Yubico has long been the biggest player in the world of security keys for multi-factor authentication (MFA), helping to shape not only the hardware but also the underlying standards on which all such devices rely. After being teased several years ago, the company's long-awaited foray into biometric security has finally arrived in the form of the $85 YubiKey C Bio. While expensive, this small device uses biometric MFA to make it much harder for bad guys to take over your accounts. It's missing the advanced authentication features found in other YubiKeys and won't work with an iPhone without a dongle, but it's the best biometric MFA experience we've yet seen—earning it a Technical Excellence award.
What Is Multi-Factor Authentication?
MFA—sometimes called two-factor authentication or 2FA—refers to confirming your identity using at least two of a possible three factors: Something you know, like a password; something you have, like a security key; and something you are, like a fingerprint scan or some other form of biometrics.
With MFA, even if an attacker has your password, they won't be able to take over your account because they don't have the other necessary factors. This has been proven by Google, which reported that after implementing mandatory MFA for employees, account takeovers effectively vanished.
With a hardware security key, you present the key when prompted and then tap it to confirm. This setup is excellent since most hardware keys don't require a network connection or battery, the way a phone with an authenticator app does. Most are dedicated devices that are harder to attack than multipurpose devices like your phone or computer, too.
Time-limited one-time passcodes (TOTP) generated by an app are another excellent option, and they tend to be free. You can also receive verification codes via SMS, although we recommend against this MFA method until the FCC completes new rules to make SIM-swapping attacks more difficult.
Enrolling in MFA is the best way to safeguard your accounts, but that doesn't mean you can slack off in other areas of cyber hygiene. We strongly recommend using a password manager to create unique, complex passwords for each site and service you use, as well as running antivirus software on your computer.
(Photo: Max Eddy)
In the Key of C Bio
From the back, the C Bio looks nearly identical to the $55 Editors' Choice winner YubiKey 5C NFC: a slim, black rectangle with a USB-C connector at one end and a metal-reinforced keyring at the top. The C Bio measures just 1.77 by 0.71 by 0.15 inches (45 by 18 by 3.75 millimeters, HWD). Flip it over, and it's starkly different. Instead of Yubico's trademark circular, gold tap-sensitive disc, the C Bio has a large, black circle with a raised metal frame.
This circle is the fingerprint reader. Yubico didn't provide any information on the reader's construction, so I'm not sure how well it would hold up on a key ring. Rubbing it with a piece of metal didn't make a mark, but we'll have to see. The silver ring is capacitive, like the gold disc on other YubiKeys, and ensures the key is being touched by human skin rather than being triggered accidentally or as part of an automated attack.
Two tiny LEDs near the USB-C connector let you know when the device accepts or rejects your fingerprint and when it's requesting biometric authentication. Fast-flashing green LEDs mean biometric authentication is in use, while slow-pulsing green LEDs mean you can tap with any finger—just like any other non-biometric security key. Whether biometrics is used depends on the site or service you're authenticating with. I really like that the C Bio communicates this distinction. The Kensington VeriMark Guard USB-C Fingerprint Key also seamlessly moves between biometric and tap-to-authenticate modes, but it doesn't have a means of communicating this to the user.
In your hand, the C Bio feels extremely sturdy. Bend and twist all you want, it won't give an inch. It's a bit heftier than other YubiKey models, but that only makes it feel sturdier. Still, it weighs only 0.72 ounces (5g). Note that the YubiKey Bio sports a USB-A connector and at $80 costs slightly less than the C Bio but is otherwise identical to it. Yubico states that both devices are crush resistant and also water and dust resistant to the industry standard maximum (IP68).
The YubiKey Bio has an unshielded USB-A connector while the C Bio, reviewed here, uses USB-C.
MFA Support and Compatibility
What you're paying for with the C Bio (and its USB-A sibling) is biometrics, as it lacks the additional authentication features found in other YubiKey devices. The Bio series supports the FIDO2, WebAuthn, and FIDO U2F standards—the most widely used methods for MFA. Yubico's least expensive offering, the $24.50 Security Key NFC, supports the same collection of standards, though naturally it lacks biometrics.
That's a short list compared to the devices in the YubiKey 5 series, which also work as smart cards (PIV standard), support OpenPGP, can work with a companion app to generate TOTP codes, use Yubico's own one-time passcode (OTP) solution, and can be configured to spit out static passwords on command. These are somewhat obscure features, to be sure, but when you consider that both the YubiKey Bio keys cost more than the most expensive YubiKey 5 series device—the YubiKey 5Ci, which goes for $70—not getting all the features is a bit disappointing.
With its USB-C connector, the C Bio plays nice with most modern devices. The notable exception is the iPhone, which still relies on Apple's proprietary Lightning connector. Other security keys, including many of Yubico's offerings, use NFC to communicate with mobile devices that have incompatible connectors, but neither Bio key supports wireless communications. The already-mentioned 5Ci also lacks NFC but makes up for it with an admittedly odd double-headed USB-C/Lightning connector.
Note that while the YubiKey C Bio can be used for password-less authentication to your Microsoft account, it can't be used to unlock your PC.
What's the Point of Biometrics?
The YubiKey C Bio's main selling point is its fingerprint reading ability, so it's fair to ask whether it's worth the hefty price. To my mind, there are two big reasons why having a biometric security key justifies the extra cost.
The first reason is theft. Colleagues and loved ones skeptical of security keys have portrayed their physicality as a potential flaw. Unlike a password or a smartphone (locked with biometrics, PIN, or password), anyone could use a stolen security key. Granted, it's extremely unlikely someone is going to track you down and steal your security key so they can break into your email account, but it's not impossible. A biometric key only works for you—or someone willing to dismember you.
The second and more practical reason is truly password-less authentication. Some sites and services are beginning to embrace authentication schemes that don't require you to enter a password. All those I have seen do require some kind of hardware (something you have) and sometimes a PIN (something you know). With biometrics, you can have two factors (the key you have and the fingerprint you are) and be securely authenticated without having to type a thing.
One concern with biometrics is that the data could somehow be extracted or intercepted. Yubico tells me that biometric data never leaves the C Bio because it is stored within an onboard secure element chip. This, the company says, should also help protect against physical attacks to the device.
Setting Up the YubiKey C Bio
Yubico has overhauled its onboarding process for new key owners with excellent results. After finding my key's model on the company's site, I was directed to a variety of ways to enroll fingerprints on the YubiKey C Bio. You can do this from directly within the Windows security settings or through the Security settings in the Chrome browser. This last option is notable for being a multi-platform solution; you can set up your C Bio anywhere Chrome supports the feature.
I used the Yubico Authenticator app to enroll fingerprints onto the C Bio.
These enrollment options are available to any biometric security key, such as the previously mentioned Kensington VeriMark Guard. Yubico goes a step further by allowing you to configure the C Bio using the Yubico Authenticator app. I used the Authenticator app on my 2020 MacBook Pro and had no trouble setting a PIN and enrolling fingerprints on the C Bio key. Note, however, that the primary function of the Yubico Authenticator is to generate TOTP—a feature not supported by the C Bio. The app is available for mobile and desktop, but you can only use it to configure fingerprints on Linux, macOS, or Windows.
Hands-On With the YubiKey C Bio
Once I'd enrolled a few fingerprints, I set up the C Bio as my security key on a Twitter account. I had no trouble using the key to log in to Twitter with Chrome in macOS or through the Twitter Android app. When attempting to log in using a fingerprint I had not enrolled, the C Bio flashed amber LEDs. In Chrome, this was accompanied by a warning that I had two more attempts before it would lock me out. It also prompted me to enter the PIN I had set for the key.
Using Firefox, I didn't receive the countdown warning when using the wrong finger—that seems to be browser dependent—but the C Bio did flash its error lights at me. After a third attempt with the wrong finger, the amber LED pulsed continuously. This means the device had biometrics locked out and would instead only accept a PIN and the normal tap confirmation. That's a smart way to maintain security while keeping the C Bio usable. I was able to unlock biometrics by following the steps on Yubico's site with the Chrome browser. The same unlocking process did not work with Firefox.
I wasn't aware of the biometric lockout feature prior to encountering it. Fortunately, the ominous orange LEDs were enough of a clue that something was wrong, and I quickly found a solution. I think most users would have a similarly easy time figuring it out. Still, it wouldn't hurt if Yubico included complete documentation with the device.
To test the YubiKey C Bio in a password-less context, I enrolled it as an authenticator for a Microsoft account. When logging in via the Chrome browser on macOS, I clicked the small print option for password-less login, tapped the C Bio, and logged in password-lessly. I didn't even have to enter a PIN, as I did with the Nitrokey FIDO2. Again, the C Bio correctly rejected any login attempt using an unenrolled fingerprint.
The Best in Biometrics
The YubiKey C Bio is an excellent melding of Yubico's design philosophy and biometric authentication. It's sleek and durable, while also supporting the latest in MFA standards, ensuring it will work just about everywhere that supports biometric MFA. We are especially impressed with its onboarding and smart lock-out features. It's the best implementation of biometric MFA we've yet seen, earning it a Technical Excellence award for its design and execution.
While an excellent device, the limitations and pricing of the YubiKey C Bio make it hard to endorse unreservedly. It costs significantly more than the cheapest YubiKey 5 series, but lacks that device's versatile authentication features, as well as NFC. Yubico seems aware of the Bio line's unusual positioning, and kind of warns off consumers in its press release by suggesting the Bio is ideal for shared workstations, "restricted environments," and cloud-first contexts. That doesn't sound like the average consumer.
Newcomers to MFA keys would be best served with lower-cost options like the open-source Nitrokey FIDO2 or Yubico's Security Key NFC, both of which are less than a third the price of the C Bio. Those already familiar with MFA should look to the Editors' Choice winner YubiKey 5C NFC, as it is a near-perfect balance of cost and capabilities.
If you must have the best in biometrics and have it right now, the YubiKey C Bio is the sleek, dependable choice. Keep in mind, however, that varying support across platforms and browsers will mean differences in how any biometric security key works.
The YubiKey C Bio puts biometric multi-factor authentication on your keyring. While somewhat limited in features, it is an excellent implementation of biometric technology that's very easy to use day-to-day.