YubiClicker

YubiClicker is a game where you climb a public leaderboard by out-tapping your opponents on a physical security key. YubiKey, Titan, Feitian, Solo, and Nitrokey all qualify. It’s Cookie Clicker, except every click is a FIDO2 assertion from a physical key tap.

Ways to top the leaderboard

Assuming the implementation and assumptions here are correct, the only ways to win should be to:

• Tap fast.
• Automate the tap to a physical key.
• Exploit a hardware vulnerability like EUCLEAK.

You might find another way though. Each of the following would be a bug somewhere, whether in this code, in my assumptions, in the WebAuthn spec, in MDS3, or in vendor firmware:

• Pass attestation checks with a non-hardware key.
• Move a hardware-backed credential into software.
• Import a software-known credential into supported hardware.

Email security@yubiclicker.com with any info or just to say hi.

Leaderboard rules

Though you’ll need a physical security key to get on the leaderboards, anyone with a passkey can register and play. Software passkeys from 1Password, Bitwarden, iCloud Keychain, Google Password Manager, and Windows Hello should work, but they don’t require a physical tap per click the way a hardware key does, so the experience isn’t quite right.

Register sets attestation: "direct", asking the authenticator to return a signed attestation statement. Browsers prompt for extra consent because attestation can be a cross-site fingerprint; here it’s just the leaderboard’s ticket. The server chain-verifies the statement’s x5c against the per-vendor attestationRootCertificates that the FIDO Metadata Service v3 (MDS3) publishes for that AAGUID, then checks the AAGUID against an allowlist that requires at least one FIDO_CERTIFIED* statusReport and no ATTESTATION_KEY_COMPROMISE, USER_VERIFICATION_BYPASS, or REVOKED entries. The attestation statement is verified at registration and dropped. The server keeps only the AAGUID, the credential public key, a SHA-256 fingerprint of the leaf certificate, and the metadata fields that appear on the leaderboard. The MDS3 allowlist is baked at build time, so compromised AAGUIDs flagged by FIDO land on the next refresh and deploy.

YubiClicker requires user presence (UP), not user verification (UV). UP is a flag the authenticator firmware sets in the assertion. On allowlisted hardware that flag means a touch, no PIN or biometric read. Discoverable (resident) credentials are required, and there are no usernames, no cookies, and no cross-site identity.

Prior art

In 2021, Cloudflare experimented with a CAPTCHA replacement called Cryptographic Attestation of Personhood that verified humans with a physical user presence check on a security key. The main criticism then was that the touch could be automated. Here though, for a game, that’s fine.

If registration says you’re ineligible

The accepted hardware:

• YubiKey 5 series, every variant including 5 NFC, 5C, 5C NFC, 5Ci, 5C Nano, 5 FIPS, and the 5.7 generation
• YubiKey Bio, FIDO and Multi-protocol editions
• Security Key by Yubico, USB and NFC
• Google Titan T1, T2, and legacy Bluetooth
• Feitian ePass FIDO2 USB-A and USB-C, K9, K40
• SoloKey 2
• Nitrokey 3, USB-A, USB-C, NFC

If you’re trying to use one of these but attestation comes back as fmt: "none", likely a software passkey provider such as 1Password handled registration instead of your hardware key. The credential is stored and you can sort of play, but it won’t appear on any leaderboard.

Three ways to route the next registration to your security key:

• Dismiss the provider’s popup. Once it’s gone the browser’s native security-key picker takes over.
• Pick the security key inside that popup. 1Password on Chrome has a button for it.
• Turn off the provider’s WebAuthn intercept in its settings.

If your device should be on the list and isn’t, or you’re having any other trouble, email security@yubiclicker.com.