by tialaramex 2179 days ago
Going FIDO-SSH can perhaps be cheaper than PIV, especially if, as we very much want, FIDO is popular, which will tend to drive down prices.

Cheaper/simpler FIDO2 products (from Yubico) exist if this feature is the only thing you want from a Yubikey. I don't know if that's a future Yubico are enthusiastic about, but I don't see much reason to hate it as an end user.

Even cheaper and even simpler FIDO products (from many vendors) exist if you only ever actually want this from one or two systems (e.g. a laptop and then one desktop workstation) so you don't need resident keys because the "non-resident" part lives on your workstation.


I always assumed that the relatively high price of the Yubikey had more to do with it being a relatively niche product than the cost of production; after all, it's not much more than a cheap microcontroller underneath all that.

Was I wrong to make this assumption? Why would FIDO tokens be significantly cheaper and/or more popular?

If anything it seems like at first it's going to fragment the market even more.

A full-blown Yubikey has modifiable firmware and a relatively large amount of rewritable Flash storage. I assume those features aren't free.

A FIDO authenticator has no modifiable state beyond maybe some sort of counter; it has a random secret key which makes it unique from its siblings, and that's it. No firmware update feature, no storage.

The crypto hardware is also simpler. FIDO was defined in terms of these nice compact elliptic curve schemes. The keys are small and the operations are simple; I'd be surprised if dedicated silicon to implement this isn't cheaper, and if you're just running it on a cheap microcontroller I'd be surprised if you can't get away with a cheaper microcontroller than you would need to implement RSA encryption and whatever else a Yubikey can do.

Finally in terms of volume, it makes sense to give all your 5000 staff a FIDO key. "Go to the enrollment page we built by this Friday. Enrol your FIDO key. Call the help desk if you have problems. From next Monday these are mandatory". You can lock down common corporate web SSO solutions with it for example, outfits like Duo will let you just check one box and you can now answer "Yes" to pages of questions your CISO is supposed to fill out every year.

It doesn't make sense to give out 5000 traditional Yubikeys. A dozen to a dev team for PIV? Maybe. But the lady who does 2.5 days per week in the accounts department? She doesn't need PIV. She can use a FIDO key to sign into the accounts web app though.

That's not really true anymore. Yubikeys haven't supported firmware modification for years due to security reasons, and FIDO2 keys often have storage in order to support Resident Keys.

I was not aware that Yubikeys can no longer be firmware-updated. My impression was that they just don't permit user firmware modification by policy, but that is clearly wrong.

FIDO Security Keys are cheaper than FIDO2 Security Keys, which is what I'd expect from what I wrote; they don't need any storage.
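The "non-resident key" design tialaramex describes in the first post and returns to here (a token holding only one random secret and perhaps a counter, with the per-site part kept by the workstation) is shown below as an added Go example. It is not code from the thread or from any real authenticator: the HMAC-to-P-256 derivation, the Authenticator type, the appID strings and the challenge bytes are my own illustrative assumptions, and real U2F key-handle formats differ.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"math/big"
)

// Authenticator models a stateless U2F-style token: one random device secret plus a counter, no per-credential storage. Illustrative, not the FIDO spec.
type Authenticator struct {
	secret  []byte
	counter uint32
}

// derive rebuilds the per-credential P-256 key from (secret, nonce, appID) on demand.
func (a *Authenticator) derive(nonce []byte, appID string) *ecdsa.PrivateKey {
	m := hmac.New(sha256.New, a.secret)
	m.Write(nonce)
	m.Write([]byte(appID))
	c := elliptic.P256()
	d := new(big.Int).Mod(new(big.Int).SetBytes(m.Sum(nil)), c.Params().N)
	x, y := c.ScalarBaseMult(d.Bytes())
	return &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: c, X: x, Y: y}, D: d}
}

// Register hands the workstation a key handle (here simply a random nonce) and the relying party a public key; the token forgets the private key rather than storing it.
func (a *Authenticator) Register(appID string) (handle []byte, pub *ecdsa.PublicKey) {
	handle = make([]byte, 32)
	rand.Read(handle)
	return handle, &a.derive(handle, appID).PublicKey
}

// Sign re-derives the key, bumps the counter and signs; a handle registered under another appID derives a different key, so Verify rejects it.
func (a *Authenticator) Sign(appID string, handle, challenge []byte) (uint32, []byte, error) {
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.derive(handle, appID), digest(a.counter, challenge))
	return a.counter, sig, err
}

// digest binds the counter into the signed message: sha256(counter_be32 || challenge).
func digest(ctr uint32, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte{byte(ctr >> 24), byte(ctr >> 16), byte(ctr >> 8), byte(ctr)}, challenge...))
	return h[:]
}

// Verify is the relying-party side: only the public key stored at registration is needed.
func Verify(pub *ecdsa.PublicKey, counter uint32, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(counter, challenge), sig)
}
```

A second Authenticator constructed with the same device secret signs correctly for a handle it has never seen, which is exactly why such a token needs no credential storage.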