SecurityBrief Australia

Hands-on review: Yubico's YubiKey Bio brings no-nonsense biometrics to 2FA

By Sara Barker
Wed 10 Nov 2021

In 2007, Swedish company Yubico launched the YubiKey 1.0, a one-time password hardware key. Its purpose was to offer a portable authentication key that works across different services. Since then, Yubico has produced many iterations of the YubiKey, including one of the most recent products, the YubiKey Bio. 

Form

The YubiKey Bio measures just 4cm long and 1.3cm wide and looks similar to a standard USB stick. There is a round fingerprint sensor in the middle of the device; otherwise, the design is unassuming and understated.

The device is simple to use and set up. It is available in USB-C and USB-A, and it also has a hole so you can store it on a keyring or lanyard if preferred.

Function

The YubiKey Bio supports “biometric login on desktop with all applications and services that support FIDO2/WebAuthn/U2F”.

A quick rundown of those acronyms: FIDO2 is a framework that aims to move the world beyond passwords to other methods of authentication, such as two-factor authentication (2FA), tokens and biometrics, to name a few. WebAuthn is a browser API that supports secure user authentication. It is supported by Google Chrome, Microsoft Edge, and Mozilla Firefox. And U2F is a standard for 2FA. Basically, the YubiKey can work for authentication across any service that supports FIDO2/WebAuthn/U2F.

While the YubiKey Bio works perfectly well for home consumers who want to add a hardware-based authentication method to their social account logins, it’s clear that the YubiKey Bio is geared more towards business users and cloud-first or desktop login environments, particularly as it “works out-of-the-box with Citrix Workspace, Duo, GitHub, IBM Security Verify, Microsoft Azure Active Directory and Microsoft 365, Okta and Ping Identity.”

"Use cases are for authentication to services on shared workstations and mobile restricted environments. The YubiKey Bio can be used wherever FIDO2 or FIDO U2F authentication is available. For mobile devices requiring NFC, we recommend using the YubiKey 5 NFC or YubiKey 5C NFC," says Yubico's APJ director solution engineering, Alex Wilson.

The YubiKey Bio works across platforms including Windows, macOS, Chrome OS and Linux. I used Windows 11 as my testing platform and found that Windows Security controls the dialogue boxes instructing you to insert or touch the YubiKey, set up fingerprints, and a PIN. This is because it supports native biometric features. But it's important to note that currently, the YubiKey Bio does not work for local PC logins.

Wilson explains, "Simply put, Microsoft Windows 10 and 11 offer inbuilt support to manage external authenticators such as ours, but as yet do not allow you to use them for local login into the platform. If you are using Azure Active Directory or Office 365 products then you can use the YubiKey Bio to log in to those services," he says.

He adds, "Multi-factor options in Windows Hello do create some confusion. There are two different flows to use a biometric identifier depending on what type of biometric reader you have. Some types of laptops include a biometric sensor with the keyboard. In those cases, you can use the fingerprint icon in Windows Hello to use it. The other flow is truly a portable option. The biometric is enabled by selecting the “security key” options in Windows Hello. The difference is that the security key (YubiKey Bio) stores your fingerprint which makes it more secure and more portable as it can be used on any supporting device."

The YubiKey Bio's genius really shines when it comes to apps. It works easily with apps including Outlook, Gmail, Facebook, Dropbox and Office 365. Yubico also has a 'Works with YubiKey' catalogue which lists all compatible apps - just make sure to filter by security protocol FIDO2/WebAuthn and the YubiKey Bio series.

My first test involved browser-based authentication for Gmail. My Gmail is already set up with two-factor authentication. If yours is not, you will need to do this before you can begin. (Simply go to security, 2-step verification, ‘show more options’, and select ‘security key’.) I went through a similar process for other platforms including Twitter, Facebook, and Outlook. It's fast, and it's easy. Voila, 2FA at the touch of a YubiKey.

Every time I need to log in, I simply go through the 2FA process. For the biometric authentication, I simply touch the YubiKey, complete my other authentication method, and I’m in. If, after three attempts, the YubiKey doesn’t accept my fingerprint, I just enter a PIN, much in the same way that my phone does when I try to unlock it with wet fingers.

I note that Yubico also offers the Yubico Authenticator app, which is not a mandatory piece of software (the YubiKey is designed to work with no additional hardware or software). I was curious to see what additional features it provides.

Wilson explains, "The Yubico Authenticator is a user-based application to support YubiKey functions, which now include the ability to register fingerprints, view what services (Office 365, Facebook, etc) have been registered with the YubiKey Bio and reset the YubiKey Bio."

Verdict

The YubiKey Bio will doubtless be compatible with more platforms as FIDO authentication protocols become more common.

"The number of online services and common applications that are supporting FIDO2 and FIDO U2F client authentication are increasing over time. The FIDO2 protocol continues to be enhanced with additional management features and platform support being added. The FIDO U2F protocol has been available since 2014 and was launched within GSuite applications at that time. This was then closely followed by Facebook, Dropbox and others thereafter," Wilson adds.

It’s easy to use, a no-fuss way to make multi-factor authentication painless and simple, and a recommended security tool for businesses and consumers alike.
