Yubico security keys can now be used to log into Windows computers

Yubico security keys can now be used to log into Windows computers
Yubico releases app that lets users configure YubiKeys to work on top of local Windows OS accounts
October 17, 2019
https://www.zdnet.com/article/yubico-security-keys-can-now-be-used-to-log-into-windows-computers/

Yubico: Yubico Login for Windows Application Now Available in Public Preview

 

Thanks, of course using a Yubikey for Windows login has worked for a long while using the HMAC challenge-response, but I think this is a different mechanism now as they are talking about enrolment of backup keys. One of the nice things about the HMAC approach is that you keep a record of the HMAC secret and can program as many keys as you like with that, or create a recovery one on the fly, which means physical backup isn't needed in the same way. But the HMAC software hasn't been supported for a while, and not on W10.

 

anybody tried it on windows 7?
No problems with the sofware experienced?

I have a yubikey for gmail fastmail dropbox but not alot else supports it.

 

Been using the old version of the software on W7 account authentication for 5 years now! The new version is - new! I'll be taking a look shortly, but mainly for W10. I see no reason to change from the HMAC system, especially since that's useful for things like 2fa on some password managers, for example.

Website account support, whether for U2F or Fido 2 has been frankly glacial. This is, in my view, because it is relatively privacy respectful in comparison with handing over your phone# - hence why they don't want to support it. However, because Fido 2 is being wrapped up with Hello and instant sign-on, I suspect the market may have to change.

 

hmm are you saying that you can only have one system on windows?

I have 2fa on keepassxc password manager and the yubikey

 

Not at all, but if you've got the HMAC setup on slot 2 for things like Keepassxc, then it's no imposition to also use it for W7 login authentication. Of course, that doesn't preclude using the new software, but I'd need to evaluate it to see if it's worth it for me - the HMAC has the advantage that the backup can be logical (records of the hmac secret) rather than physical (a backup key) which the new software seems to imply.

 

okay thanks.
looks like I need to look for the old software if it works for win7. no point having 2 systems.

I don't suppose you have win xp drivers for yubikey?
none on the website

 

Sorry, I never used it on xp. I can try to see if the current (old) version for W7 works on XP and report back. I think it may have some dependencies that preclude that.

 

okay thanks.
I have seen while googling that yubikey 2 did used to work on xp

 

@trott3r - unfortunately, the YubiKeyLogon.exe 1677336 bytes signed by Yubico AB 4/4/2013, crashes out immediately on XP SP3, it seems it does a check before going forward, with the message that it only supports Windows 7. Sorry.

I've got a feeling that the logon hooks it uses were only introduced starting with Vista, but even that wouldn't be supported.

 

ok thanks for trying
maybe I will try archive.org

 

An update on this topic: have just downloaded the new version (not installed yet). But read the documentation.

The software is applicable to windows login for LOCAL accounts (not networked authenticated ones including ones with Hello etc). It works on YK4+ and neo, and relies on the HMAC secret (default slot 2) - just as before. It's applicable to W7-W10.

So, basically, this is a re-write/update of the old software and works, seemingly, in the same way with the HMAC secret and challenge response. You can even use it password-less, they say.

For me, this is good news in that it's minimal change, supported software and relies on secrets I can backup logically elsewhere (rather than having multiple keys). Of course, I also have admin accounts with a long-strong password and no Yubikey to make recovery easy.