BioPass FIDO2 is a security key from FEITIAN Technologies. If you are wondering what the hell a ‘security key’ is, you can read this article where I cover the basics of FIDO2 — the protocol that security keys run on.
In a nutshell, security keys leverage the power of public key cryptography in order to secure your online accounts far better than passwords and authenticator apps (e.g. Google Authenticator) ever can. They provide protection against phishing, man-in-the-middle attacks and account hijacking.
BioPass comes in two variants: USB-A and USB-C. In this article, I will be sharing my thoughts on the USB-A version. However, the only difference between the two is the type of USB connector (and the design of the casing). Functionality-wise, they are identical.
Let us get some basics out of the way. These keys are:
FIDO2 Certified: the key supports the CTAP2 and U2F (CTAP1) protocols
Cost: $60 — inclusive of worldwide shipping on FEITIAN’s website (You can use the code ‘Raghul-20’ to get a 20% discount)
Verification Methods: Fingerprint, PIN
Supported Security Algorithms: ECDSA, SHA256, AES, HMAC, ECDH
Let us jump into the deets, shall we?
Setting Up & Managing your BioPass FIDO2
The first thing you need to do is set up a PIN/fingerprint. If you don’t, anyone who gets hold of your security key can impersonate you, because all they have to do is plug in the key and tap it (assuming they have your username and password, of course).
You can do this by going into your Windows Settings -> Accounts -> Sign-in options -> Security Key -> Manage. Before you click on ‘Manage’, ensure that your BioPass is plugged in.
The key management console provides you with the following options:
Notice that the option to set up a fingerprint is disabled. This is because Windows requires you to set up a PIN before registering your fingerprint.
This is similar to what you see on your smartphone. You are required to set up a PIN/passcode, and the fingerprint/TouchID/FaceID acts as a proxy for your PIN.
Go ahead and set up a PIN.
Once you are done with that, you have the option to register your fingerprint. Registration is quick and easy — takes 5 taps.
If you want to register multiple fingerprints, you can do so; BioPass lets you add up to 50 fingerprints.
Removing fingerprints is also easy. However, the native interface of Windows 10 does not give you granular control — you cannot choose a specific fingerprint to be removed. Hitting ‘Remove’ removes all of the stored fingerprints.
The native interface also does not let you rename any of the fingerprints you register. Neither can you see how many fingerprints you have registered so far. This can be frustrating.
However, FEITIAN has a software application that remediates some of the above issues.
BioPass FIDO2 Manager
It is a simple, straightforward application by FEITIAN that lets you manage your key better.
The app not only provides a better fingerprint management experience than the Windows 10 interface, it also provides a key management interface for OSes that do not have a native one. If you are working with Linux, macOS, Windows 7, or Windows 10 version 1809 and below, you are going to need this app. (Download links for each OS here.)
With the app, you can:
view how many fingerprints have been registered
add or delete individual fingerprints
test fingerprint
change PIN
reset device (removes PIN and clears stored biometrics)
It does not, however, let you rename your fingerprints. It automatically assigns a name in a numerically increasing fashion.
In the Windows 10 interface, you had to set up a PIN before registering your fingerprint. The BioPass manager lets you bypass this step. When you set up the device for the first time using the app, it provides you with two options (see picture below): PIN and Fingerprint, or Fingerprint Only.
If you choose ‘Fingerprint Only’, then your fingerprint is no longer a proxy for your PIN: your fingerprint is the PIN that unlocks the private key stored in the security key.
Passwordless MFA
Once you have set up your BioPass, you can use it to authenticate to your online accounts without having to enter a PIN. You get a prompt to ‘Touch your security key’ instead of ‘Enter PIN’.
What does Passwordless MFA feel like? This is how:
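The reason the ‘Touch your security key’ prompt is still safe (and why, as noted earlier, a key with no PIN or fingerprint is not) is that the fingerprint match sets the user-verified (UV) flag in the authenticator data the key signs, while a bare tap only sets the user-present (UP) flag. The relying party has to actually check that flag. The following is an added example of those server-side checks, not code from the article or from FEITIAN; the relying party ID, counters and sample bytes are constructed for illustration.

```python
import hashlib
import struct

# Bit positions in the authenticatorData flags byte (WebAuthn / CTAP2).
FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: PIN or fingerprint was checked on the key

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix: rpIdHash (32) | flags (1) | signCount (4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
    }

def assertion_acceptable(auth_data: bytes, rp_id: str, last_sign_count: int,
                         require_uv: bool = True) -> bool:
    """Relying-party checks on one assertion (the signature check itself is not shown)."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False  # assertion was produced for a different site
    if not parsed["user_present"]:
        return False  # the key was never touched
    if require_uv and not parsed["user_verified"]:
        return False  # tap only: a stolen key with no PIN/fingerprint would pass
    if parsed["sign_count"] != 0 and parsed["sign_count"] <= last_sign_count:
        return False  # counter did not advance: possible cloned key
    return True

def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct a sample authenticatorData prefix (test data, not a real key's output)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))

# Constructed samples: the same key, once merely tapped, once tapped after a fingerprint match.
TAP_ONLY = make_auth_data("example.com", FLAG_UP, 42)
TAP_AND_FINGERPRINT = make_auth_data("example.com", FLAG_UP | FLAG_UV, 43)
```

Sites that set `userVerification: "required"` when requesting the assertion, and then verify the UV bit as above, get the passwordless flow the article describes; sites that skip the check are back to "plug in and tap".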
Some important numbers:
The official fingerprint Recognition Time is less than 0.6 seconds. I cannot verify this as it is too quick for measurement. However, there was near-zero lag during my use so I would say the number is pretty accurate.
The official False Rejection Rate (FRR) is less than 1%. When you present an already registered fingerprint, the chance of the key (falsely) rejecting you is less than 1 in 100 attempts. I have been using this key as my daily driver for a couple of weeks and so far, zero false rejections.
The False Acceptance Rate (FAR) is less than 0.001%. This means that the chances of the key accepting a fingerprint that has not been registered is less than 1 in 100,000. In other words, it is nearly zero.
But..
How secure is your fingerprint?
BioPass has an embedded security chip that encrypts your fingerprint data.
FEITIAN states that it is impossible for someone to reverse engineer your fingerprint image from this stored data. Nor will your biometrics leave the security key: your biometric data is only ever processed locally.
(However, this is standard for any device that manages biometric data.)
Hardware
I have saved this for the last because this is the least significant factor when it comes to security keys. It is important, nonetheless.
LED Indicator
The key has an LED indicator that comes in really handy during use. The below pic shows how the LED indicator works.
Size
Dimensions: 51 × 18 × 6.5 mm (K27), 0.9 × 18.5 × 7 mm (K26)
It is definitely small enough to fit in your pocket. However, it is not small enough to fit in your wallet (for example, Yubikey 5 fits in your wallet comfortably).
Build
It feels premium and sturdy thanks to its all-metal casing. The enclosure has a brushed metal finish which gives it a semi-matte look and I really dig it.
On the flip side, the casing makes the key hefty — it weighs around 11g. In comparison, the Yubikey 5 NFC weighs only 4g.
Durability
The fingerprint reader has been tested to last a minimum of 200,000 fingerprint reads. It will last for a minimum of 15 years assuming you use the reader 40 times each day. You will most likely not be using it that much.
Should you buy it?
A fingerprint reader that enables Passwordless MFA, simple but useful LED indicators, lightweight accompanying software for key management and premium build quality — FEITIAN has checked a lot of boxes with little room for improvement.
If I had to nitpick, it would be that the key does not support OATH HOTP and there is no out-of-the-box PIV support (their website says Smartcard PIV support is optional). So, the use-cases for this key are limited.
Nonetheless, BioPass FIDO2 does what it sets out to do really well, which is to provide a Passwordless MFA experience with FIDO2. If you do not need OATH-HOTP or PIV, BioPass FIDO2 is definitely worth the price.
If you are interested in purchasing the BioPass FIDO2, you can purchase the key here with free worldwide shipping. Don’t forget to use the code ‘Raghul-20’ to get 20% off on your purchase!