires them for its employee accounts and say it hasn't had a successful account takeover since it deployed them.
What the YubiKey Bio can and can't do
Yubico told us that the YubiKey Bio is primarily targeted at enterprise desktop users who want biometric security. That may explain the fairly high price, which is a good $20 higher than rival biometric keys made by Chinese security-key maker Feitian. Despite that, Yubico told us that current stock of the USB-C model of the YubiKey Bio has already sold out.
However, the Bio's utility is a bit limited compared to that of the YubiKey 5 series. The YubiKey Bio does not support many of the 5 series' functions, including several one-time-password and smart-card formats. Many services that require YubiKey 5, such as Instagram, LastPass and Twitch, won't work with YubiKey Bio.
Yubico representatives told me this is because FIDO and FIDO2 support biometric authentication while the other formats do not.
Smartphones won't work with the YubiKey Bio either, despite the USB-C option. Neither Android nor iOS supports the FIDO Client to Authenticator Protocol (CTAP) version 2.1 (opens in new tab) that the keys use. There's also no NFC chip on the YubiKey Bio to wirelessly interact with phones.
Functionally, the YubiKey Bio is similar to the $25 Security Key by Yubico, a basic security key with a USB-A plug that supports only FIDO U2F and FIDO2/WebAuthn but also has NFC.
Easy to set up and use
We had no trouble setting up either the USB-A or USB-C models with our Windows 10 PC and then enrolling each one with a Google account.
Yubico says the YubiKey Bio also works with Microsoft (Office) 365 and other Microsoft accounts, Coinbase, eBay, Electronic Arts, Facebook, GitHub, Twitter, Yahoo and YouTube. Like other hardware security keys, the YubiKey Bio can replace your password for Microsoft accounts.
Among password managers, the consumer-security sector that has the most support for two-factor authentication, the YubiKey Bio is supported by Bitwarden, Dashlane, Keeper and 1Password (paid versions only). Browsers that support YubiKey Bio include Brave, Chrome, Edge, Opera and Safari.
We were a bit surprised to find that we had to go through a Windows setup process to enroll our fingerprints before we could begin the Yubico part of the process.
Had we read the press release a bit more closely, we'd have seen that "the new security keys integrate with the native biometric enrollment and management features supported in the latest platforms and operating systems."
On Mac, Linux and Chrome OS, you can set up the YubiKey Bio using Chrome or another Chromium-based browser like Brave or Microsoft Edge. (Once it's set up on Chrome, you can use it with Safari to log into accounts.)
You can also set up the YubiKey Bio to work with the desktop versions of the Yubico Authenticator software on Windows, Mac and Linux.
Officially, the YubiKey Bio supports Windows 10 (build 1903 or later) or 11; macOS 10.15 Catalina and 11 Big Sur; Ubuntu Linux 18.04 or later; and Chrome OS 93 or later.
You can enroll up to five fingerprints on each YubiKey Bio key, and it's also possible to factory-reset the key and start over.
You might need more than one
As Yubico recommends (and as we recommend for all hardware security keys), you'll want to have one or two backup keys in case you lose the primary one. They don't all need to be able to read your fingerprints; we would just get a couple of Security Keys by Yubico for $25 each.