What's New on YubiKey Firmware 5.7? (2024)

On May 21, 2024, Yubico announced on its blog that YubiKeys shipping with the new 5.7 firmware would soon be available.

Reference: Yubico blog

I recently received a YubiKey 5C NFC with the latest 5.7 firmware, so I'd like to try it out and see what has changed.

YubiKey Appearance


The YubiKey I obtained this time has a Type-C USB connection.

Opened the blister pack.


It looks the same as the previous YubiKey 5.

Only the firmware was updated, so this is to be expected.

Changes in the firmware update

From Yubico's blog, here are the changes in this firmware update:

  1. Expanded passkey and passwordless storage capabilities – accommodating up to 100 device-bound passkeys (up from 25), 64 OATH seeds (up from 32), 24 PIV certificates, and 2 OTP seeds at once for a total of 190 credentials.

  2. Expansion and enhancement of public key algorithms, including support for larger RSA keys (RSA-3072 and RSA-4096), Ed25519, and X25519 key types enhances key management functions and flexibility for organizations, aligning with DoD memo requirements on stronger public key algorithms. Migration to Yubico’s own cryptographic library that performs the underlying cryptographic operations (decryption, signing, etc.) for RSA and ECC.

  3. Enterprise attestation facilitates the retrieval of unique identifiers during FIDO2 registration and streamlines asset tracking by allowing identity providers to read the serial number from the YubiKey during FIDO2 registration.

  4. Enhanced PIN complexity settings across all YubiKey applications, including FIDO2, PIV, and OpenPGP.

  5. FIDO Client to Authenticator Protocol (CTAP) 2.1 implementation brings improvements around the FIDO2 PIN, including Force PIN Change and Minimum PIN Length, addressing PIN requirements in “enroll on behalf” scenarios.

About 1:

The number of device-bound passkeys that can be registered has gone from 25 to 100, and OATH seed storage from 32 to 64 seeds. The 24 PIV certificate slots are unchanged. Only discoverable (resident) credentials count against the passkey limit; non-discoverable credentials, such as U2F-style second-factor registrations, do not consume storage on the key.

More services and products support passkeys now than when the YubiKey 5 series launched, so the higher limit is clearly aimed at future use.

Few people exceed 25 passkeys today, but the extra headroom will matter as more logins move to passwordless.

About 2:

Larger key lengths and additional algorithms are now supported: RSA-3072 and RSA-4096 alongside the existing RSA-2048, plus Ed25519 for signatures and X25519 for key agreement, notably in the PIV application.

Earlier 5.x firmware already offered several key types; what grows here is the security strength available to organizations, and the underlying RSA and ECC operations now run on Yubico's own cryptographic library. For PIV users, the practical effect is that a slot can now hold a 4096-bit RSA key or an Ed25519 key where RSA-2048 and the NIST P-256/P-384 curves were the options before.

About 3:

With enterprise attestation, the identity provider can read the YubiKey's serial number during FIDO2 registration and so identify the specific key. That lets an organization tie each key to its asset inventory and refuse registrations from personally owned keys. This is a deliberate departure from ordinary FIDO attestation, which is batch-based so that a key cannot be tracked across relying parties; under CTAP 2.1 the authenticator releases the identifying attestation only to relying parties it was configured for, or that the platform explicitly permits.

However, enterprise attestation has to be enabled through Yubico's custom configuration when the key is manufactured, so it is not available on stock YubiKeys that have already shipped.

About 4:

PIN complexity requirements can now be enforced for the FIDO2, PIV and OpenPGP PINs, such as rejecting weak or commonly used PINs.

However, like enterprise attestation, this also requires custom configuration at the Yubico factory, so it is not available on YubiKeys that have already shipped.

About 5:

PIN policy can now be set on the key itself: forcing a PIN change and enforcing a minimum PIN length.

This lets administrators decide how PINs must be used before distributing YubiKeys to end users. They can require a minimum length and make users change the PIN the first time they use the key, much like traditional first-login password rules.

It is a useful feature for administrators who need to enforce a written security policy, because the YubiKey can now carry that policy rather than relying on users to follow it.

It seems that these PIN restriction settings can be tried using commands, so I would like to try them out right away.

Trying out PIN restriction settings

Since the settings are usually done by the administrator, let's assume the following as an example.

  • You are an administrator and you distribute YubiKeys to employees for FIDO authentication.

  • You want to meet the company security policy requiring a PIN of at least 10 characters. (The FIDO2 PIN is counted in characters and may contain any characters, not only digits; the examples below use digits.)

  • You want each employee to set their PIN.

To meet these requirements, we will apply the following two settings to the YubiKey:

  1. Set the minimum PIN length.

  2. Require the PIN to be changed before the key is first used.

Now, let's get to the practical part.

Preparation for setting up

To change the PIN policy, you run commands with the YubiKey Manager CLI (ykman).

※ Note that the GUI version of YubiKey Manager does not expose these settings.

These subcommands were added in ykman 5.4.0, so download version 5.4.0 or later from Yubico's site.


Since my test environment is Windows, I'll download the Windows installer and run the installation.

Once the installation is complete, run the command prompt.

※ The command prompt must be launched with administrator privileges. On Windows, only administrators can talk to a FIDO device directly (non-admin processes are routed through the Windows WebAuthn API), and ykman needs that direct access for these commands.

The commands below are taken from Yubico's documentation.

Check the version of the command.

ykman -v

You can see that YubiKey Manager version 5.4.0 is installed.

Setting the default PIN

To restrict the PIN, it is necessary to set a default PIN beforehand.

※ If you try to set restrictions without setting a PIN, you will get the error "ERROR: No PIN is set."

The default PIN can be set from the Windows system settings or the GUI version of YubiKey Manager.

FIDO2 Security Key PIN Setting / Fingerprint Setting - for Windows

This time, I will set it using the CLI command.

Set a 6-character temporary PIN (123456) with the following command. The force-change step later in this walkthrough makes the user replace it.

ykman fido access change-pin -n 123456

Now that the settings are complete, I will try setting PIN restrictions.

Set the minimum PIN length

Set the minimum PIN length to 10 digits with the following command.

ykman fido access set-min-length 10

When setting up, you will be asked for your current PIN. So enter the PIN (123456) you have already set.


The settings have been changed.

Let's try changing the PIN to one shorter than 10 digits.

Execute the following command, specifying an 8-digit PIN.

ykman fido access change-pin -n 12345678

Because the PIN is shorter than the specified 10 digits, an error was displayed and the change failed.

This is expected.

[Additional Information]

If you enter a PIN that is too short when changing it from Windows system settings, the error message is "Try creating a PIN that's more complex."

Note that this message says nothing about length, which can be confusing.


Next, try setting a 10-digit PIN.

ykman fido access change-pin -n 1234567890

This was successful without any errors.

One thing to note: once a minimum PIN length has been set, it can be raised further but never lowered.

For example, after setting 10, you can increase it to 12, but you cannot go back to 8.

The only way back is a FIDO reset (ykman fido reset), which also wipes every FIDO credential on the key along with the PIN, so decide on the value before the key is issued. Also, per the CTAP 2.1 specification, raising the minimum above the length of the PIN currently set marks that PIN as requiring a change, so if the initial PIN is shorter than the new minimum the user will have to change it at first use anyway.

Setting to force a PIN change

Next, let's try forcing the user to change their PIN before using the device.

Run the following command:

ykman fido access force-change

Enter your current PIN.


The setup is complete.

To check if the settings are correct, I will try to use FIDO authentication in this state.

To test FIDO, I will try logging in to the YubiOn FIDO Logon management screen using FIDO.

I will check the operation on a Windows 11 computer.


When I selected the security key, I received a message saying "PIN must be changed before using security key."


After a short while, the window for changing the PIN will appear.

You can change your PIN by entering your current PIN and your new PIN twice and clicking the OK button.

This operation is very easy for users to understand.

It looks like it will be possible to prevent users from using the YubiKey until they change their PIN at least once.

[Additional Information]

The behavior is different on Windows 10.


When I entered the PIN for FIDO authentication, the attempt failed with a message saying that the PIN was incorrect, even though I was sure I entered the correct PIN.

Is this as expected?

On Windows 10 it does not move on to the PIN change sequence automatically as it did on Windows 11. It seems the YubiKey will not accept the PIN as correct until it has been changed.

Since the only message you get is that the PIN is incorrect, it's difficult to tell whether you need to change your PIN or you simply entered the wrong PIN. So it's important to be careful about this.

The PIN change window does not appear automatically. So you will need to change your PIN separately.


※ This time, the PIN was changed using a command, but for general users, it is easier to change the PIN from the Windows system.

FIDO2 Security Key PIN Setting / Fingerprint Setting - for Windows

When I tried entering the changed PIN to perform FIDO authentication in the same way, I was asked to touch the key without getting an error.


If users are using Windows 10 computers, administrators who are considering operation should be aware of these differences.
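The three ykman commands above, and the difference between Windows 10 and Windows 11, come down to a handful of rules in the CTAP 2.1 specification. The following Python model is added here as an illustration; it is not code from Yubico or from the ykman project. It encodes the authenticator-side rules and two client strategies, talks to no hardware, and its class and function names (PinPolicyAuthenticator, legacy_client_login, ctap21_client_login, provision) and PIN values are constructed for this example; only the status codes are CTAP 2.1's own. It reproduces the observations above: an 8-character PIN is rejected once the minimum is 10, the minimum cannot be lowered, and while forcePINChange is set the authenticator refuses to issue a PIN token, so a client that does not first read forcePINChange from authenticatorGetInfo (what Windows 10 showed) can only report a PIN failure, whereas one that does (what Windows 11 showed) can prompt for a change.

```python
# Added example, not Yubico's or ykman's code: an offline model of the CTAP 2.1
# PIN-policy rules behind `ykman fido access set-min-length` / `force-change`.
from dataclasses import dataclass

CTAP2_ERR_PIN_INVALID = 0x31
CTAP2_ERR_PIN_NOT_SET = 0x35
CTAP2_ERR_PIN_POLICY_VIOLATION = 0x37


class CtapError(Exception):
    def __init__(self, code: int, msg: str) -> None:
        super().__init__(f"0x{code:02X}: {msg}")
        self.code = code


@dataclass
class PinPolicyAuthenticator:
    """Authenticator-side PIN state and the two CTAP 2.1 policy flags."""
    min_pin_length: int = 4          # YubiKey default, counted in code points
    pin: "str | None" = None
    force_pin_change: bool = False

    def get_info(self) -> dict:
        """The authenticatorGetInfo fields a CTAP 2.1 client reads before login."""
        return {"minPINLength": self.min_pin_length,
                "forcePINChange": self.force_pin_change}

    def _verify(self, pin: str) -> None:
        if self.pin is None:
            raise CtapError(CTAP2_ERR_PIN_NOT_SET, "No PIN is set")
        if pin != self.pin:              # a real key also burns a retry here
            raise CtapError(CTAP2_ERR_PIN_INVALID, "wrong PIN")

    def _check_new_pin(self, new_pin: str) -> None:
        # Length is counted in Unicode code points, not bytes and not "digits".
        if len(new_pin) < self.min_pin_length:
            raise CtapError(CTAP2_ERR_PIN_POLICY_VIOLATION,
                            f"PIN shorter than minPINLength={self.min_pin_length}")

    def change_pin(self, current: "str | None", new_pin: str) -> None:
        """`ykman fido access change-pin -n NEW`; current=None sets the first PIN."""
        if self.pin is not None:
            self._verify(current or "")
        self._check_new_pin(new_pin)
        self.pin = new_pin
        self.force_pin_change = False    # a successful change clears the flag

    def set_min_pin_length(self, current: str, new_min: int) -> None:
        """`ykman fido access set-min-length N`: the value can only go up."""
        self._verify(current)
        if new_min < self.min_pin_length:
            raise CtapError(CTAP2_ERR_PIN_POLICY_VIOLATION,
                            "minPINLength cannot be lowered without a FIDO reset")
        self.min_pin_length = new_min
        if len(self.pin) < new_min:      # the PIN in place is now too short
            self.force_pin_change = True

    def force_change(self, current: str) -> None:
        """`ykman fido access force-change`."""
        self._verify(current)
        self.force_pin_change = True

    def get_pin_token(self, pin: str) -> bytes:
        """First step of every PIN-protected operation; refused while a change is pending."""
        self._verify(pin)
        if self.force_pin_change:
            raise CtapError(CTAP2_ERR_PIN_INVALID, "PIN must be changed before use")
        return b"pinUvAuthToken"


def legacy_client_login(auth: PinPolicyAuthenticator, pin: str) -> str:
    """Client that never consults forcePINChange (the behaviour seen on Windows 10)."""
    try:
        auth.get_pin_token(pin)
        return "touch key"
    except CtapError:
        return "PIN incorrect"           # indistinguishable from a mistyped PIN


def ctap21_client_login(auth: PinPolicyAuthenticator, pin: str) -> str:
    """Client that reads getInfo first (the behaviour seen on Windows 11)."""
    if auth.get_info()["forcePINChange"]:
        return "PIN must be changed before using security key"
    auth.get_pin_token(pin)
    return "touch key"


def provision(auth: PinPolicyAuthenticator, initial_pin: str, min_len: int) -> dict:
    """The administrator's three commands from the article, in order."""
    auth.change_pin(None, initial_pin)
    auth.set_min_pin_length(initial_pin, min_len)
    auth.force_change(initial_pin)
    return auth.get_info()


if __name__ == "__main__":
    key = PinPolicyAuthenticator()
    print(provision(key, "123456", 10), ctap21_client_login(key, "123456"))
    print(legacy_client_login(key, "123456"))
```

Running it directly prints the provisioned state ({'minPINLength': 10, 'forcePINChange': True}) followed by the two client messages for the same correct PIN, which is the whole Windows 10 problem in two lines: the legacy client has no way to tell the user what went wrong. The model also shows why the admin order matters: setting the minimum above the temporary PIN's length already raises forcePINChange, so the explicit force-change step is what guarantees the flag regardless of the PIN chosen.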

Summary

YubiKey with firmware version 5.7 is now available.

There are no particular changes in appearance, but several functions have been added.

The PIN management functions can be used by installing the YubiKey Manager CLI (ykman 5.4.0 or later) and executing commands.

The PIN restriction function does not have any particular impact on general users, but it does expand the options for company administrators who distribute YubiKeys to their employees.

However, some behaviors change depending on the Windows OS used. So when administrators distribute YubiKeys to employees, they will likely need to create a detailed initial setup manual.

The YubiKeys we sell will also be available with firmware 5.7. So please contact us if you are looking for an authenticator.


We also offer solutions that use security keys. So if you are interested, please take a look at our solutions and blogs.

Thanks for reading to the end.
