Yubico has shed some light on the development of its upcoming biometric security key. The YubiKey Bio was first unveiled in November of 2019, and is now in a private preview phase with the company’s technology partners and with select enterprise customers. The biometric security key will be available in USB-A and USB-C form factors when it makes its debut.
Until then, Yubico is walking customers through the thinking that influenced the key’s final design. The company noted that smartphones normalized the concept of fingerprint recognition for millions of consumers, and that the technology can deliver a smooth authentication experience across multiple channels. With that in mind, building a security key with a fingerprint sensor was a logical next step for the company.
The problem, of course, is that a smartphone is much larger than the standard security key, which makes it easier to integrate a fingerprint sensor into the design. Since a smaller sensor might not work properly in certain environments, the YubiKey Bio will always allow users to log in with a PIN code in instances when the device’s default fingerprint sensor fails to deliver.
Once registered, the user’s fingerprint template is stored on a Secure Element dedicated to the purpose, while the biometric subsystem runs independently of the key’s core security functionality. All communication between the Secure Element and the rest of the key is encrypted to help thwart replay attacks.
In that regard, Yubico warned that no security system is foolproof, and that any fingerprint sensor can be beaten with the right materials. However, a hacker with a fake print would still need to get their hands on the user’s physical device to take advantage of that print, which dramatically reduces the threat to the average YubiKey customer.
The YubiKey Bio will support the FIDO U2F, FIDO2, and WebAuthn protocols. In some cases, using the YubiKey to log into an app on a phone or a desktop computer will turn that phone or desktop into a trusted device, which will negate the need for daily verification when accessing certain applications. Step-up authentication would still be required for high-risk transactions.
Yubico has argued that its YubiKeys can help protect remote activity during the COVID-19 pandemic. The YubiKey Bio will be available through the company’s YubiEnterprise Subscription and YubiEnterprise Delivery services.
November 10, 2020 – by Eric Weiss