Choosing the correct FIDO2 keys
In previous blog posts, I have already talked about my love for passwordless. I really love the concept behind it and use it extensively.
As a consultant, I have about 15 Azure AD accounts which I use frequently. Each one has a randomly generated password of 128 characters stored in LastPass (that's all fun until you have to log into a physical device with that account :D). On top of that, each account is also protected through multifactor authentication, which is registered in my Authenticator app.
Things can get pretty complex with such a large number of accounts, which is why I tend to lean towards FIDO2 keys.
If you are in the market for a FIDO2 key, you'll notice they come in all shapes and sizes. You have a choice between a ton of vendors, different connectors (USB-A/USB-C/Lightning), different wireless protocols (Bluetooth/NFC) and different form factors.
Throughout my search for the perfect FIDO2 key, I have tried a ton of them. This blog will walk you through the differences and my personal recommendations. There is no rocket science behind this blog; this is just me spitting out my opinion. In this blog we will go over the following:
- Authentication method
- Connection methods
- Form factor
- Setup and ease of use (includes vendor software and documentation)
Authentication method
The authentication method is the most important choice when looking for a FIDO2 key. While most keys used a PIN code two years ago, biometric authentication through a fingerprint reader is omnipresent now.
It's obvious that biometric authentication is recommended over a PIN code, as a fingerprint can't be passed along to a colleague or shoulder surfed. The fingerprint is matched on the key itself and the template never leaves it. Note that the phishing resistance comes from FIDO2 binding the credential to the site, which is the same whether you verify with a PIN or a fingerprint; the biometric only raises the bar for someone who gets hold of the key. Of course, there is a price difference (around $30 for a non-biometric key and $50-60 for a biometric one), but that price difference is worth it in my opinion. If you are already looking for a FIDO2 key, it means you want to implement strong authentication. Why not do it right from the start and use biometric authentication?
Most vendors already have biometric options. While companies like Feitian and Authentrend have supported them for a while, Yubico recently came out with their biometric YubiKey as well. It's important to note that a PIN still has to be configured when using biometric keys, comparable to the process for Windows Hello for Business. The PIN can still be used when biometric authentication is not available (when you are wearing gloves or your fingers are wet). While a fallback is great, it still means a strong PIN code is recommended. Unlike Windows Hello for Business, we cannot set up policies to require strong PIN codes; this comes down to the requirements set by the vendor of the key (the CTAP2 default is a minimum of 4 characters, and only some newer CTAP 2.1 keys let you raise that minimum per key with the vendor's management tool). So an end user can still choose a PIN of only 4 or 6 digits. What keeps that from being a disaster is that the key itself rate limits PIN attempts: after eight consecutive wrong PINs the key locks and has to be reset, which wipes the credentials stored on it.
Connection methods
In the previous few years, USB-A was omnipresent in FIDO2 keys. Nowadays, a ton of different connectors are available: USB-C, Lightning and wireless protocols such as Bluetooth and NFC. There is no 'best' connection method, as this greatly depends on your own use cases. If you are only going to be using it on your primary work device, a USB-A key is probably fine. But if you are going to be using it on different notebooks and mobile devices, a different connector might be recommended.
Besides the regular USB connections, manufacturers have been creating FIDO2 keys which use Bluetooth or NFC. The advantage is that they don't require you to plug in the key when you want to authenticate. This is great when your device is hidden away in a docking station and you don't have immediate physical access to it. Both Authentrend and Feitian have a plethora of choices, and I really like the idea behind it. The enrollment process is a little trickier, as the devices need to pair over Bluetooth before they can be set up. That enrollment process varies greatly between vendors: while the process from Authentrend is a little tricky with lots of flashing lights, I found connecting a Feitian K43 pretty seamless. Once they are connected, logging in with FIDO2 works great, although there is some delay between turning on your FIDO2 key and a successful Bluetooth connection.
I prefer a wireless-capable USB-C FIDO2 key like the Feitian K43. This means I can use the Bluetooth connection when I don't have a USB port available. But when Bluetooth is not an option or the battery of the key has died, I can still connect using a USB-C port. Because I am using an Android device, this means I can also connect it to my phone over USB-C.
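Whether a key does on-device biometrics, whether a PIN is set, what minimum PIN length it enforces and which transports (USB, NFC, Bluetooth) it advertises are all things the key reports itself in its CTAP2 authenticatorGetInfo response, so you can check them before rolling keys out rather than trusting the datasheet. The Python below is an added example for this post, not code from the original nor from Feitian, Authentrend or Yubico: it classifies a getInfo response for both the authentication-method and the connection-method points above. The two sample responses are constructed, and the optional read_device_info() helper, the only part that talks to hardware, assumes the python-fido2 library.

```python
# Added example for this post; not code from the original page or from any key vendor.
# Classifies a FIDO2 key's CTAP2 authenticatorGetInfo response: on-key biometrics,
# PIN state, the minimum PIN length the key enforces (only CTAP 2.1 keys report one,
# the protocol default is 4) and the transports (usb / nfc / ble) it advertises.
# The sample responses below are constructed, not captured from real keys.
from dataclasses import dataclass, field
from typing import Any, Mapping

CTAP2_VERSIONS = {"FIDO_2_0", "FIDO_2_1", "FIDO_2_1_PRE"}
BLE_WARNING = "Bluetooth key: it has a battery, so keep a wired (usb/nfc) fallback"


@dataclass
class KeyAssessment:
    fido2: bool               # speaks CTAP2; a U2F-only key cannot do passwordless sign-in
    biometric: str            # "enrolled", "supported" (reader present, nothing enrolled) or "none"
    pin: str                  # "set", "supported" (no PIN yet) or "none"
    min_pin_length: int       # minimum the key itself enforces
    transports: tuple
    warnings: list = field(default_factory=list)


def _tri_state(options: Mapping[str, bool], name: str, configured: str) -> str:
    # getInfo options are tri-state: absent = unsupported, false = supported but
    # not configured, true = configured.
    if name not in options:
        return "none"
    return configured if options[name] else "supported"


def assess(info: Mapping[str, Any], required_min_pin: int = 6) -> KeyAssessment:
    options = info.get("options", {})
    versions = set(info.get("versions", ()))
    transports = tuple(info.get("transports", ()))
    is_fido2 = bool(versions & CTAP2_VERSIONS)

    # Biometric keys expose bioEnroll (older firmware: userVerificationMgmtPreview).
    bio_option = "bioEnroll" if "bioEnroll" in options else "userVerificationMgmtPreview"
    biometric = _tri_state(options, bio_option, "enrolled")
    pin = _tri_state(options, "clientPin", "set")
    min_pin = int(info.get("minPINLength", 4))

    result = KeyAssessment(is_fido2, biometric, pin, min_pin, transports)
    if not is_fido2:
        result.warnings.append("U2F-only key: fine as a second factor, not for passwordless sign-in")
    if biometric == "none":
        result.warnings.append("no on-key biometric reader; the PIN is the only user verification")
    if pin == "supported":
        result.warnings.append("no PIN set yet; a PIN is required before enrolment, also on biometric keys")
    if min_pin < required_min_pin:
        msg = f"key enforces a minimum PIN of {min_pin} characters, below the wanted {required_min_pin}"
        if options.get("setMinPINLength"):
            msg += "; raise it per key with the vendor tool (CTAP 2.1 authenticatorConfig)"
        else:
            msg += "; this key cannot be configured to enforce a longer PIN, so brief your users"
        result.warnings.append(msg)
    if "ble" in transports:
        result.warnings.append(BLE_WARNING)
    return result


# Constructed sample responses (field names follow CTAP2 getInfo).
BIOMETRIC_BLE_KEY = {
    "versions": ["U2F_V2", "FIDO_2_0", "FIDO_2_1"],
    "options": {"rk": True, "up": True, "uv": True, "clientPin": True,
                "bioEnroll": True, "credMgmt": True, "setMinPINLength": True},
    "minPINLength": 4,
    "transports": ["usb", "ble"],
}
PIN_ONLY_USB_KEY = {
    "versions": ["U2F_V2", "FIDO_2_0"],
    "options": {"rk": True, "up": True, "clientPin": False},
    "transports": ["usb"],
}


def read_device_info() -> dict:
    # Assumption: the python-fido2 library (pip install fido2) and one key on USB HID.
    from fido2.hid import CtapHidDevice
    from fido2.ctap2 import Ctap2

    devices = list(CtapHidDevice.list_devices())
    if not devices:
        raise RuntimeError("no FIDO2 key found on USB")
    info = Ctap2(devices[0]).info
    return {"versions": info.versions, "options": info.options,
            "minPINLength": info.min_pin_length, "transports": info.transports or []}


if __name__ == "__main__":
    for name, sample in (("biometric BLE key", BIOMETRIC_BLE_KEY),
                         ("PIN-only USB key", PIN_ONLY_USB_KEY)):
        a = assess(sample)
        print(f"{name}: biometric={a.biometric} pin={a.pin} "
              f"min_pin={a.min_pin_length} transports={a.transports}")
        for w in a.warnings:
            print("  -", w)
```

Run it as-is to see the two constructed keys classified; replace the sample with `read_device_info()` to audit a real key plugged into USB. The tri-state reading of the options map is the part worth remembering: `clientPin: false` means the key supports a PIN but nobody has set one yet, which is exactly the state a freshly unboxed biometric key is in.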
Form factor
Besides the choices in different connectors (both wired and wireless), there are a ton of different form factors out there: while the ATKey.Card from Authentrend is pretty large, the ATKey.Pro or YubiKey Nano are compact.
The choice of form factor is a personal one, but extremely important. If you are connecting accounts to the FIDO2 key, you need to ensure you will always take the key with you. At first, I attached the key to my car keys, as I was using it when I was on site at a customer, but due to the ongoing pandemic I have been working from home most of the time, with my car keys somewhere else. Nowadays, I just leave it on my desk and put it in my pocket when I move. That's why a medium-sized FIDO2 key is the winner for me. It's not so small that I will lose it, but not so big that it's a hassle.
Besides the size of the key, it's also important to check how the key fits into your computer. Regular USB keys, like the YubiKey, are the most common and fit in almost any computer. The downside is that they have quite a bit of 'flex' and can move when you touch them. An alternative is the ATKey.Pro from Authentrend, which is much smaller. The downside is that it is pretty thick and can be too large for really thin laptops such as the new MacBook Pro.
There is no right or wrong choice here; it's just important that you think about the choice you are making.
Setup and ease of use
Each vendor comes with a different user experience. This difference surfaces in the way of connecting, in the vendor's software app and in the documentation.
If you are using a recent Windows 10 build (1903 or higher), the setup of your FIDO2 key can be done from the Settings app (Accounts > Sign-in options > Security Key). This makes the setup relatively easy and the same across hardware vendors. While all of the vendors have a separate application to manage the keys and enroll fingerprints, I find it most convenient to use the built-in Settings app.
Where the setup experience really differs between vendors is with wireless devices. These devices need to pair over Bluetooth and have multiple LEDs to indicate their status. All of these flashing lights can be pretty confusing. While most vendors have documentation, this is not an ideal end-user experience. That's why I would only recommend wireless FIDO2 keys for your administrators and IT personnel, and provide USB keys to your end users.
A clear distinction between vendors can be observed in documentation. Authentrend had some great, easy to find documentation, while the documentation of Feitian was a little hidden away and not as extensive. But once you get it going, I really enjoyed the experience of the Feitian K43. The card itself is really nicely built and the flashing LEDs are logical and give clear instructions. This compares with Authentrend, where the card itself doesn't feel 'as good' and the flashing lights can be extremely confusing.
While the market for FIDO2 keys is always expanding, with new vendors and keys constantly appearing, the choice of a FIDO2 key is personal. I would suggest looking into biometric FIDO2 keys. The vendor, form factor and connection method really depend on your preferences and use cases.
Whether you prefer a wired USB-C FIDO2 key for simplicity or a wireless Bluetooth one for convenience is up to you. It's important to think about the use cases in which you will be using the key and what devices you are connecting to. Just remember to always buy two keys: one as your primary device and one as a backup, as you don't want to lose access to your accounts when you lose your key. Register the backup on every account at the same time as the primary; a key that was never registered is not a backup.
A quick poll on Twitter and LinkedIn showed me that YubiKeys are still the most popular key out there. Yubico is the steadiest company and has been around the longest. While they are an easy choice, I do recommend checking out vendors like Authentrend and Feitian, as they have a bigger range of products.
But what is my daily driver? I have chosen the Feitian K43, as it's a biometric key that supports both Bluetooth and USB-C. This ensures it's secure and can be used wired and wireless. I am looking into the Feitian K33, as it's essentially the same key in a smaller form factor. As my backup key, I have chosen the YubiKey Bio USB-C. Yubico is still the biggest vendor out there and is trusted by many, and a ton of applications have native support for YubiKeys. By using a different vendor for my backup key, I ensure I am not locked into a specific product.
I have an IDMelon on the way too, which looks like an extremely interesting device!
What do you look for in a FIDO2 key? Leave a comment and let’s have a chat.