Reviewed: BioPass FIDO2 Security Key
Thoughts on a security key by FEITIAN that sports a fingerprint reader
BioPass FIDO2 is a security key from FEITIAN Technologies. If you are wondering what the hell a ‘security key’ is, you can read this article where I cover the basics of FIDO2 — the protocol that security keys run on.
In a nutshell, security keys use public key cryptography to secure your online accounts far better than passwords and authenticator apps (e.g. Google Authenticator) can. The key never hands over a secret: it signs a challenge with a private key that never leaves the device, and the signature is bound to the site that registered the credential. That is what gives you protection against phishing and man-in-the-middle attacks (a look-alike domain cannot obtain a signature that is valid for the real one) and against account hijacking (a stolen password alone is not enough).
BioPass comes in two variants: USB-A and USB-C. In this article, I will be sharing my thoughts on the USB-A version. However, the only difference between the two is the type of USB connector (and the design of the casing). Functionality-wise, they are identical.
Let us get some basics out of the way.
These keys are:
- FIDO2 Certified: the key supports the CTAP2 and U2F (CTAP1) protocols
- Cost: $60 — inclusive of worldwide shipping on FEITIAN’s website (You can use the code ‘Raghul-20’ to get a 20% discount)
- Verification Methods: Fingerprint, PIN
- Supported Security Algorithms: ECDSA, SHA256, AES, HMAC, ECDH
The key does not support:
- OATH HOTP
- PIV out of the box (PIV support is an optional extra)
Let us jump into the deets, shall we?
Setting Up & Managing your BioPass FIDO2
The first thing you need to do is set up a PIN or fingerprint. If you don't, anyone who gets hold of your security key can impersonate you: all they have to do is plug in the key and tap it, because a tap only proves that someone is present, not who (assuming they also have your username and password, of course).
You can do this by going to Windows Settings -> Accounts -> Sign-in options -> Security Key -> Manage. Plug in your BioPass before you click 'Manage'.
The key management console provides you with the following options:
Notice that the option to setup a fingerprint is disabled. This is because Windows requires you to set up a PIN before registering your fingerprint.
This is similar to what you see in your smartphone. You are required to setup a PIN/passcode and the fingerprint/TouchID/FaceID acts as a proxy for your PIN.
Go ahead and setup a PIN.
Once you are done with that, you have the option to register your fingerprint. Registration is quick and easy — takes 5 taps.
If you want to register multiple fingerprints, you can do so; BioPass lets you add up to 50 fingerprints.
Removing fingerprints is also easy. However, the native interface of Windows 10 does not give you granular control — you cannot choose a specific fingerprint to be removed. Hitting ‘Remove’ removes all of the stored fingerprints.
The native interface also does not let you rename any of the fingerprints you register. Neither can you see how many fingerprints you have registered so far. This can be frustrating.
However, FEITIAN has a software application that remediates some of the above issues.
BioPass FIDO2 Manager
It is a simple, straightforward application by FEITIAN that lets you manage your key better.
The app not only provides a better fingerprint management experience than the Windows 10 interface, it also provides a key management interface for operating systems that do not have a native one. If you are working with Linux, macOS, Windows 7, or Windows 10 version 1809 or earlier, you are going to need this app. (Download links for each OS here.)
With the app, you can:
- view how many fingerprints have been registered
- add or delete individual fingerprints
- test fingerprint
- change PIN
- reset device (removes the PIN and clears stored biometrics; as with any FIDO2 reset, the credentials on the key are wiped as well, so you will have to re-register the key with every site that used it)
It does not, however, let you rename your fingerprints. It automatically assigns a name in a numerically increasing fashion.
In the Windows 10 interface, you had to set up a PIN before registering your fingerprint. The BioPass manager lets you skip this step. When you set up the device for the first time using the app, it gives you two options (see picture below): 'PIN and Fingerprint' and 'Fingerprint Only'.
If you choose 'Fingerprint Only', your fingerprint is no longer a proxy for a PIN; the fingerprint itself is the user verification that unlocks the private keys stored in the security key. Bear in mind that this also means there is no PIN to fall back on if the reader keeps rejecting your finger.
Once you have set up your BioPass, you can use it to authenticate to your online accounts without having to enter a PIN. You get a prompt to 'Touch your security key' instead of 'Enter PIN'.
What does passwordless MFA feel like? This:
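To make the PIN/fingerprint and phishing points concrete, here is an added example (not code from the original post, and not FEITIAN's software) of what a website actually receives from a security key. The key never sends the fingerprint: it returns a signed assertion whose authenticatorData starts with a SHA-256 of the site's RP ID (this is what stops a look-alike domain from using the key) followed by a flags byte that says whether the user merely tapped the key (UP) or also passed PIN/fingerprint verification (UV). The sample authenticatorData below is constructed inline; the RP ID `example.com` is an assumption, and the signature check that wraps this in a real WebAuthn flow is left out because it does not change the flag logic.

```python
"""Parse WebAuthn authenticatorData and decide whether an assertion is
acceptable. Added illustration, not part of the original article."""
import hashlib
import struct

# Flag bits in the authenticatorData flags byte (WebAuthn spec).
FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: PIN or fingerprint checked on the key
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix: rpIdHash (32) | flags (1) | signCount (4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData must be at least 37 bytes")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])  # big-endian uint32
    return {
        "rp_id_hash": rp_id_hash,
        "flags": flags,
        "sign_count": sign_count,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
    }


def check_assertion(auth_data: bytes, expected_rp_id: str,
                    require_uv: bool, stored_sign_count: int):
    """Relying-party side checks on an assertion's authenticatorData.

    require_uv=True is what a passwordless login demands: a bare tap
    (UP only) is not enough, the key must report UV (PIN or fingerprint).
    Returns (accepted, reason).
    """
    parsed = parse_authenticator_data(auth_data)
    # Phishing resistance: the key hashed the RP ID it was talking to.
    if parsed["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch: assertion was made for a different site"
    if not parsed["user_present"]:
        return False, "UP flag not set: key was not touched"
    if require_uv and not parsed["user_verified"]:
        return False, "UV flag not set: no PIN/fingerprint, unacceptable for passwordless"
    # Signature counter must increase when either side uses one; a stale
    # value is the standard signal that the key may have been cloned.
    if (parsed["sign_count"] or stored_sign_count) and \
            parsed["sign_count"] <= stored_sign_count:
        return False, "signature counter did not increase: possible cloned key"
    return True, "ok"


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticatorData, as a key would embed it in a
    signed assertion. Real keys produce this; we build it for the demo."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    # Fingerprint verified on the key: UP | UV, counter moved from 9 to 10.
    ok = make_auth_data("example.com", FLAG_UP | FLAG_UV, 10)
    print(check_assertion(ok, "example.com", True, 9))          # (True, 'ok')
    # Same key, but only tapped: fine as a 2nd factor, rejected as passwordless.
    tap = make_auth_data("example.com", FLAG_UP, 10)
    print(check_assertion(tap, "example.com", False, 9))        # (True, 'ok')
    print(check_assertion(tap, "example.com", True, 9))         # (False, ...)
    # Phishing page on a look-alike domain: rpIdHash does not match.
    phish = make_auth_data("examp1e.com", FLAG_UP | FLAG_UV, 10)
    print(check_assertion(phish, "example.com", True, 9))       # (False, ...)
```

The point to take away: the site only ever sees the UV bit, never the biometric, and the `rpIdHash` check is what makes the PIN-vs-fingerprint choice irrelevant to phishing resistance (either way the key will not sign for the wrong origin).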
Some important numbers:
- The official fingerprint Recognition Time is less than 0.6 seconds. I cannot verify this as it is too quick for measurement. However, there was near-zero lag during my use so I would say the number is pretty accurate.
- The official False Rejection Rate (FRR) is less than 1%. When you present an already registered fingerprint, the chances of the key (falsely) rejecting you are less than 1 in 100 attempts. I have been using this key as my daily driver for a couple of weeks and so far, zero false rejections.
- The False Acceptance Rate (FAR) is less than 0.001%. This means that the chances of the key accepting a fingerprint that has not been registered are less than 1 in 100,000 per attempt. In other words, for an opportunistic attacker it is nearly zero.
How secure is your fingerprint?
BioPass has an embedded security chip that encrypts your fingerprint data.
FEITIAN states that it is impossible to reverse engineer your fingerprint image from this stored data (what is kept is a template derived from the scan, not the image itself), and that your biometrics never leave the security key. Matching is done locally on the key; the website you log in to only learns that user verification succeeded.
(This is, however, standard for any well-designed device that handles biometric data.)
I have saved this for last because it is the least significant factor when it comes to security keys. It is important, nonetheless.
The key has an LED indicator that comes in really handy during use. The below pic shows how the LED indicator works.
Dimensions: 51 × 18 × 6.5 mm (K27), 0.9 × 18.5 × 7 mm (K26)
It is definitely small enough to fit in your pocket. However, it is not small enough to fit in your wallet (for example, Yubikey 5 fits in your wallet comfortably).
It feels premium and sturdy thanks to its all-metal casing. The enclosure has a brushed metal finish which gives it a semi-matte look and I really dig it.
On the flip side, the casing makes the key hefty — it weighs around 11g. In comparison, the Yubikey 5 NFC weighs only 4g.
The fingerprint reader is rated for a minimum of 200,000 reads. At 40 reads a day (about 14,600 a year) that comes to just under 14 years, and you most likely won't be using it that much.
Where can you use the BioPass FIDO2?
You can use it as a replacement for password (password-less) with your Microsoft personal account.
You can use it as a strong 2nd factor on a number of websites to protect your online accounts. A few websites that let you add a security key (non-exhaustive list): Google, Dropbox, GitHub, Twitter and Facebook.
You can also use it to secure your password manager. For example, LastPass (premium), DashLane and 1Password let you add a security key.
Security key support is limited as of today but the number of apps/websites that let you use a security key is only going to increase in the coming years. So, by purchasing a security key, you can be future-proof.
I found this webpage on Yubico’s website that lists many websites/apps that support security keys.
Should you buy the BioPass FIDO2?
A fingerprint reader that enables passwordless MFA, simple but useful LED indicators, lightweight accompanying software for key management and premium build quality: FEITIAN has checked a lot of boxes, with little room for improvement.
The downsides are the lack of OATH HOTP support and the lack of out-of-the-box PIV support. You also cannot use it with mobile devices, since it has no NFC.
Nonetheless, BioPass FIDO2 does what it sets out to do really well, which is to provide a passwordless MFA experience with FIDO2. If you do not need OATH HOTP, PIV or NFC, BioPass FIDO2 is definitely worth the price.
If you are interested in purchasing the BioPass FIDO2, you can purchase the key here with free worldwide shipping. Don’t forget to use the code ‘Raghul-20’ to get 20% off on your purchase!