Reviewed: BioPass FIDO2 Security Key

Thoughts on a security key by FEITIAN that sports a fingerprint reader

Raghul Chandrasekar
Feb 23 · 7 min read

BioPass FIDO2 is a security key from FEITIAN Technologies. If you are wondering what the hell a ‘security key’ is, you can read this article where I cover the basics of FIDO2 — the protocol that security keys run on.

In a nutshell, security keys use public-key cryptography to secure your online accounts far better than passwords and authenticator apps (e.g. Google Authenticator) ever can. They protect against phishing, man-in-the-middle attacks and account hijacking.

BioPass comes in two variants: USB-A and USB-C. In this article, I will be sharing my thoughts on the USB-A version. However, the only difference between the two is the type of USB port (and the design of the casing). Functionality wise, they are identical.

Top to bottom: BioPass K27 (USB Type A), BioPass K26 (USB Type C)

Let us get some basics out of the way.

Key facts:

  • FIDO2 Certified: the key supports the CTAP2 and U2F (CTAP1) protocols
  • Cost: $60 — inclusive of worldwide shipping on FEITIAN’s website (you can use the code ‘Raghul-20’ to get a 20% discount)
  • Verification methods: fingerprint, PIN
  • Supported security algorithms: ECDSA, SHA-256, AES, HMAC, ECDH

The key does not support:

  • NFC
  • OATH HOTP
  • PIV out of the box (PIV support is optional)

Let us jump into the deets, shall we?

Setting Up & Managing your BioPass FIDO2

The first thing you need to do is set up a PIN or a fingerprint. If you don’t, anyone who gets hold of your security key can impersonate you, because all they have to do is plug in the key and tap it (assuming they have your username and password, of course).

You can do this by going into your Windows Settings -> Accounts -> Sign-in options -> Security Key -> Manage. Before you click on ‘Manage’, ensure that your BioPass is plugged in.

Native key management interface on Windows 10

The key management console provides you with the following options:

Key Management

Notice that the option to setup a fingerprint is disabled. This is because Windows requires you to set up a PIN before registering your fingerprint.

This is similar to what you see on your smartphone: you are required to set up a PIN/passcode, and the fingerprint/Touch ID/Face ID acts as a proxy for your PIN.

Go ahead and set up a PIN.

Setting up a new PIN

Once you are done with that, you have the option to register your fingerprint. Registration is quick and easy — takes 5 taps.

If you want to register multiple fingerprints, you can do so; BioPass lets you add up to 50 fingerprints.

Registering your fingerprint

Removing fingerprints is also easy. However, the native interface of Windows 10 does not give you granular control — you cannot choose a specific fingerprint to be removed. Hitting ‘Remove’ removes all of the stored fingerprints.

Fingerprint management on Windows 10

The native interface also does not let you rename any of the fingerprints you register. Neither can you see how many fingerprints you have registered so far. This can be frustrating.

However, FEITIAN has a software application that remediates some of the above issues.

It is a simple, straightforward application by FEITIAN that lets you manage your key better.

The app not only provides a better fingerprint management experience than the Windows 10 interface, it also provides a key management interface for OSes that do not have a native one. If you are working with Linux, macOS, Windows 7, or Windows 10 version 1809 or earlier, you are going to need this app. (Download links for each OS here.)

With the app, you can:

  • view how many fingerprints have been registered
  • add or delete individual fingerprints
  • test fingerprint
  • change PIN
  • reset device (removes PIN and clears stored biometrics)

BioPass FIDO2 Manager Interface

It does not, however, let you rename your fingerprints. It automatically assigns a name in a numerically increasing fashion.

In the Windows 10 interface, you had to set up a PIN before registering your fingerprint. The BioPass manager lets you skip this step. When you set up the device for the first time using the app, it gives you two options (see picture below): ‘PIN and Fingerprint’ or ‘Fingerprint Only’.

When you click on ‘Add Fingerprint’, you get two options

If you choose ‘Fingerprint Only’, your fingerprint is no longer a proxy for your PIN; your fingerprint is the PIN that unlocks the private key stored in the security key.

Passwordless MFA

Once you have set up your BioPass, you can use it to authenticate to your online account without having to enter a PIN. You get a prompt to ‘Touch your security key’ instead of ‘Enter PIN’.

Prompt for verifying user presence
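What happens behind that ‘Touch your security key’ prompt is worth seeing in code, because it is where the phishing resistance promised earlier and the PIN/fingerprint requirement of passwordless sign-in actually live. The following is an added example, written for this review and not code from FEITIAN or from the FIDO2 specifications: a toy authenticator that holds one ECDSA credential for one RP ID and a toy relying party that runs the checks a real server must perform on an assertion. It assumes the relying party is `example.com`, uses a trimmed-down `clientDataJSON` and `authenticatorData` (only the `rpIdHash`, flags and counter fields of the real structure), and skips registration/attestation entirely. The scenarios go slightly beyond the article: besides a touch-only assertion (which a passwordless RP must reject because the UV flag is clear), they show an assertion from a phishing origin and a replayed assertion, both rejected by the server-side checks rather than by anything the user notices.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator-data flag bits as defined by WebAuthn.
const (
	flagUP byte = 0x01 // user present: the key was touched
	flagUV byte = 0x04 // user verified: PIN or fingerprint was checked on the key
)

// clientData is a trimmed-down CollectedClientData; the browser, not the page's
// JavaScript, fills in the origin, which is what binds an assertion to one site.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator is a toy model of the key (assumed for this example): one
// credential bound to one RP ID, plus the signature counter real keys maintain.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	rpID    string
	counter uint32
}

func NewAuthenticator(rpID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, rpID: rpID}, nil
}

// signedMessage is what the key signs: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.New()
	h.Write(authData)
	h.Write(cdHash[:])
	return h.Sum(nil)
}

// Assert builds authenticatorData (rpIdHash || flags || counter) and signs it.
// The browser derives rpID from the page's origin, so a phishing page ends up
// asking for a credential this key simply does not have.
func (a *Authenticator) Assert(rpID string, clientDataJSON []byte, userVerified bool) (authData, sig []byte, err error) {
	if rpID != a.rpID {
		return nil, nil, fmt.Errorf("no credential for RP ID %q", rpID)
	}
	a.counter++
	flags := flagUP
	if userVerified { // PIN entered or fingerprint matched on the key itself
		flags |= flagUV
	}
	rpHash := sha256.Sum256([]byte(rpID))
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], a.counter)
	authData = append(append(append([]byte{}, rpHash[:]...), flags), ctr[:]...)
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, clientDataJSON))
	return authData, sig, err
}

// RelyingParty is the server side; RequireUV models a passwordless sign-in.
type RelyingParty struct {
	ID, Origin  string
	RequireUV   bool
	pub         *ecdsa.PublicKey
	lastCounter uint32
	challenge   string
}

// NewChallenge issues a fresh random challenge for one sign-in attempt.
func (rp *RelyingParty) NewChallenge() string {
	var b [16]byte
	rand.Read(b[:])
	rp.challenge = fmt.Sprintf("%x", b)
	return rp.challenge
}

// Verify runs the checks a server must make before accepting an assertion.
func (rp *RelyingParty) Verify(authData, sig, clientDataJSON []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != rp.challenge {
		return errors.New("wrong ceremony type or stale challenge (replay?)")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin %q is not %q: assertion was made on another site", cd.Origin, rp.Origin)
	}
	want := sha256.Sum256([]byte(rp.ID))
	if len(authData) < 37 || !bytes.Equal(authData[:32], want[:]) {
		return errors.New("rpIdHash does not match this RP")
	}
	flags := authData[32]
	if flags&flagUP == 0 {
		return errors.New("user presence not asserted")
	}
	if rp.RequireUV && flags&flagUV == 0 {
		return errors.New("user verification (PIN/fingerprint) required but not performed")
	}
	counter := binary.BigEndian.Uint32(authData[33:37])
	if counter <= rp.lastCounter {
		return errors.New("signature counter did not increase: replayed or cloned")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedMessage(authData, clientDataJSON), sig) {
		return errors.New("signature does not verify")
	}
	rp.lastCounter, rp.challenge = counter, "" // one challenge, one use
	return nil
}

// RunScenarios registers one toy key with one RP and returns the verification
// result of several sign-in attempts (nil means accepted).
func RunScenarios() (map[string]error, error) {
	rp := &RelyingParty{ID: "example.com", Origin: "https://example.com", RequireUV: true}
	key, err := NewAuthenticator(rp.ID)
	if err != nil {
		return nil, err
	}
	rp.pub = &key.priv.PublicKey
	out := map[string]error{}
	try := func(name, rpID, origin string, uv bool) []byte {
		cdJSON, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: rp.NewChallenge(), Origin: origin})
		authData, sig, err := key.Assert(rpID, cdJSON, uv)
		if err == nil {
			err = rp.Verify(authData, sig, cdJSON)
		}
		out[name] = err
		return append(append(append([]byte{}, authData...), sig...), cdJSON...)
	}
	try("genuine", rp.ID, rp.Origin, true)            // real site, fingerprint checked on the key
	try("touch-only", rp.ID, rp.Origin, false)        // touch but no PIN/fingerprint: not enough for passwordless
	try("phish", "evil.test", "https://evil.test", true) // honest browser on a look-alike site: wrong RP ID
	try("phish-forged-rpid", rp.ID, "https://evil.test", true) // client asks for the real RP ID: origin check still fails
	// Replay: resubmitting the last accepted assertion fails on the consumed challenge.
	cdJSON, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: rp.NewChallenge(), Origin: rp.Origin})
	authData, sig, _ := key.Assert(rp.ID, cdJSON, true)
	if err := rp.Verify(authData, sig, cdJSON); err != nil {
		return nil, err
	}
	out["replay"] = rp.Verify(authData, sig, cdJSON)
	return out, nil
}

func main() {
	out, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for name, res := range out {
		fmt.Printf("%-18s -> %v\n", name, res)
	}
}
```

The two checks that matter most for this review are the `flagUV` test, which is why a server offering passwordless sign-in can accept a fingerprint touch in place of a PIN prompt, and the `Origin`/`rpIdHash` pair, which is why a credential registered for `example.com` is useless to a look-alike site even when the user is fooled.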

What does Passwordless MFA feel like? Like this:

Courtesy: Imgflip

Some important numbers:

  • The official fingerprint recognition time is less than 0.6 seconds. I cannot verify this, as it is too quick to measure. However, there was near-zero lag during my use, so I would say the number is pretty accurate.
  • The official False Rejection Rate (FRR) is less than 1%. When you present an already registered fingerprint, the chances of the key (falsely) rejecting you are less than 1 in 100 attempts. I have been using this key as my daily driver for a couple of weeks and so far, zero false rejections.
  • The False Acceptance Rate (FAR) is less than 0.001%. This means that the chances of the key accepting a fingerprint that has not been registered is less than 1 in 100,000. In other words, it is nearly zero.

But..

BioPass has an embedded security chip that encrypts your fingerprint data.

FEITIAN states that it is impossible for someone to reverse engineer your fingerprint image from this stored data. Neither will your biometrics leave the security key. Your biometric data is only processed locally.

(However, this is standard for any device that manages biometric data.)

Hardware

I have saved this for the last because this is the least significant factor when it comes to security keys. It is important, nonetheless.

The key has an LED indicator that comes in really handy during use. The below pic shows how the LED indicator works.

LED Indicator on BioPass K27

Dimensions: 51 × 18 × 6.5 mm (K27), 0.9 × 18.5 × 7 mm (K26)

It is definitely small enough to fit in your pocket. However, it is not small enough to fit in your wallet (for example, the YubiKey 5 fits in your wallet comfortably).

It feels premium and sturdy thanks to its all-metal casing. The enclosure has a brushed metal finish which gives it a semi-matte look and I really dig it.

On the flip side, the casing makes the key hefty — it weighs around 11 g. In comparison, the YubiKey 5 NFC weighs only 4 g.

The fingerprint reader has been tested to last a minimum of 200,000 fingerprint reads. It will last for a minimum of 15 years assuming you use the reader 40 times each day. You mostly won’t be using it that much.

Purchase Decision

You can use it as a password replacement (passwordless sign-in) with your Microsoft personal account.

You can use it as a strong second factor on a bunch of websites to protect your online accounts. A few websites that let you add a security key (non-exhaustive list): Google, Dropbox, GitHub, Twitter and Facebook.

You can also use it to secure your password manager. For example, LastPass (Premium), Dashlane and 1Password let you add a security key.

Security key support is limited as of today, but the number of apps/websites that let you use a security key is only going to increase in the coming years. So, by purchasing a security key, you are future-proofing yourself.

I found this webpage on Yubico’s website that lists many websites/apps that support security keys.

A fingerprint reader that enables Passwordless MFA, simple but useful LED indicators, lightweight accompanying software for key management and premium build quality — FEITIAN has checked a lot of boxes with little room for improvement.

The downsides are the lack of OATH HOTP support and the lack of out-of-the-box PIV support. You also cannot use it with mobile devices because it lacks NFC.

Nonetheless, BioPass FIDO2 does what it sets out to do really well, which is to provide a Passwordless MFA experience with FIDO2. If you do not need OATH HOTP, PIV or NFC, BioPass FIDO2 is definitely worth the price.

If you are interested in purchasing the BioPass FIDO2, you can purchase the key here with free worldwide shipping. Don’t forget to use the code ‘Raghul-20’ to get 20% off on your purchase!

Nerd For Tech
