Fingerprint-checking YubiKey Bio security key helps banish passwords
The key builds two-factor authentication into one $80 USB device. And Google gave 100,000 of its own Titan security keys to high-risk account holders.
Stephen Shankland, principal writer
Stephen Shankland has been a reporter at CNET since 1998 and writes about processors, digital photography, AI, quantum computing, computer science, materials science, supercomputers, drones, browsers, 3D printing, USB, and new computing technology in general. He has a soft spot in his heart for standards groups and I/O interfaces. His first big scoop was about radioactive cat poop.
Yubico on Tuesday began selling two new hardware security keys called YubiKey Bio that incorporate fingerprint recognition to add an extra level of login security on a single device. The USB-C key costs $85 and the USB-A key $80.
Hardware security keys such as Yubico's are often used in combination with passwords to bolster conventional login processes. A hacker with your password can't access your account without the security key, too. Hackers can't download millions of hardware security keys as they do with stolen passwords.
The YubiKey Bio keys add another layer of protection to the authentication process by enabling a second factor of identification, a fingerprint. That could replace a password altogether on sites like Microsoft's that let you register the key. The key itself stores the fingerprint data and tells the site when you've successfully authenticated.
The YubiKey Bio keys are part of a growing movement to overthrow passwords, the reigning method for login technology. Passwords are convenient and familiar but face a host of security shortcomings. They can be stolen, forgotten, reused and easily guessed.
Tech giants like Microsoft, Facebook and Google are shoring up password weaknesses and, in some cases, moving beyond them entirely. In addition to hardware security keys, the tech industry is easing password problems with biometrics, authentication apps on phones and an authentication standard called FIDO (Fast Identity Online).
I tried the YubiKey Bio with my passwordless Microsoft account and found it easy to set up through the process for adding a hardware security key offered on the Microsoft account page. (Head to its Security section, then the Advanced Security Options subsection.) Once I enrolled my fingerprint, logging in involved entering my username, inserting the key, then touching the YubiKey Bio's fingerprint sensor.
The key also accommodates a PIN code. That ensures it can be useful for sites that don't support the biometric approach. The YubiKey Bio keys don't support the NFC wireless links that other security keys use to communicate with phones, though.
Significant obstacles have prevented hardware security keys from becoming mainstream. The differences from conventional physical keys outweigh their outward similarity. They cost a lot more than conventional keys, and you can't just make a copy at a mall kiosk. Hardware security keys are also more complex to manage: you have to register them for use on multiple websites, for example.
If you put up with the hassles, though, hardware keys offer major security advantages. Hardware keys protect against phishing attempts that use fake websites because each key is registered with specific websites. Unlike conventional keys, a single hardware security key can be used to log on to many sites.
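
As an added illustration of two points above (the key telling the site that the fingerprint check succeeded, and registrations being tied to specific websites), this Python example runs the checks a website's server can apply to a FIDO2/WebAuthn login response. It is not code from Yubico, Microsoft or this article; the domain names, challenge and sample messages are constructed, and it assumes the response's signature has already been verified against the key's registered public key.

```python
import base64
import hashlib
import json
import struct

FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: fingerprint or PIN matched on the key itself

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json, authenticator_data, *, origin, rp_id,
                    challenge, require_uv=True):
    """Return the names of failed checks; an empty list means all passed."""
    failures = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failures.append("type")
    if client.get("challenge") != b64url(challenge):
        failures.append("challenge")
    if client.get("origin") != origin:  # origin is filled in by the browser
        failures.append("origin")
    if len(authenticator_data) < 37:
        return failures + ["authenticator_data_length"]
    # Layout: SHA-256(RP ID) | flags byte | 4-byte big-endian signature counter
    rp_hash, flags, _count = struct.unpack(">32sBI", authenticator_data[:37])
    if rp_hash != hashlib.sha256(rp_id.encode()).digest():
        failures.append("rp_id_hash")
    if not flags & FLAG_UP:
        failures.append("user_present")
    if require_uv and not flags & FLAG_UV:
        failures.append("user_verified")
    return failures

def make_sample(origin, rp_id, challenge, flags):
    """Build a constructed (not captured) clientDataJSON / authenticatorData pair."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 7)
    return client, auth

if __name__ == "__main__":
    chal = bytes(range(32))  # constructed challenge issued by the genuine site
    site = dict(origin="https://login.example.com", rp_id="example.com", challenge=chal)
    for label, args in [("genuine site", ("https://login.example.com", "example.com", chal, 0x05)),
                        ("look-alike site", ("https://login.example-secure.test", "example-secure.test", chal, 0x05)),
                        ("touch only", ("https://login.example.com", "example.com", chal, 0x01))]:
        print(label, check_assertion(*make_sample(*args), **site))
```

A response produced on the look-alike domain fails both the origin and RP ID checks, and a response with only a touch (no fingerprint or PIN match) fails the user-verified check that a passwordless login depends on.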