Foreword by Kathleen Moriarty.
Passkeys are appearing more and more in tech news, with support for them increasing. Since many administrators test out new technologies themselves first, we embarked on a short project to see what happened when an intern with our CTO team had the opportunity to implement passkeys. This technology is one of the few authentication solutions that prevent credential theft. It has the potential to provide a user view of having Single Sign-On (SSO) while meeting the requirements of zero trust with strong two-factor authentication (2FA) for every application. We hope this blog post serves as a useful resource for testing this emerging technology.
Hardware security keys are well-known for their secure, phishing-resistant properties when used for Multi-Factor Authentication (MFA). Now, with the newer, multi-protocol security keys, they can also be used as passkeys to provide a passwordless user experience. But how accessible is the process of setting up and using a security key for the average user? The purpose of this blog post is to explore that question and provide guidance that may help you choose whether a security key may be right for you.
For some context, today’s market includes a variety of hardware security key options from vendors such as Feitian, Google, Yubico, and more. The FIDO Certified Showcase lists FIDO Alliance members and their FIDO-certified solutions. It’s a great resource for researching products such as security keys.
Because I planned to use my security key as a passkey for passwordless authentication, I looked specifically at FIDO2 security keys. After reviewing my options, I chose to focus on products from Yubico, the first company to create a security key series to support FIDO2 and WebAuthn. It’s also one of the primary contributors to FIDO2, WebAuthn, and FIDO U2F open authentication standards.
Compatibility of your devices
Before ordering your key, it is important to confirm that your devices will be compatible. Security keys should only be used with trusted devices whose operating systems (OS) are up to date and equipped with the latest security patches.
The minimum OS versions that support FIDO2 security keys are listed below; check your device against them before ordering.
- Windows 10 (1903 or later)
- ChromeOS (90 or later) and Chrome Browser (90 or later)
- macOS (Catalina or later)
- Ubuntu (18.04 or later)
The key that I selected for my personal accounts was the YubiKey 5Ci, a part of the multi-protocol YubiKey 5 Series. The YubiKey 5Ci has Lightning and USB-C interfaces that would work well with the physical interfaces on my devices. For those with devices that don’t use Lightning, the YubiKey 5 Series also offers a Near Field Communication (NFC) option that can be used by holding the key close to your mobile device.
Additional keys as a best practice
It is best practice to have a minimum of two physical security keys registered to each account with which you will use your keys. To stay organized (so that you know if one goes missing), you should treat one key as your active, primary key and keep it somewhere accessible like on a keyring.
You should store the additional key (spare key) somewhere secure where only you can access it. The spare key generates its own key pairs, distinct from those on the primary, so a credential registered from one key cannot be used by the other. That is why both keys must be registered separately with each service; it also means that, if one key goes missing, you can sign in with the spare and deregister the missing key's credential on its own. Both keys work independently of one another, and you will not be required to differentiate between them for MFA or the use of a passkey.
Some services, like iCloud, will not allow you to register a key without setting up a minimum of two keys. An advantage to having more than one key registered to your accounts is that if your key ends up lost, broken, or stolen, you can still access your accounts with the spare. Unfortunately, if that does happen, you would need to order another key to take the place of the key that was lost, as the spare would then become the primary.
If cost is a consideration, you might see purchasing more than one key as a potential drawback. Keys are said to last for many years, so depending on which model you choose and how often you lose a key, it is likely that the initial investment will be the most that you are purchasing at one time. Table 1 lists some popular models and their associated costs.
| Model | Cost per key |
|---|---|
| YubiKey 5 Series | USD 50 – 75 |
| Google Titan Security Key | USD 30 – 35 |
| Feitian FIDO Security Key | USD 32 – 78 |
Before you register your keys
Once you have your keys, you may want to dive right in and start registering them to your accounts. If you can refrain from rushing into that, you will find it helpful to review the setup instructions that come with the key (or are listed on the key vendor’s website) first. That way, you won’t miss any important steps. For example, if you’re setting up a FIDO2 PIN on your key, you should do that first — before you register any services. The Yubico website has a comprehensive list of resources and frequently asked questions that I found very helpful to look through before setting up my own keys.
Many service providers will require a PIN as the result of a WebAuthn setting known as ‘User Verification’. If a service provider doesn’t specify a setting for User Verification, browsers will default to setting it as preferred. If you plan to use your security key to store a passkey, you will need a FIDO2 PIN. Because many sites require a PIN, you should try to set up the PIN first before registering a key with a service so that you don’t have to backtrack and de-register/re-register services.
YubiKeys don’t come with a FIDO2 PIN programmed; you must set one yourself through the YubiKey Manager. A security key’s PIN differs from a password: it is stored on the key’s hardware, is never sent to the service, and has no value without the key itself. Entering the PIN unlocks access to the private keys stored in the key’s hardware. It is those private keys, not the PIN, that authenticate you to a service using public key cryptography. Because the PIN can only be tried against the physical key, which locks after a small number of wrong attempts (see ‘If your key is lost or stolen’ below), PINs aren’t subject to the same security requirements as passwords, making it reasonable to choose a PIN that will be easy to remember such as a word or phrase. YubiKey PINs can consist of 4 to 63 alphanumeric characters.
Setting a FIDO2 PIN is not a forever decision. If needed, you can change or reset a PIN through the YubiKey Manager. After struggling to remember my PIN, I changed it to a phrase that was easier for me to recall. Changing a PIN only changes the value of the PIN itself, so there is no need to revisit any account settings. The key will continue to function as it did before. Resetting the FIDO application is different: it erases the credentials stored on the key and therefore deregisters it from all accounts with which you’ve paired it using FIDO2/WebAuthn or Universal 2nd Factor (U2F). It is important not to select ‘reset’ unless you intentionally want to deregister those accounts.
Registering your key as a passkey
The term ‘passkey’ refers to a FIDO2/WebAuthn credential that permits passwordless authentication: it is stored on the authenticator as a discoverable (resident) credential, so the service can locate it without first asking for a username, and it is unlocked with the key’s PIN (user verification). Passkeys use public key cryptography to authenticate and are more secure than password login methods. When enabling passkeys, you have the choice to generate one in the platform’s built-in authenticator (the phone or computer itself) or on a separate device such as a mobile phone or security key. YubiKeys can currently hold up to 25 unique passkeys, but as the number of services offering passkeys continues to grow, that capacity will likely expand with newer models. Like FIDO2 PINs, passkeys stored in YubiKeys are bound to the physical hardware of the key and cannot be copied, unlike synced platform passkeys, which are copied between a user’s devices through a cloud account. Hardware-bound passkeys are thus more secure than a platform-generated passkey.
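The two WebAuthn settings discussed above, User Verification (which is what makes the browser ask for the key’s FIDO2 PIN) and the discoverable/resident credential (which is what makes a registration a passkey rather than a plain MFA credential), are chosen by the website, not the user. The following is an added example, not code from the original post or from Yubico or any of the services listed. It shows the registration options a relying party passes to `navigator.credentials.create()` for a passkey versus an MFA-only registration, and the check the relying party performs afterwards on the authenticator’s response to confirm that the PIN really was used. The `rpId`, user names and the sample authenticator data are constructed for this example.

```javascript
// Added example, not from the original post. Relying-party side of WebAuthn
// registration: which options trigger the PIN prompt and create a passkey,
// and how the server confirms afterwards that user verification happened.
// rpId, user names and the sample authenticatorData below are constructed.

function buildCreationOptions({ rpId, rpName, userId, userName, challenge, passkey }) {
  // challenge: random bytes generated and remembered by the server for this ceremony.
  return {
    rp: { id: rpId, name: rpName },
    user: { id: userId, name: userName, displayName: userName },
    challenge,
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    authenticatorSelection: {
      authenticatorAttachment: "cross-platform", // roaming authenticator such as a security key
      // A passkey is a discoverable (resident) credential stored on the key;
      // plain MFA registration does not need one.
      residentKey: passkey ? "required" : "discouraged",
      requireResidentKey: Boolean(passkey),
      // "required" forces the PIN prompt. "preferred" is the WebAuthn default when the
      // site says nothing: the browser asks for the PIN if the key has one but does not insist.
      userVerification: passkey ? "required" : "preferred",
    },
    timeout: 60000,
    attestation: "none",
  };
}
// In the browser: navigator.credentials.create({ publicKey: buildCreationOptions({...}) })

// Bit positions of the flags byte in authenticatorData (WebAuthn section 6.1).
const FLAG_UP = 0x01; // user present: the key was touched
const FLAG_UV = 0x04; // user verified: the key checked the PIN (or a biometric)
const FLAG_AT = 0x40; // attested credential data follows (registration responses)

function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  const flags = authData[32];
  return {
    rpIdHash: authData.slice(0, 32),      // SHA-256 of the rpId the key signed for
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    hasAttestedCredential: (flags & FLAG_AT) !== 0,
    signCount: view.getUint32(33, false), // big-endian signature counter
  };
}

// Post-ceremony check on the server: presence (touch) is always required, and
// verification (PIN) must have happened whenever the site asked for it.
function checkUserVerification(authData, uvRequired) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) {
    return { ok: false, reason: "user presence (touch) not asserted" };
  }
  if (uvRequired && !parsed.userVerified) {
    return { ok: false, reason: "PIN/user verification required but not performed" };
  }
  return { ok: true, reason: "" };
}

// Constructed sample authenticatorData: 32-byte rpIdHash placeholder, flags byte, 4-byte counter.
function sampleAuthData(flags, counter) {
  const buf = new Uint8Array(37);
  buf.fill(0xab, 0, 32);
  buf[32] = flags;
  new DataView(buf.buffer).setUint32(33, counter, false);
  return buf;
}

// Stand-alone demo: a response where the key was touched but no PIN was entered.
console.log(checkUserVerification(sampleAuthData(FLAG_UP, 7), true));
```

The UV flag is the only evidence the website ever gets that a PIN was entered; the PIN itself never leaves the key. A site that sets `userVerification: "required"` but skips the flag check on the response gains nothing from the PIN, which is why the check is part of the example.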
Table 2 lists services that currently allow users to register a security key as a passkey. For more information about services that support passkeys, you can check out the Passkeys.directory website. Please note that the services listed below specifically allow hardware security keys to serve as passkeys.
| Websites and applications that support passkey use | Supports alternative and/or backup login methods | When signing in after the key is set up as a passkey |
|---|---|---|
| Microsoft | Yes | Enter your email and follow the prompts on how to use the key. |
| | Yes | Enter your email and follow the prompts on how to use the key. |
| Kayak | Yes | Select ‘Sign in’, then ‘Continue with email’, and follow the prompts on how to use the key. |
| eBay | Yes | Select ‘Sign in with security key’ and follow the prompts on how to use the key (only allows one FIDO2 key to be registered). |
| Adobe | Yes | Select ‘Sign in with passkey’ and follow the prompts on how to use the key. |
| DocuSign | Yes | Select ‘Log in Without Password’ and follow the prompts on how to use the key. |
Registering your key for MFA
The website and applications in the table below offer easy-to-follow instructions for registering a security key as an MFA method with their service. It is always good to have alternative or backup MFA methods established as a safeguard in case your key is not available.
| Service | Supported devices | Compatible hardware keys | Supports alternative and/or backup MFA methods? |
|---|---|---|---|
| | Computer, Android, iPhone, and iPad | Google Titan Security Key, YubiKey, or any FIDO2-certified security key | Yes |
| Apple | iPhone, iPad, and Mac | Requires at least two (2) FIDO2-certified security keys such as YubiKey 5C NFC, YubiKey 5Ci, and FEITIAN ePass K9 NFC USB-A | Yes |
| Microsoft | Microsoft Account and Windows | YubiKey 5 Series or any FIDO2-certified and Microsoft-compliant security key | Yes |
| | Computer, iPad, iPhone, Android, and mobile browser | Any Universal 2nd Factor (U2F) or FIDO2-certified security key such as the YubiKey 5 Series | Yes |
| | Desktop, iOS, and Android | Doesn’t specify | Yes |
| | Instagram app on Android and iPhone | Yubico Authenticator (doesn’t support the key itself) | Yes |
| Yahoo | Mobile browser | Any FIDO Universal 2nd Factor (U2F) compatible key | Yes |
Using your key
Once you register your key with a service, you can use it right away! Hardware security keys have no battery to charge and need no network connection of their own; they draw power from the device they are plugged into or held against. Whether you’re using your key as a passkey or for MFA, once you get to the step where it is time to use your key, you will receive prompts that tell you what to do with it. After following the prompts successfully, you will receive access. All in all, the whole process only takes a few seconds. For MFA in particular, I find it much faster than using an OTP or responding to a push notification.
If you use a password manager, you can consider adding a security key as an extra layer of defence. If someone learns your password manager’s primary password (or phrase), they still cannot sign in to your vault without the key. Note that in most password managers the key protects sign-in to your account rather than the encryption of the vault data itself, so a strong primary password remains essential. The YubiKey 5Ci works with major password managers such as LastPass Premium, 1Password, and Bitwarden Premium. Learn more about password managers and how they can help you secure your identity online.
If your key is lost or stolen
As with any physical token or device, there is the potential for you to lose your physical key or for someone to steal it. While no one wants to lose a key, either by theft or bad luck, sometimes things just happen. Taking a proactive approach by preparing for the worst (and hoping for the best) is the most practical thing to do. First, ensure that you have at least two security keys — a primary and a spare — registered to all your accounts.
Next, check to see if the services or applications with which you’ve registered your keys accept alternative authentication methods and set them up if available. Lastly, keep your primary key in or on something that is always accessible to you such as a keyring so if it does end up going missing, you can discover it right away. You should store your spare key somewhere secure where no one else can access it such as in a safe or lockbox.
While the idea of losing a security key can be panic-inducing, remember that nothing useful can be read from a YubiKey without its PIN: the list of passkeys stored on it (and the account names they carry) can only be viewed after the PIN is entered, and the private keys never leave the hardware at all. YubiKeys also have a built-in control that locks the FIDO application and destroys all private keys stored on the YubiKey after eight consecutive incorrect PIN attempts. If someone were to find your lost key and try to use it on their device without knowing to whom it belongs, they wouldn’t find it to be of use. This is true even for accounts where you use a key as a passkey. For example, to use a key as a passkey for Google, you would first need to select your account username, then select the key as a login method, and then, after using the key (inserting, holding near, and so forth), you would need to respond to a FIDO2 PIN prompt.
The threat is different if your key is suspected to be intentionally stolen. In this situation, you can’t rule out that someone might have observed your PIN and/or compromised your credentials as part of a profiling activity. To protect against this type of targeted threat, be aware of your surroundings and look out for shoulder surfers when using your key and entering your PIN. Think of your PIN as your wallet and your key as what is inside. By using your key discreetly and being cognizant of where you keep it when not in use, you can minimize the risk of targeted theft.
If your key does end up lost or stolen, you should use your spare key to access your accounts and deregister the passkeys stored on the missing key from all services, thus making it unusable. The process for deregistering a key may differ based on the service, but in most cases, you would remove it in the same place where you added it. If you only had two keys to start with, you would also need to purchase an additional key so that you have a new spare to rely on.
Damaging your key
Another potential concern associated with a physical key may be the ease with which it could be damaged. Yubico asserts that their security keys are built to last and are difficult to damage. The YubiKey 5Ci is:
- Made with glass-fibre reinforced plastic
- Water-, dust-, and crush-resistant
- Usable without batteries
- Unhampered by moving parts that can come apart
My key has been tossed about in my bag for a few months now. It seems no worse for the wear.
Retiring your key
When the security key reaches the end of its life or is no longer needed, first deregister it from every account, then reset its FIDO application (which erases the credentials stored on it), and only then dispose of it as electronic waste. In addition to local waste management stations, many major retailers offer electronics recycling and disposal.
There were a few situations where I found troubleshooting to be necessary or processes to not be as intuitive as I thought. This section will go over some of those situations and how to address them.
When setting up my spare key, I encountered an error that read, ‘Failed connecting to the YubiKey’. This appears to be a common error that can occur across OSs for many reasons. In my case, I was working in Windows 11 and just needed to right-click and ‘Run as administrator’. Once I did that, I was able to continue setting up the keys with no problems. Yubico has some troubleshooting tips should you encounter the same error.
Some services, like Instagram, don’t offer security keys as an MFA method and require authenticator (TOTP) codes instead. The Yubico Authenticator is a companion app for the YubiKey: it produces the same time-based codes as apps such as Google Authenticator, but the secrets are stored on the YubiKey rather than on the phone or computer, so the key must be present to generate a code.
To add a service to the Yubico Authenticator, you need to first plug your key into the device where you have the authenticator. Next, you should access the service that you want to add to the authenticator on a different device. For example, if using the authenticator app on a mobile device, you should look up the services on a laptop or desktop computer.
Most services will either display a QR code for you to scan or provide a secret key that you can enter into the ‘secret’ field. Learn how to set up and use the Yubico Authenticator for MFA.
Changing or resetting your FIDO2 PIN on Windows
If you decide to intentionally change or reset the FIDO2 PIN associated with your YubiKey, you can do so through the YubiKey Manager application. These instructions will describe the steps for using the application on a Windows machine. On your machine, navigate to the folder where the YubiKey Manager is stored and right-click to ‘Run as administrator’. You will then be prompted to insert your key. Go to the ‘Applications’ tab and then toggle to ‘FIDO2’. There will be two options — one to change the PIN and one to reset it.
If changing your PIN
Select the option that will let you ‘Change PIN’. Next, you will enter your current PIN and your desired new PIN (twice to confirm). The PIN can be anywhere from 4 to 63 alphanumeric characters. Once you have changed your PIN, it will be updated for all accounts that require it.
If resetting your PIN
Select the option that will let you ‘Reset FIDO’, and then click ‘Yes’. Next, you will be prompted to remove, reinsert, and touch your key to complete the reset. Yubico’s support page has more information about how to reset the FIDO application. Note that only services registered to the key using FIDO2/WebAuthn or U2F are affected; the key’s other applications are left alone. You can use the Works with YubiKey catalogue to search for which services work with your key and use FIDO2/WebAuthn. Before resetting, confirm that you have alternative ways to access your accounts, such as an extra security key.
Here are YubiKey Manager download resources and instructions for the following operating systems:
Looking back on my security key experiment
Overall, I found the process of setting up a hardware security key and linking it to my accounts relatively easy to do. Determining where to add the key within my account settings was often more difficult than registering it. Usually, it ended up being in a section that contained the word ‘security’ or ‘two-factor authentication’. When in doubt, the search bar came in handy. Once I registered my key, I received on-screen prompts with step-by-step instructions on what to do and when. The thing that I like best about the key is knowing that this little piece of technology is providing my accounts with the highest level of protection.
Learn more about your options for protecting your accounts.
Lindsay Graham is an Intern at the Center for Internet Security’s CTO Office.
Kathleen Moriarty is the Chief Technology Officer at the Center for Internet Security and the former IETF Security Area Director. She has more than two decades of experience working on ecosystems, standards, and strategy.
Adapted from the original post on CIS Blog.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.