Yubico on Tuesday began selling two new hardware security keys called YubiKey Bio that incorporate fingerprint recognition to add an extra level of login security on a single device. The UBS-C key costs $85 and the USB-A key $80.
Hardware security keys such as Yubico’s are often used in combination with passwords to bolster conventional login processes. A hacker with your password can’t access your account without the security key, too. Hackers can’t download millions of hardware security keys as they do with stolen passwords.
The YubiKey Bio keys add another layer of protection to the authentication process by enabling a second factor of identification, a fingerprint. That could replace a password altogether on sites like Microsoft’s that let you register the key. The key itself stores the fingerprint data and tells the site when you’ve successfully authenticated.
The YubiKey Bio keys are part of a growing movement to overthrow passwords, the reigning method for login technology. Passwords are convenient and familiar but face a host of security shortcomings. They can be stolen, forgotten, reused and easily guessed.
Tech giants like Microsoft, Facebook and Google are shoring up password weaknesses and, in some cases, moving beyond them entirely. In addition to hardware security keys, the tech industry is easing password problems with biometrics, authentication apps on phones and an authentication standard called FIDO (Fast Identity Online).
Google, an enormous player with billions of people using services like Gmail, YouTube and Google Workspace, is working hard to overcome the weaknesses of passwords alone. On Friday, it announced it’s given out 100,000 of its own Titan hardware security keys to election officials and female politicians, activists, journalists and executives through its Advanced Protection Program. And on Tuesday, it announced that this year it will switch 150 million people to two-factor authentication (2FA), which it calls two-step verification (2SV). It also uses hardware security keys to protect employee accounts.
I tried the YubiKey Bio with my passwordless Microsoft account and found it easy to set up through the process for adding a hardware security key offered on the Microsoft account page. (Head to its Security section, then the Advanced Security Options subsection.) Once I enrolled my fingerprint, logging in involved entering my username, inserting the key, then touching the YubiKey bio’s fingerprint sensor.
The key also accommodates a PIN code. That ensures it can be useful for sites that don’t support the biometric approach. They don’t support NFC wireless links that other security keys use to communicate with phones, though.
The YubiKey Bio, whose release coincides with National Cyber Security Awareness Month, isn’t the first biometric security key. Feitian, a Chinese company that also makes Google’s Titan hardware security keys, has been selling its BioPass keys for years. Sweden-based Yubico is the largest security key maker.
Enrolling the YubiKey Bio for use at a website requires you to register your fingerprint, similar to the setup process you may have experienced for phones or PCs.
Screenshot by Stephen Shankland/CNET
Significant obstacles have prevented hardware security keys from becoming mainstream. The differences from conventional physical keys outweigh their outward similarity. They cost a lot more than conventional keys, and you can’t just make a copy at a mall kiosk. Hardware security keys also are more complex to manage, like registering them for use on multiple websites.
If you put up with the hassles, though, hardware keys offer major security advantages. Hardware keys protect against phishing attempts that use fake websites because they are registered with specific websites. Unlike conventional keys, a single hardware security key can be used to log on to many sites.
