The problem is that your fingerprint is really just a set of information attached to your body, similar to a long static password. Not very secure and you can't change it if it was compromised.
The fingerprint on the yubikey is really just a possession check for the yubikey in case it was stolen. The main protection comes from the asymmetric cryptography inside the yubikey.
> The fingerprint on the yubikey is really just a possession check for the yubikey in case it was stolen.
And one that only depends on the tamper-resistance of the hardware.
It's possible to use error correcting codes to extract deterministic secrets from fuzzy data like fingerprints, but no one (virtually no one?) implements that.
Instead, the fingerprint reader has some cleartext fingerprints that it compares the fingerprint to and just makes an accept/reject decision. Extract that data and you can make an acceptable input, or glitch the processing and you can just bypass it.
Presumably it's better than the button that literally any touch activates, but I think a conservative security analysis would pretty much just treat it like a button.
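The error-correcting-code approach mentioned in the comment above, as an added sketch that is not part of the original thread: a code-offset fuzzy commitment that stores only helper data (codeword XOR reading) instead of a cleartext template. It assumes the fingerprint has already been reduced to a fixed-length bit string and uses a toy 5x repetition code; the sample readings are constructed.

```python
import hashlib
import secrets

REP = 5  # toy ECC: each key bit repeated 5 times, majority vote fixes <= 2 flips

def encode(key_bits):
    return [b for b in key_bits for _ in range(REP)]

def decode(bits):
    return [int(sum(bits[i:i + REP]) > REP // 2) for i in range(0, len(bits), REP)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def key_of(key_bits):
    return hashlib.sha256(bytes(key_bits)).hexdigest()

def enroll(reading):
    """Pick a random key; store only helper = codeword XOR reading."""
    key_bits = [secrets.randbelow(2) for _ in range(len(reading) // REP)]
    return xor(encode(key_bits), reading), key_of(key_bits)

def reproduce(helper, reading):
    """helper XOR reading = codeword XOR noise; decoding strips the noise."""
    return key_of(decode(xor(helper, reading)))

# Constructed sample data: a 40-bit "feature vector" (assumption: real
# fingerprint features have already been quantised to bits).
ENROLLED = [int(c) for c in "1011001110001011010011100101100011010110"]
# Same finger, noisy scan: 5 flipped bits, never more than 2 per 5-bit group.
NOISY = [b ^ (i in {0, 7, 8, 22, 39}) for i, b in enumerate(ENROLLED)]
# Different finger: 3 of every 5 bits differ, beyond what the code corrects.
OTHER = [b ^ (i % REP < 3) for i, b in enumerate(ENROLLED)]

HELPER, KEY = enroll(ENROLLED)

if __name__ == "__main__":
    print("noisy scan reproduces key:", reproduce(HELPER, NOISY) == KEY)
    print("other finger reproduces key:", reproduce(HELPER, OTHER) == KEY)
```

There is no stored template to compare against and no accept/reject branch; a wrong reading simply yields a different key. Helper data still leaks some information about a low-entropy reading, so this shows the mechanism only.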
It is interesting to compare the security of a yubikey+pin vs yubikey+fingerprint. Both provide similar and really good security compared to popular authentication mechanisms like static password, sms, and even authenticator apps.
But a sophisticated attack could still use your credentials if the yubikey was stolen, and the attacker had your fingerprint (plausible with the OPM personal info leak) or had captured your pin (maybe from a keylogger installed on a compromised device you had used).
It seems like the most secure method (albeit impractical) would be to have a "what you know" challenge built into the yubikey, like a pin pad or dial. At that point though, one would probably have to worry about other attacks, like physical intrusion and kidnapping as well.
> It seems like the most secure method (albeit impractical) would be to have a "what you know" challenge built into the yubikey, like a pin pad or dial. At that point though, one would probably have to worry about other attacks, like physical intrusion and kidnapping as well.
This isn't uncommon for Bitcoin hardware wallets, fwiw.
But the problem is that the short what you know challenge isn't very secure if the edge device is compromised and can't impose rate limiting or maximum-try limits.
I think for auth I'd rather have yubi/fingerprint + password. Yes, the host could steal the password, but even if the yubi is completely backdoored you still have a credible amount of security.
It would be better still if the fingerprint mechanism were cryptographic. But it's probably pretty hard to fit a lot of fancy code in such a small device -- and security is something of a lemon market (see also Zoom's "end to end").
I think people should be extremely wary of efforts to turn U2F devices into single factor authentication. If intelligence agencies haven't compromised yubico or at least developed a good program to substitute devices in the mail -- then they ought to be fired.
Personally I prefer just using multiple Yubikeys, one left permanently in each device, never carry a loose key around, and if one is stolen, just deactivate that key from all services.
Having to carry a loose key around is a liability.