
Can I store a passkey on a YubiKey?


Yes. That's one of the primary use cases of a YubiKey (or other FIDO2 hardware keys).

Please note that there are 2 types of passkeys:

- resident keys: Actually stored on the hardware key

- non-resident keys: Keys that are recalculated on the fly based on a secret seed value, the domain that the service is for and the username. The advantage is that these don't take up any storage space

Resident keys have the advantage that they remember the username. But there is only a limited number of keys (about 100 on new YubiKeys but there are still a lot of older hardware tokens being used) that you can store on a hardware token. Non-resident keys have the advantage that you can "store" an infinite number of them on your hardware token.

See https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shatt...


> Please note that there are 2 types of passkeys

This is not really correct. Non-resident keys are not passkeys.

The two types of passkeys are synced and device-bound. Synced passkeys are typically stored in software-based credential managers, while device-bound passkeys are typically stored in hardware security keys or hardware-based credential managers.


That's all it does.


This "passkey" business has been so confusing.

I have had an HSM for years. I thought "Passkey" was that stupid Windows thing where they want you to use a 4-digit or 5-digit PIN.

If a "passkey" means an HSM, I'm already onboard. If it means PINs and TPMs, I'm not onboard.


An HSM can store a passkey that you can optionally unlock with a touch plus a PIN/password.


Passkey is a catchy but vague name for ssh keys used for website auth.

Everything else about them, such as HSM, is industry overlay motivated by their own motivations and aspirations.


A TPM is an HSM.


Nope, TPM secures your computer from you. HSM offloads sensitive tasks to a trusted device while letting you fiddle with the computer any way you want.


An HSM stores private keys securely. A TPM does this to implement secure boot and disk encryption. And for some reason a lot of people are afraid of disk encryption.


> And for some reason a lot of people are afraid of disk encryption.

I can answer that.

Disk encryption is a risk factor. If my desktop fails and it is unencrypted, I can take the disk and put it into another desktop and it will work.

With encryption, I am less sure. I do encrypt my desktop with LUKS, but I vaguely remember that setting up an encrypted disk in Linux is tricky: there is a loop device involved for the decryption layer and some LVM config. And the kernel has to support all that, which it probably does, but again, it's been a long time since I tried.

So while my desktop and my laptops have encrypted partitions, the server running my archives and backup is not, because I value simplicity and access more than the extra security.

People using Windows or Apple hardware should be even more afraid of disk encryption, as they understand it way less than me.


Not one that works across devices/browsers.


A Yubikey is a "device".


Not one that can store an arbitrary number of passkeys that work across different browsers/computers.


I don't think you understand how FIDO2 works.

If you are using non-discoverable keys, the type where you input your username to log in and then it asks for the passkey, there is no limit because they are calculated from a single master key and seeded with the URL.

If you are using discoverable keys, where you don't even input a username to log in, the latest YubiKey has a limit of 100, but other vendors hold more.

Physical hardware keys work across most devices and browsers as long as you have the key with you.
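The non-resident scheme that both this comment and the earlier one describe (a per-site key recomputed from one master secret and the site identifier, so the token stores nothing per credential), as an added example that is not code from any commenter or from Yubico. It assumes an HMAC-based derivation from a master seed, the RP ID and a random nonce that travels inside the credential ID, plus an ECDSA P-256 implementation in plain Python so that it runs on the standard library alone; real authenticators use their own vendor-specific wrapping schemes and do the signing in hardware. It goes one step beyond the comments by showing the check a defender cares about: the credential ID is bound to the RP ID, so a handle issued for one site is refused when presented under another.

```python
import hashlib
import hmac
import os

# P-256 in plain Python (textbook, not constant-time) purely so the example
# runs on the standard library; a real authenticator does this in hardware.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def ec_add(p1, p2):
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # point at infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def ecdsa_sign(priv, msg):
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    # deterministic per-message nonce (simplified stand-in for RFC 6979)
    k = int.from_bytes(hmac.new(priv.to_bytes(32, "big"), msg,
                                hashlib.sha256).digest(), "big") % (N - 1) + 1
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return (r, s)

def ecdsa_verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

class NonResidentAuthenticator:
    """Persists ONE master seed; every credential is re-derived from it."""

    def __init__(self, master_seed):
        self.master_seed = master_seed  # the only long-term secret

    def _derive(self, label, rp_id, nonce):
        # illustrative KDF (assumption); vendors use their own wrapping scheme
        return hmac.new(self.master_seed, label + rp_id.encode() + nonce,
                        hashlib.sha256).digest()

    def _private_key(self, rp_id, nonce):
        return int.from_bytes(self._derive(b"sign", rp_id, nonce), "big") % (N - 1) + 1

    def make_credential(self, rp_id):
        """Registration: return (credential ID, public key); store nothing."""
        nonce = os.urandom(16)
        # credential ID = nonce || MAC(rp_id, nonce) so the authenticator can
        # recognise its own handle and refuse to sign it for another RP ID
        cred_id = nonce + self._derive(b"mac", rp_id, nonce)[:16]
        return cred_id, ec_mul(self._private_key(rp_id, nonce), G)

    def get_assertion(self, rp_id, cred_id, challenge):
        """Login: re-derive the key from seed + RP ID + nonce, then sign."""
        nonce, tag = cred_id[:16], cred_id[16:]
        if not hmac.compare_digest(tag, self._derive(b"mac", rp_id, nonce)[:16]):
            return None  # not our handle, or presented under a different RP ID
        return ecdsa_sign(self._private_key(rp_id, nonce), challenge)

def login(authenticator, rp_id, cred_id, pub, challenge=None):
    """Relying-party side: it holds only the credential ID and public key."""
    challenge = challenge or os.urandom(32)
    sig = authenticator.get_assertion(rp_id, cred_id, challenge)
    return sig is not None and ecdsa_verify(pub, challenge, sig)

if __name__ == "__main__":
    auth = NonResidentAuthenticator(os.urandom(32))  # constructed seed
    cid, pub = auth.make_credential("a.example")
    print("a.example login:", login(auth, "a.example", cid, pub))
    print("same handle on b.example:", login(auth, "b.example", cid, pub))
```

Running the file registers one credential, logs in with it, and then shows the same handle being refused for a different RP ID. Note that the relying party ends up holding only a public key and an opaque credential ID, and the authenticator's only persistent secret is the 32-byte seed however many sites are registered, which is exactly why this kind of credential has no storage limit.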


Passkey is literally a software emulation of a YubiKey.


A passkey is a security key used as a password. A YubiKey implements the security key in hardware; it can store passkeys. Password managers implement the security key in software; they can store passkeys.



