Security keys vs device biometrics as authenticators
0pass authentication works with security keys and device biometrics. Learn about the benefits and limitations of each, along with ways to implement passwordless authentication with these methods.
Security Keys
Security keys, like the YubiKey, are sleek tools that introduced a new paradigm for authenticating. When you log in to corporate services or devices, enter a PIN and tap your key—this confirms your presence with a physical touch. The private keys on a secure processor are cut off from all access and only solve the cryptographic challenge to authenticate after being unlocked by a PIN and touch. They have adjustable security settings and can be tied to a corporate chain of trust. They are ideal for the strongest authentication with enterprise governance.






Device Biometrics
Biometric authentication, like Windows Hello or Apple Touch ID, uses the unique biological characteristics of an individual to unlock a hardware security module (HSM) built into the device. The HSM houses the private keys used to authenticate to services. Not only is this PKI-backed authentication a step-level improvement over passwords, but storing the private key in a secure module instead of in a browser or a cloud-based password vault makes it nearly impossible to phish.
Compare authenticators
The right authenticator to adopt depends on your use case and the environments you want to protect.

Security Keys: YubiKeys, or other models of security keys with feature parity.
Device Biometrics: Built-in methods like Touch ID, Face ID, Windows Hello, Android Thumbprint.

Supported protocols

| Protocol | Security Keys | Device Biometrics |
| --- | --- | --- |
| FIDO2 | Supports FIDO2 for web logins when implemented correctly. | Supports FIDO2 for web logins. |
| PIV/Smart Card | Works with smart card subsystems on all popular OSes. | Not compatible with PIV/Smart card authentication. |
| SSH | Works with smart card subsystems on all popular OSes. | Works with smart card subsystems on all popular OSes. |

Security

| Property | Security Keys | Device Biometrics |
| --- | --- | --- |
| Verify Attestation | Certificates prove authentication came from an authorized YubiKey. | Passkeys let users share and use creds on unauthorized devices. |
| Phishing Resistant | Meets the highest standard of phishing resistance: FIDO2. | Meets the highest standard of phishing resistance: FIDO2. |
| Credential Theft Resistant | Keys locked in secure processor of a security key. | Keys locked in dedicated hardware module on the device. |
| Tied to Certificate Authority (CA) | 0pass enrolls a security key into a certificate authority. | Keypairs in biometric authentication are self signed. |
| MFA | Proof of knowledge (PIN), and proof of possession (touch). | Proof of self (fingerprint or face) and proof of possession (device). |

Can log into

| Target | Security Keys | Device Biometrics |
| --- | --- | --- |
| SSO Web Apps | Yes, via SAML or OIDC using FIDO2. | Yes, via SAML or OIDC. |
| SSH | Via native SSH. | No native SSH integrations with Biometrics. |
| Windows | Via native Smart Card subsystem, tied to certificate authority. | Windows Hello unlocks computer, credential is unmanaged (local). |
| Mac | Via Mac native Smart Card subsystem. | Touch ID cannot log in to Mac or unlock FileVault. |
| Linux | Via the pluggable authentication module. | No native biometric login functions in Linux. |
| Windows RDP | Uses the same methods as Windows computer. | Only via specific implementations of Windows Hello for Business. |
Stop the att&ck
Deploying passwordless logins with security keys or device biometrics using 0pass helps you defend against the most frequently used adversarial techniques.



Let's talk about your use case
Chat with a security engineer and see whether we can help secure your environment. You can also set up a demo and access a free 30-day trial.
Access a free trial
Advice from security engineers
See a demo