Yubikey Bio Reviewed (GitHub Auth & Linux Login)

I’ve been using Yubikey products for some time now, after they hooked me up with their 5Ci and NFC. They have become integral to my workflow. Since I work across a number of devices, including many freshly provisioned Raspberry Pi’s, I tended to scp private keys between devices to save the hassle of provisioning a new one. I’d keep some amount of key hygiene, and trash the scattered-all-over-device ones occasionally but I think we’re probably all on the same page when I say: this was not good.

If you’re not, I’ll outline the issue in brief: Having keys scattered across very small, easy to go missing computers and microSD cards meant they could be pinched and though they were password protected it’s all too easy to leak that password into .bash_history. Game over. Oh and guess who has a bad habit of using the default “pi” and “raspberry” login?

Yubikey replaced this rather cumbersome – and tremendously insecure – arrangement with a single, secure device and I haven’t looked back.

With a Yubikey I can connect it to the Pi I happen to be working on, and return it to my – physical! – key chain when finished. No key remains on the device to be found, and – since they’re unlocked by a touch, not a password – no secrets can ever be accidentally keylogged either.

I was lucky enough for them to send me their new Yubikey Bio recently to take a look at. It probably wont surprise you to learn that I’m a fan.

Yubikey Bio takes the convenience of Yubikey and ups the ante, trading a small amount of convenience (a touch now needs to be a recognized fingerprint) for an additional layer of security. In short; if I leave my Yubikey 5Ci plugged into a Raspberry Pi then anyone can use my private key with just a touch. If I do the same with the Bio? They can’t.

In this… review?… I’ll touch upon a few of the useful things you can do with Yubikey Bio and delve into some specific config. This is not a guide, however, so expect to do some sleuthing of your own to get things set up on your particular distribution or OS. Ping me on the bird site if you do something cool!

A Small Loss Of Convenience

Touching a Yubikey – such a a 5Ci – is a near automatic and completely faultless process for me now. I use a keyboard with a built-in USB hub (now the DasKeyboard 4C TKL) so the Yubikey is close at hand.

Touching a Bio is a slightly different arrangement. You need to use a registered finger, and you can’t be too sloppy or it’ll – after three tries – lock you out. Regaining access isn’t tricky- you just fire up Yubikey Authenticator, try to configure your key and type your password when it prompts you- but if you’ve relied upon the Bio for system login… *that* might be a problem!

For the most part this tiny, capacitive fingerprint sensor has worked incredibly well but there are instances where it just … doesn’t. One particularly frustrating example is when I’m using my Star Lite in bed. Standard horrible-for-my-back-curled-over-like-a-kidney-bean posture. I’m doing it right now. For some reason something about this positioning or posture, the angle of my finger, location, computer or combination of all the above causes the Yubikey Bio to be *very* temperamental. Indeed I wanted to auth SSH access and system login, but I cannot for love nor money get it to work reliably *in this specific situation*. This makes me apprehensive to rely totally upon the Bio.

Sat at a desk is a completely different story, the Yubikey Bio plugged into the same laptop with the same power supply except perched upon a desk or a kitchen table will work with near 100% reliability, with the very occasional second try needed. Perhaps Yubico are indirectly commenting on my poor computing habits, perhaps it’s a weird capacitance or grounding issue caused by having my elbow in contact with the bed and the laptop wedged into my stomach. I don’t know.

A non-biometric Yubikey will work 100% of the time in both scenarios. This is something to consider before you march in and set up the u2f pam module for biometric system login.

It’s not all doom and gloom, though, I use the Yubikey Bio with my Alienware workstation every single day, authenticating multiple GitHub pushes and achieving dozens of successful authentications.

Setting up

While you can set up your Yubikey Bio using a browser, I chose the Yubico Authenticator desktop app. You can set up and name multiple fingerprints and it helps to play around until you get good accuracy and repeatability.

You can find Yubico’s onboarding flow here- https://www.yubico.com/to/setup/yubikey-bio-series/ – it’s surprisingly good, with accompanying video tutorials, suggesting Yubico are aiming at mass market appeal for Bio and not just us geeks.

It took me a few fingerprint re-assignments until I got something I was happy with, but it’s worth putting in the effort.

GitHub & SSH Resident Keys

I swear every time I try a new Yubikey I get slightly closer to perfection with my SSH workflow. On my first Yubikey – the 5Ci – I used GPG to provide my SSH keys in what is perhaps the most contrived, and yet seemingly most compatible with Windows 10/WSL 1, method available. On my second Yubikey – the NFC – I discovered pkcs11 and the Yubico-flavored ykcs11. This was a slight improvement in workflow, requiring only the right “pkcs11” module to be installed, followed by a somewhat contrived ssh-add invocation like: ssh-add -s /usr/lib/x86_64-linux-gnu/libykcs11.so. If you’re thinking “woah, that’s a lot of tappety tap to add an SSH key” then, yes, you’re right. This is compounded by pkcs11’s somewhat finicky nature, enough to make this approach somewhat grating. Eventually you’ll write a script that removes/re-adds the module because you’ll do it a couple of times a week and forget the filepaths, or you’ll be on another device and forget to even add it at all. It’s… inconvenient.

Enter Yubikey Bio and my discovery of resident keys. Resident keys are supported on any Yubikey with FIDO2/U2F support, so I could have used this method all along and saved myself the headache. Hindsight is 20/20. I always find myself lodged in the grove of whatever method I’ve set up on an existing key and unwilling to spend the time researching new ones. New Yubikeys give me an opportunity to change that.

To generate a resident key for a Yubikey Bio just run:

ssh-keygen -t ed25519-sk -O resident -f ~/.ssh/yubikey_bio

Enter your PIN and touch your Yubikey.

This will create ~/.ssh/yubikey_bio (your private key) and ~/.ssh/yubikey_bio.pub (your public key).

To add your new key to SSH you can then run:

ssh-add -K

And enter your PIN.

This, you might notice, is a lot easier to type and remember than the wordy pkcs11 method. It’ll also work on any computer, adding your Yubikey to SSH without your private key being accessible.

To authenticate to GitHub you can either copy the contents of your ~/.ssh/yubikey_bio.pub or- if you’re on another computer- run ssh-add -L and copy the output. Go to https://github.com/settings/keys to add your new SSH key to your account.

GitHub & Two-factor Authentication

While you’re plumbing about in your GitHub account you should also – if you haven’t already – set your Yubikey Bio up as a two-factor authentication method. You can do that at https://github.com/settings/two_factor_authentication/configure

The protocols that Yubikey Bio supports are integrated right into most browsers (I use Firefox on Linux) so you can just hit “Register new security key” and away you go.

Unplug To Lock

Whether or not you plan to use the Yubikey Bio – or any other Yubikey for that matter – as a method of logging into your computer it’s very effective as a way of logging out. At least if you’re running Linux.

By using udev – the subsystem responsible for device events – you can detect when your Yubikey Bio is unplugged and run a script. If that script happens to enumerate and lock your system sessions and hang up remote terminals… you’ve got a one-pull-log-off.

This is useful because it helps you form the habit of removing your Yubikey and carrying it with you, rather than locking your screen manually or via keyboard shortcut.

So how do we set it up? It’s fairly straight-forward and these steps worked for me in Linut Mint on my Star Lite:

Let’s use the power of nicking-ideas-from-a-GitHub-gist. In this case, we’ll follow https://gist.github.com/seanlinmt/2530b60e108a0d60d0faed4277e86595 and modify for the Yubikey Bio accordingly.

First create a new file: /usr/sbin/u2f-screen-lock.sh

And stick the following into it:

!/bin/bash
user=`ps aux | grep -v root | grep session | head -n 1 | awk '{print $1}'`
sessionids=`loginctl list-sessions | grep ${user} | awk '{print $1}'`
for sessionid in $sessionids
do
        loginctl lock-session $sessionid
        echo "U2F locked sessionid $sessionid  ($user)" | systemd-cat -p info -t udev
done

# close any other tty sessions
ttys=`who | grep tty | grep -v \(:0\) | awk '{print $2}'`
for tty in $ttys
do
        pkill --signal HUP -t $tty
        echo "U2F killed $tty ($user)" | systemd-cat -p info -t udev
done

This magic script is responsible for locking your system. It will lock all non-root sessions and is rather complete. You can use journalctl -t udev to see the log entries it generates.

If this is a little foreboding, you might find a simple:

!/bin/bash
xdg-screensaver lock

Or similar abridged lock script would work for you.

Next we need to tell udev to run this script when the Yubikey Bio is removed. That’s pretty straight-forward.

Create a new file: /etc/udev/rules.d/85-u2f-screen-lock.rules

And stick the following into it:

ACTION=="remove", ENV{SUBSYSTEM}=="usb", ENV{PRODUCT}=="1050/402/*", RUN+="/usr/sbin/u2f-screen-lock.sh"

Apart from the obvious RUN entry for running the script, the crucial part of this line is 1050/402/* which the astute reader might notice bears an uncanny resemblance to the Yubikey VID/PID when you lsusb:

Bus 001 Device 046: ID 1050:0402 Yubico.com Yubikey 4 U2F

If you need to adapt this for a different device you can also run udevadm monitor --property and unplug/replug your device to figure out what this snippet should look like. You’ll see something like:

UDEV  [594288.152629] remove   /devices/pci0000:00/0000:00:15.0/usb1/1-6 (usb)
ACTION=remove
DEVPATH=/devices/pci0000:00/0000:00:15.0/usb1/1-6
SUBSYSTEM=usb
DEVNAME=/dev/bus/usb/001/046
DEVTYPE=usb_device
PRODUCT=1050/402/556
TYPE=0/0/0
BUSNUM=001
DEVNUM=046
SEQNUM=87792
USEC_INITIALIZED=593784966621
ID_PATH=pci-0000:00:15.0-usb-0:6
ID_PATH_TAG=pci-0000_00_15_0-usb-0_6
MAJOR=189
MINOR=45

Finally you can prompt udev to load your new rules using:

sudo udevadm control --reload-rules

Logging In

If you find your Yubikey Bio reliable enough you can use it to speed up your log in. You can set it up as a “sufficient” level of authentication in “pam” so that you always have your system password in case you – or someone trying to access your system – gets to the magic number of three unsuccessful attempts and locks out your key.

Yubico have their own PAM module, but development seems to have stalled. The last commit was in April (over 7 months ago at time of writing) and there are no active development branches.

I posted very brief instructions for setting up a u2f-capable Yubikey (this includes Bio) in a yubico-pam module GitHub issue requesting Bio series support. It looks like that support might not come to “yubico-pam” but since “u2f” is supported anyway and works well (as long as you don’t have full disk encryption!!) it’s a little academic. Find it at https://github.com/Yubico/yubico-pam/issues/232 or follow Yubico’s own instructions at https://developers.yubico.com/pam-u2f/.

Overall

I really mean it when I say that Yubikey Bio is the key I’ve been waiting for. It’s finally practical as a system login method without the risk of being an instant easy password bypass if I leave it plugged into my computer. SSH resident keys – while not new to this key – have made my workflow of jumping between computers effortless – and the fingerprint reader has been much more reliable (apart from in one particular circumstance) than I’d expected. It’s not quite the integrated-into-my-laptop solution that would be ideal but with small, device-edge fingerprint readers being a thing how long will it be before Yubico produce a tiny, plug-and-forget Bio?

If you don’t need to use your key with a mobile device (there’s 5Ci or NFC for that) then Bio is by far my favorite of the bunch so far. I’d recommend it as the go-to for new users looking for a solid GitHub workflow. You wont be spoiled by the effortless touch-without-biometrics that might otherwise put a user off the modicum of effort required to set up biometrics. While its ostensibly a *professional serious business* key its usefulness for even casual developers and web users with a need for 2FA across multiple accounts cannot be discounted. Sick of typing in those 2FA codes? Yeah. So was I. A Yubikey to hand basically puts a stop to that madness.

I should note: The Yubikey Bio *does not* support many of the more advanced Yubikey 5 series (5Ci/NFC etc) functions – ie: it *does not* support: Smart card, Yubico OTP, OATH, Open PGP or the Secure Static Password protocols. In practice this means that some service do not support the Yubikey Bio as a second factor… yet. LastPass – for example – is noticeably absent from the Yubikey C Bio store page but present in the specs of the Yubikey 5C This also means no GPG support, so you can’t use your Yubikey Bio to – for example – sign .deb packages or GitHub commits. Since these things are a little advanced for your average user- and usually even out of my league -, I don’t see it as a problem.

Microsoft accounts, Google accounts, Twitter, Facebook, Bitwarden (Premium :/), Dropbox, YouTube and many, many other services do, however, support the Bio’s FIDO2 and/or U2F protocols. Outliers such as Twitch, which don’t, will probably be dragged kicking and screaming into the future… eventually.