Using YubiKey Bio MPE

Do This First

Security key support for HYPR RP Applications must first be enabled in the Control Center under Workstation Settings.

API Calls

Calls for pairing (registering) a security key/passkey with an RP Application, including updating Recovery PINs, are described under RP Applications > Workstation > Security Keys in the HYPR Passwordless API.

This document describes how to manage security keys for the HYPR Passwordless client.

Definitions

Acronym	Definition
PIN	A personal identification number (PIN) is a set of characters used to unlock the smart card for use. The PIN is a decentralized secret the user should not share. The PIN is bound and used to unlock an authenticator. In the case of a hardware security key, such as a Yubico YubiKey, the PIN resides on the key and unlocks the authenticator that uses public/private key encryption to perform authentication. See the `securityKeyPinCharacters` configuration parameter description in Installing Manually.
PUK	A PIN unblocking key (PUK) is a code that is used by users or applications to reset a PIN that has been lost, forgotten, or locked because of too many failed attempts. The PUK is part of the PIV standard that the key follows.
PIV	Personal Identity Verification - or frequently associated together as a PIV Card - is commonly the reference to United States Federal smart card or security key that contains the necessary data for the holder to be granted to Federal facilities and information systems and assure appropriate levels of security for all applicable Federal uses. It is also a general means of reference for such devices and associated protocols and standards used for authenticating users securely.

Passwordless for Windows

Registration - Windows

Browser Registration - Windows

Once you have been instructed to follow the prompts to complete pairing, the following dialog will occur:
Click OK on the Continue setup dialog to grant permission to see the make and model of the key.
Type the key's PIN and click OK.

If you mistype the PIN, try again.
Type the PIN you want to use, then type it again to confirm it.
Touch the contact(s) on the security key.
Your security key is now registered with the app in question, and you are returned to the Device Manager.

Workstation Registration - Windows

Open the HYPR Passwordless client.
Click Start Pairing. You will be given a choice of pairing a Smartphone or pairing with a Security Key.
Select Security Key to continue.

Connect First
Make sure you are connected to your secure network, or a warning will appear upon clicking Start Pairing. If this occurs, just connect to your secure network and click Try again.
You will be asked to set a PIN for the key. Type the PIN once, then confirm it by typing it again in the second field. Click Pair.

PIN Sharing
YubiKey Bio MPE security keys feature a device PIN that is shared between the PIV and FIDO2 protocols. The PIN you set during the HYPR Passwordless registration will apply for both desktop authentication (PIV) and web access (FIDO2/WebAuthN).
PIN Requirements
- The PIN must be between 6 and 8 characters
- Users are not allowed to choose repeating digits in PINs, such as 111111
- The PIN may not be left as the default value of 123456
A browser dialog will ask you to touch the fingerprint sensor on your key. If you wish to bypass fingerprint registration, click Skip Fingerprint Registration.
You will have to touch it several times with the same finger to generate a good image.
Name the fingerprint. When you are satisfied with the name, click Set Name. To bypass naming your fingerprint, click Skip Name.
Click Finish. Wait for enrollment to complete. You may be asked to authenticate to the workstation.
The HYPR Passwordless client returns to the main screen. The paired security key now appears here with Edit (pencil icon) and Delete (trash can icon) options.

Authentication - Windows

Browser Authentication - Windows

When the browser prompt appears, enter your security key PIN.
Touch the contacts point(s) on your security key.
You are logged into the application.

Workstation Authentication - Windows

Insert your paired YubiKey Bio MPE into the USB port of the computer. Windows will offer the smart card icon as an additional login option. Click the smart card icon.
The YubiKey Bio Login dialog appears. Depending on your environment and configuration, you will be prompted to type your security key PIN or, on the key, touch the fingerprint sensor. To switch between methods, click Use [YubiKey Bio PIN/Fingerprint] instead.
Provided you have entered a correct PIN and/or used a registered fingerprint, HYPR Passwordless logs you in.

Deregistration - Windows

When unpairing a method from HYPR Passwordless, make sure you have another means of logging in. If you do not, we recommend pairing another method, such as the HYPR Mobile App, before unpairing your last method.

Browser Deregistration - Windows

HYPR handles unpairing the YubiKey Bio MPE from the RP application; no browser dialogs appear when this action is taken.

Workstation Deregistration - Windows

Partial Reset

Because the PIN on a YubiKey Bio MPE is shared, a PIN reset will also remove the FIDO2 credentials in the security key.

As a result HYPR does not fully reset the key during de-registration of a YubiKey Bio MPE and instead just removes the certificate and its corresponding private key.

Open the HYPR Passwordless client.
Click the trash can icon under the key you wish to remove.
Confirm the deregistration request.
Enter the security key PIN to confirm unpairing, then click Unpair.
HYPR informs you when unpairing is complete, then returns to the Device Manager.

Changing the Fingerprint and PIN - Windows

Open the HYPR Passwordless client.
Click the pencil icon under the key you wish to update. The Update Biometric Key dialog opens.
Choose the value you wish to update.
- Change PIN: You will be prompted to enter the PIN and confirm with with a second entry. When you are finished, click Finish to save the values.
- Manage Fingerprints: You may be asked to enter the PIN to access Fingerprint Management. A list of registered prints displays, including the name entered earlier (this will be blank if that part was skipped) and buttons to Save changes to the key, Cancel making changes, and Delete the key. Here you may also Delete All fingerprints or Add Fingerprint (repeats the pairing process described in Workstation Registration).
When you are finished making updates, click Go Back to return to the Update Biometric Key dialog; then click Cancel to return to the HYPR Passwordless Device Manager.

If a user cannot recall the key's PIN, they will have the option to reset the YubiKey Bio MPE; this will cause some of the credentials to return to factory defaults.

Partial Reset

Because the PIN on a YubiKey Bio MPE is shared, a PIN reset will also remove the FIDO2 credentials in the security key.

If the PIN is entered incorrectly too many times, the following message displays. Click Reset Device to initiate a factory reset.
A confirmation dialog displays. Click Reset to continue.
Once the key has been reset, a confirmation dialog appears. Since the PIN has been reset, the key must be paired again with HYPR. Click Pair Again to open the HYPR Passwordless Start Pairing dialog; see the Workstation Registration section in this article.

Passwordless for macOS

YubiKey Bio MPE is only supported for use on macOS via Web channel RP applications.

Browser Registration - macOS

Prompts given by a browser (Chrome) in this case to register a YubiKey Bio MPE key.

Choose how to manage your passkeys. Click Open 'Password Options".
Choose a location to save the passkey; in this instance, choose Use a phone, tablet, or security key.
Enter the PIN for the key, then click Next.
Repeatedly touch your finger to the Touch ID until your fingerprint has been successfully captured.
Touch your key once more.
Allow the site to see your key.