Losing control of your online accounts is a nightmare, one that could lead to outright identity theft. The solution is multi-factor authentication (MFA), and with the $80 Yubico YubiKey Bio, you can use your fingerprint to identify yourself. This device works with the major MFA standards, but it doesn’t have NFC or the wider support for authentication methods found in high-end YubiKeys. That said, if you absolutely must have biometric MFA, love USB-A connectors, and are willing to shell out the extra cash, the YubiKey Bio is a great choice. Editors’ Choice winner YubiKey 5C NFC is a more versatile and affordable security key. For first-time buyers, we recommend the Security Key NFC.
What Is Multi-Factor Authentication?
Multi-factor authentication (sometimes called two-factor authentication, or 2FA) improves password logins for websites and services by adding multiple factors from a list of three possibilities:
- something you know,
- something you have, and
- something you are.
Something you know could be a password, while something you have could be a security key or an authenticator app. Something you are is any kind of measurable physical trait, like a fingerprint scan or facial recognition. Even if an attacker has your password, it’s unlikely they’ll also have the additional factors necessary to access your account.
While any MFA is better than none, each method has its own advantages and drawbacks. Receiving SMS codes on your phone, for instance, isn’t a secure MFA system until the FCC does something about the threat of SIM-swapping. Authenticator apps are free and secure, but require that you have a working phone. Security keys, meanwhile, are difficult to attack and need no batteries, but they can be lost. On balance, we think that authenticator apps are the easiest to get started with, but security keys are the most secure.
Google has shown that MFA is an excellent way to secure your online accounts, but even with MFA you can’t be complacent. We strongly recommend using antivirus software and using a password manager to create unique and complex passwords for every site and service you use.
Classic, Durable Design
In terms of design, the YubiKey Bio is nearly identical to most other Yubico products. It’s made of slightly textured black plastic with an unshielded USB-A connector on one end and a metal-reinforced ring on the other to attach it to a keyring or lanyard. Instead of Yubico’s usual capacitive gold disk, the Bio has a smooth, black circle with a raised metal edge. The flat, circular surface is the fingerprint reader while the ring is touch sensitive to help ensure a real human finger and not a clever simulacrum is being used.
At 1.78 by 0.71 by 0.13 inches (45 by 18 by 3.35 millimeters, HWD), the YubiKey Bio is about the size of a standard house key. The $69.99 Kensington VeriMark Guard USB-C Fingerprint Key and the $60 YubiKey 5C Nano are much smaller and can stay attached to your device full-time. The Bio weighs only 0.16 ounces (4.5g), which is slightly less than its USB-C sibling, the $85 YubiKey C Bio.
Yubico tells me that the YubiKey Bio is crushproof and water and dust resistant to maximum industry standards (IP68). The company didn’t reveal much about its fingerprint reader, or what it’s made of. I’d like to see Yubico release this information if only for transparency’s sake. I lightly rubbed a piece of metal against the reader’s surface and it barely left a mark, but I just don’t know whether this essential component is rugged enough to survive on a key ring.
One key element you won’t find in the YubiKey Bio is NFC (Near-Field Communication). Other keys, like Editors’ Choice winner YubiKey 5C NFC, use NFC to communicate with mobile devices for on-the-go authentication.
What MFA Standards Does the YubiKey Bio Support?
Yubico is a huge motivating force in not only producing hardware security keys, but also in developing the standards that make them work. That’s why it’s not surprising that the YubiKey Bio uses the latest FIDO2/WebAuthn standard for MFA as well as CTAP1/CTAP2. It’s also backward-compatible with FIDO U2F.
That’s excellent, but it’s a short list for a YubiKey. Keys in the YubiKey 5 series—from the $45 YubiKey 5 NFC to the $70 YubiKey 5Ci—are more capable. They can double as smart cards (PIV standard) and can store encryption keys (OpenPGP). Along with the Yubico Authenticator app, they can be used to store and generate time-based one-time passcodes (TOTP) or generate codes using Yubico’s own OTP system (Yubico OTP). They can even be configured to spit out static passwords on command. Neither the YubiKey Bio nor the C Bio can do any of that, but the average person won’t miss these features.
Weirdly, the devices that support the same standards as the Bio series are some of the least expensive: the €29 Nitrokey FIDO2, which uses open-source hardware and firmware, and the $24.50 Security Key NFC. Neither of these, however, supports biometrics.
Bio or C Bio?
I was told by PCMag’s hardware analysts that USB-C is now easy to find on new computers and, indeed, my 2020 MacBook Pro only offers USB-C. Still, there’s something to be said for good ol’ USB-A. For one thing, it has been the standard for decades and there are innumerable devices that still support it. For another, it creates a firmer connection than itty bitty USB-C.
Ultimately, you should evaluate the devices you have to determine whether the YubiKey C Bio or the Bio (USB-A) is the better fit for you. Keep in mind, of course, that you can increase the compatibility of either device with a simple, if inelegant, dongle.
Talkative Lights
One thing I really like about the Kensington VeriMark Guard is that it moves between biometric authentication and a simple tap-to-authenticate unlocking mechanism depending on what the site supports. The YubiKey Bio series also does this, but so much more transparently. The Bio keys have two LEDs on them that blink in patterns to let you know what kind of authentication is happening and whether it’s successful.
The LEDs flash green quickly when the key is using biometrics and slowly when it’s using tap-to-authenticate. A single amber LED means your fingerprint was rejected. If your fingerprint is rejected three times in a row, the device locks out biometrics. To get biometrics working again, you just tap the device and then enter your PIN when prompted. You can unlock the device using instructions found on the Yubico site. I had no idea the YubiKey Bio had this biometric lockout option, but it wasn’t difficult to figure out.
The VeriMark Guard, on the other hand, tells you nothing. It’s frustrating because user intent needs to be a critical part of any authentication system and is the main reason why facial recognition is the biggest mistake in technology.
What’s the Advantage of Biometrics?
There are two major advantages to biometric MFA. First, if someone steals your key, they won’t be able to use it to log in to your accounts. It’s far more likely that an attacker will go after your account along with thousands of others using logins from data breaches, although security key theft cannot be ruled out.
Another reason to embrace biometric MFA is future-proofing the password-less revolution. The most exciting facet of the latest MFA standards is that they allow for completely password-less authentication. Instead of using a password, you tap your security key (something you have) and enter a PIN (something you know). With a biometric security key, you have two factors in one (something you have, something you are) and can skip the PIN altogether.
Going password-less may sound like a pipe dream, but the movement is picking up momentum. Microsoft now allows password-less authentication for any Microsoft account.
Hands-On With the YubiKey Bio
Yubico has perfected its onboarding process, giving it a big advantage over the competition. The packaging points you toward an easily typed URL where you identify the device and receive step-by-step instructions on how to get started. You even get a list of services that work with your specific device. I’d still like to see more information included with the device, but the process was undeniably smooth.
Onboarding is always important for MFA keys but especially for biometric ones because they can’t read your fingerprints until you configure them. You can configure your fingerprints using the security settings in Windows 10/11, or in the Security Settings of the Chrome browser. This last option is particularly useful since it works anywhere you can run Chrome version 90 or later.
Yubico goes a step further by letting you configure your device on Linux, macOS, or Windows with its Yubico Authenticator app. Just plug it in, assign a PIN, tap the sensor when prompted, and name your fingerprint entry. I enrolled fingerprints using both Chrome and the Yubico Authenticator on macOS without incident.
After that, the YubiKey Bio is ready to go. I enrolled it as a security key with a Twitter account and with a Microsoft account. I easily logged in to Twitter from Chrome and Firefox on macOS. I logged in without a password to my Microsoft account through Chrome on macOS. Firefox, unfortunately, doesn’t work with Microsoft’s password-less login scheme. While support for security keys has greatly improved, it’s not unusual to run into the occasional mismatch.
In all these tests, I confirmed that the YubiKey only accepted a fingerprint that had been enrolled. Yubico says the Bio also works without biometrics if the site supports security keys but not biometric authentication. In my testing, the YubiKey Bio and C Bio always used biometric authentication.
Yubico says the YubiKey Bio is meant for desktop environments, but I still had no trouble logging into Twitter with the key, a USB-C dongle, and my Pixel 3a. Neither Firefox nor Chrome supports Microsoft password-less login on Android, so I wasn’t able to test this scenario.
Biometrics In the Key of A
The YubiKey Bio is a truly impressive device. It’s very easy to use, and the onboarding is superbly simple. It’s built with Yubico’s emphasis on durability and security, and because it supports biometric password-less authentication, it will be useful for years to come.
That said, the YubiKey Bio ends up in a bit of an odd spot. Its pricing puts it among the prosumer class of security keys, but it lacks the signature suite of advanced authentication features found in other YubiKeys. That’s sure to disappoint tech-savvy shoppers, while the lack of NFC for mobile use means everyday customers won’t get as much use from the YubiKey Bio. For its part, Yubico seems aware of this unusual positioning and telegraphs that the Bio might be better suited for professional environments.
For experienced MFA users, we still recommend the cheaper and more capable YubiKey 5C NFC. Anyone shopping for a security key for the first time would be better served by the extremely affordable and flexible Security Key NFC from Yubico. But if you absolutely must have biometrics now, the YubiKey Bio and its sibling the C Bio are excellent choices.