YubiKey Bio review

Yubico recently released its YubiKey Bio FIDO Edition, a biometric (fingerprint) key that allows you to log in using the FIDO protocol. The key itself is an elegantly slim USB key in robust black synthetic resin. A metal ring on top shows where to place your finger so the key can read your fingerprint. The YubiKey Bio cannot be used to log into your Mac.

The YubiKey Bio works out-of-the-box with operating systems and browsers including Windows, macOS, Chrome OS, Linux, Chrome, and Edge, supports FIDO2/WebAuthn, U2F and is available in both USB-A and USB-C form factors. My test unit was the YubiKey Bio with USB-A connector. The Bio is made for desktops and offers secure password-less 2FA. I tested with my mid-2017 iMac.

On Macs, you can’t set up the key any other way but by using Google’s Chrome browser. This seemed very odd to me, as it’s not exactly a secret that Chrome is under almost constant and often successful attack (commonly known as zero-day attacks; the last one took place last month, in October 2021). A zero-day exploit can be anything from a software flaw to sending unencrypted information across the Internet that’s immediately exploited by hackers.

To set up the key, you first need to “feed” it with fingerprints. That requires you to start the Chrome browser and navigate to its Preferences panel. There you select the security options, and in that category you will find the option for setting up security keys. As far as I know, Chrome is the only browser that offers an option to set up a fingerprint key such as the YubiKey Bio.

When you start the process, you will need to enter a PIN code in a Chrome pop-up. Then the browser asks you to create the first fingerprint template and so on, until you’ve reached the maximum of five. It’s advised you use at least two fingers, but I have a habit of using two on each hand.

After that, you’re done. The fingerprint templates are stored in the secure element on the key itself. This is very secure, which makes having to use Chrome for the setup process even more uncomfortable. It soon became clear (see further down) why Yubico didn’t invest time and effort in developing an app for setting up the key.

Also to their credit, Yubico advises you to “use a device that is not public and has an up to date operating system; this can be a computer running either Windows 10 (1903 or later) / Windows 11, or any of the following with the Chrome browser 93 or later: macOS (Catalina or Big Sur), Chrome OS 93 or later, Ubuntu 18.04 or later.”

Yubico further recommends that you add a backup YubiKey to any account to which you have added your primary YubiKey. This can be a YubiKey Bio Series key, or alternatively any YubiKey 5 Series or any Security Key by Yubico — or another vendor, I might add. This is good advice, but I was to experience problems when trying out the Bio key with WordPress, Google and any other service the YubiKey 5 NFC works with.

Using Safari, as that is my preferred browser, I had already added the YubiKey 5 NFC as a secondary key besides an OTP app to WP.com. Adding the Bio key appeared to go well initially but confused WP.com later, as it now started asking for a PIN when I inserted the YubiKey NFC (which it shouldn’t and hadn’t ever done before adding the Bio key) but not when I inserted the Bio key. That only happened after the first setup, when everything seemed to be fine.

Again in Safari, I tried adding the Bio key to Google, which is listed on the Yubico page as a service that accepts the Bio key. It didn’t work, as with the other services I tried it with. Now I tried all these logins with Safari, interpreting Yubico’s insistence on Chrome for setup literally, that is, that you only need it to set up the key, and that proved to be incorrect. When I switched to Chrome, the YubiKey Bio worked like a charm.

Now the exclusive use of Chrome becomes even more of an enigma to me, as you are entering the PIN on your computer in an unsecured browser that has become infamous for its sloppy follow-up of security breaches. To their defence, though, I don’t think you can blame Yubico for not having developed their own browser just because the others can’t handle a biometric key correctly.

On Windows PCs my story may be totally different, but for Mac users I hesitate to recommend the Bio key for logging in to online services, at least until there is a viable alternative to the Chrome browser. It could work brilliantly for logging into the Mac as an alternative to a smart card, but upon checking the support document on the topic, it turned out the Bio key isn’t compatible. So, in my opinion, you’re better off buying a YubiKey 5 NFC for the time being.

The YubiKey Bio retails for around 80 EUR.