Review: YubiKey Security Key Series Firmware 5.7 - Promises vs. Reality

Dr. Emin Huseynov
Jun 3, 2024

YubiKey (v5.7) package

Yubico’s latest release, the YubiKey 5 Series with firmware version 5.7, promised a plethora of enhancements aimed at strengthening security and improving user experience across various applications. While the anticipation was high, our hands-on testing revealed a mixed bag of results.

Disclaimer: I am affiliated with a project that some think is Yubico’s competitor, but I am trying to be as objective as possible — so I will only judge by my test experiments and nothing else.

Before diving into my review of the YubiKey 5 Series with firmware 5.7, it’s worth mentioning that I have previously reviewed the FIDO security key from Google, the Titan v2. You can find that detailed review here. This background gives me a solid foundation for comparing these leading security keys in the market and evaluating their features and performance objectively.

Order process

The order process was straightforward, directly on Yubico’s website, and the delivery was impressively quick. The YubiKey arrived within 2–3 days, shipped from Sweden to France, showcasing efficient logistics and customer service.

What’s Promised in Firmware 5.7

The blog post on Yubico’s website lists all the improvements, but as I am only reviewing the Security Key series (which does not have TOTP, PIV, and PGP), the improvements mainly consist of two aspects: increased passkey capacity and PIN complexity. I reviewed both features:

100 device-bound passkeys

Yes, tested and confirmed. The ability to store 100 fully manageable passkeys (unlike Titan’s 250 non-removable passkeys) is a huge improvement compared to the previous limit of 25 passkeys.

New YubiKey (fw 5.7) showing 100 passkey storage available. Verified using fido2-manage.ps1 tool.

PIN Complexity

Not confirmed. I was able to set a simple PIN like 1111. After reading through the documentation, I found out that as per the specs, PIN complexity will be enabled by default only in the Enterprise series (which are a lot more expensive). For regular Security Keys (similar to the one I tested), it needs to be specifically enabled, implying that the complexity is lost after a factory reset.

Enforcing user verification

I discovered one additional enhancement that the previous keys did not have. The new key implements the FIDO 2.1 Final specification, which means you can leverage additional features, the main one being the possibility to enforce user verification at the hardware level. This was not possible with the previous version of the key I had in my possession, fw 5.4.3, running FIDO 2.1 Pre.

fw 5.4.3 vs fw 5.7.1

More info about enforcing user verification can be found here.
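As an added example (not code from this post, from Yubico, or from the fido2-manage.ps1 tool used above), the following Python script parses the text that libfido2's `fido2-token -I <device>` prints and reports whether the two FIDO 2.1 Final policy features discussed in the PIN Complexity and Enforcing user verification sections, alwaysUv and a minimum PIN length, are actually switched on. The two embedded outputs are constructed samples approximating a fw 5.4.3 key and a fw 5.7 key (field names follow libfido2's layout, values are illustrative), and the six-digit minimum is an assumed organisational policy, not a Yubico default.

```python
"""Audit a FIDO2 authenticator's policy state from `fido2-token -I` output.

Added example, not from the original post or from Yubico. It checks what a key
actually advertises (FIDO 2.1 Final support, alwaysUv, setMinPINLength, the
current minimum PIN length) instead of trusting the product sheet. Run it after
provisioning and again after any factory reset, since the post notes that a
reset drops the PIN policy on the plain Security Key.
"""
import sys

# CONSTRUCTED sample approximating an older key (fw 5.4.3) on FIDO 2.1 Pre.
SAMPLE_FW_5_4_3 = """\
proto: 0x02
major: 0x05
minor: 0x04
build: 0x03
caps: 0x05 (wink, cbor, msg)
version strings: U2F_V2, FIDO_2_0, FIDO_2_1_PRE
extension strings: credProtect, hmac-secret
transport strings: nfc, usb
options: rk, up, noplat, clientPin, credentialMgmtPreview, pinUvAuthToken
fwversion: 0x50403
pin protocols: 2, 1
pin retries: 8
pin change required: false
"""

# CONSTRUCTED sample approximating a fw 5.7 key with alwaysUv on and minPinLen 6.
SAMPLE_FW_5_7_1 = """\
proto: 0x02
major: 0x05
minor: 0x07
build: 0x01
version strings: U2F_V2, FIDO_2_0, FIDO_2_1_PRE, FIDO_2_1
extension strings: credProtect, hmac-secret, minPinLength
transport strings: nfc, usb
options: rk, up, noplat, alwaysUv, credMgmt, authnrCfg, clientPin, pinUvAuthToken, setMinPINLength, makeCredUvNotRqd
fwversion: 0x50701
minpinlen: 6
pin protocols: 2, 1
pin retries: 8
pin change required: false
"""

MIN_PIN_POLICY = 6  # assumed organisational policy (hypothetical), not a Yubico value

LIST_FIELDS = ("version strings", "extension strings", "transport strings")


def parse_token_info(text):
    """Turn the 'key: value' lines of fido2-token -I into a dict.

    Comma-separated list fields become lists. The options field becomes a
    dict: libfido2 prints a false option as 'no' + name, and CTAP option names
    start with a lowercase letter, so 'no' followed by a lowercase letter is
    read as a negated option (noplat -> plat=False) while a real option such
    as noMcGaPermissionsWithClientPin keeps its name.
    """
    info = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in LIST_FIELDS:
            info[key] = [v.strip() for v in value.split(",") if v.strip()]
        elif key == "options":
            opts = {}
            for name in (v.strip() for v in value.split(",") if v.strip()):
                if name.startswith("no") and name[2:3].islower():
                    opts[name[2:]] = False
                else:
                    opts[name] = True
            info[key] = opts
        elif key == "minpinlen":
            info[key] = int(value)
        elif key == "pin change required":
            info[key] = value.lower() == "true"
        else:
            info[key] = value
    return info


def assess(info, min_pin_policy=MIN_PIN_POLICY):
    """Derive the policy findings a deployment check cares about."""
    versions = info.get("version strings", [])
    opts = info.get("options", {})
    findings = {
        "ctap21_final": "FIDO_2_1" in versions,
        "always_uv_supported": "alwaysUv" in opts,
        "always_uv_enabled": opts.get("alwaysUv", False),
        "min_pin_configurable": opts.get("setMinPINLength", False),
        "min_pin_len": info.get("minpinlen"),
        "force_pin_change_pending": info.get("pin change required", False),
    }
    findings["meets_pin_policy"] = (findings["min_pin_len"] or 0) >= min_pin_policy
    return findings


def report(findings):
    """Render findings as one line per check, OK/FAIL style."""
    return "\n".join(f"{'OK  ' if v else 'FAIL'} {k}" for k, v in findings.items())


if __name__ == "__main__":
    # Pipe real output in (fido2-token -I /dev/hidraw0 | python3 audit.py)
    # or fall back to the constructed samples.
    if not sys.stdin.isatty():
        print(report(assess(parse_token_info(sys.stdin.read()))))
    else:
        for label, sample in (("fw 5.4.3 sample", SAMPLE_FW_5_4_3), ("fw 5.7.1 sample", SAMPLE_FW_5_7_1)):
            print(f"== {label} ==\n{report(assess(parse_token_info(sample)))}\n")
```

The check deliberately separates "supported" from "enabled": a 5.7 key lists alwaysUv and setMinPINLength in its options because it speaks FIDO 2.1 Final, but the post's finding is that the policy itself is off until an administrator turns it on, and it disappears again on factory reset, so the audit is only meaningful on the key as deployed.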

Summary

The YubiKey 5 Series is a step up from Google’s Titan, offering 100 fully manageable passkeys compared to Titan’s 250 unmanageable passkeys. However, the PIN complexity feature, which is crucial for enterprise customers, is not available with the cheapest option. This feature may be accessible to YubiKey Enterprise customers, but it comes with a different price tag.


Dr. Emin Huseynov

IT researcher focusing on multifactor authentication technologies. Academic affiliations: University of Geneva & Azerbaijan Technical University