Yubico security keys can now be used to log into Windows computers

Discussion in 'privacy technology' started by mood, Oct 17, 2019.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    20,115
    Yubico security keys can now be used to log into Windows computers
    Yubico releases app that lets users configure YubiKeys to work on top of local Windows OS accounts
    October 17, 2019

    https://www.zdnet.com/article/yubico-security-keys-can-now-be-used-to-log-into-windows-computers/
    Yubico: Yubico Login for Windows Application Now Available in Public Preview
     
  2. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,801
    Location:
    UK
    Thanks, of course using a Yubikey for Windows login has worked for a long while using the HMAC challenge-response, but I think this is a different mechanism now as they are talking about enrolment of backup keys. One of the nice things about the HMAC approach is that you keep a record of the HMAC secret and can program as many keys as you like with that, or create a recovery one on the fly, which means physical backup isn't needed in the same way. But the HMAC software hasn't been supported for a while, and not on W10.
     
  3. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,157
    Location:
    UK
    Anybody tried it on Windows 7?
    No problems with the software experienced?

    I have a YubiKey for Gmail, Fastmail, Dropbox, but not a lot else supports it.
     
  4. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,801
    Location:
    UK
    Been using the old version of the software on W7 account authentication for 5 years now! The new version is - new! I'll be taking a look shortly, but mainly for W10. I see no reason to change from the HMAC system, especially since that's useful for things like 2fa on some password managers, for example.

    Website account support, whether for U2F or Fido 2 has been frankly glacial. This is, in my view, because it is relatively privacy respectful in comparison with handing over your phone# - hence why they don't want to support it. However, because Fido 2 is being wrapped up with Hello and instant sign-on, I suspect the market may have to change.
     
  5. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,157
    Location:
    UK
    Hmm, are you saying that you can only have one system on Windows?

    I have 2FA on the KeePassXC password manager and the YubiKey.
     
  6. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,801
    Location:
    UK
    Not at all, but if you've got the HMAC setup on slot 2 for things like Keepassxc, then it's no imposition to also use it for W7 login authentication. Of course, that doesn't preclude using the new software, but I'd need to evaluate it to see if it's worth it for me - the HMAC has the advantage that the backup can be logical (records of the hmac secret) rather than physical (a backup key) which the new software seems to imply.
     
  7. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,157
    Location:
    UK
    Okay, thanks.
    Looks like I need to look for the old software if it works for Win7. No point having 2 systems.

    I don't suppose you have Win XP drivers for YubiKey?
    None on the website.
     
  8. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,801
    Location:
    UK
    Sorry, I never used it on xp. I can try to see if the current (old) version for W7 works on XP and report back. I think it may have some dependencies that preclude that.
     
  9. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,157
    Location:
    UK
    Okay, thanks.
    I have seen while googling that YubiKey 2 did use to work on XP.
     
  10. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,801
    Location:
    UK
    @trott3r - unfortunately, the YubiKeyLogon.exe (1677336 bytes, signed by Yubico AB 4/4/2013) crashes out immediately on XP SP3; it seems it does a check before going forward, with the message that it only supports Windows 7. Sorry.

    I've got a feeling that the logon hooks it uses were only introduced starting with Vista, but even that wouldn't be supported.
     
  11. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,157
    Location:
    UK
    OK, thanks for trying.
    Maybe I will try archive.org.
     
  12. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,801
    Location:
    UK
    An update on this topic: have just downloaded the new version (not installed yet). But read the documentation.

    The software is applicable to Windows login for LOCAL accounts (not networked authenticated ones including ones with Hello etc). It works on YK4+ and NEO, and relies on the HMAC secret (default slot 2) - just as before. It's applicable to W7-W10.

    So, basically, this is a re-write/update of the old software and works, seemingly, in the same way with the HMAC secret and challenge response. You can even use it password-less, they say.

    For me, this is good news in that it's minimal change, supported software and relies on secrets I can back up logically elsewhere (rather than having multiple keys). Of course, I also have admin accounts with a long-strong password and no YubiKey to make recovery easy.
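
The HMAC challenge-response scheme discussed in this thread, as an added sketch that is not part of any post and is not Yubico's code: `SoftKey` is a software stand-in for a key slot, and `Verifier` is a hypothetical host-side check whose design and names are assumptions. It shows why keys programmed from one recorded secret are interchangeable, and why that record therefore has to be protected like a key.

```python
import hashlib
import hmac
import os


class SoftKey:
    """Software stand-in for a key slot in HMAC-SHA1 challenge-response mode."""

    def __init__(self, secret: bytes):
        if len(secret) != 20:
            raise ValueError("HMAC-SHA1 slot secret must be 20 bytes")
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


class Verifier:
    """Hypothetical host side: keeps a challenge and a hash of the expected
    response, never the secret, and rotates both after each good login."""

    def __init__(self, enrolled_key: SoftKey):
        self._arm(enrolled_key)

    def _arm(self, key: SoftKey) -> None:
        self.challenge = os.urandom(32)
        self._expected = hashlib.sha256(key.respond(self.challenge)).digest()

    def check(self, response: bytes) -> bool:
        got = hashlib.sha256(response).digest()
        return hmac.compare_digest(got, self._expected)

    def login(self, key: SoftKey) -> bool:
        ok = self.check(key.respond(self.challenge))
        if ok:
            self._arm(key)  # new challenge, so a captured response goes stale
        return ok


def demo() -> dict:
    secret = os.urandom(20)  # constructed; this is the value kept on record
    primary, spare = SoftKey(secret), SoftKey(secret)
    host = Verifier(primary)
    captured = primary.respond(host.challenge)  # response seen on the wire
    return {
        "spare_key_accepted": host.login(spare),
        "replayed_response_rejected": not host.check(captured),
        "unrelated_key_rejected": not host.login(SoftKey(os.urandom(20))),
        # Anyone holding the record can mint a working key: store it offline.
        "key_rebuilt_from_record_accepted": host.login(SoftKey(secret)),
    }
```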
     