
YubiKey for Windows Hello – Protect your Windows 10 login with your YubiKey - NZSmartie
http://yubi.co/yubikeywinhelloapp
======
talkingtab
Just to be clear, "Yubikey" is a _brand_ of FIDO key. See:
[https://fidoalliance.org](https://fidoalliance.org). You can find other
brands which in my experience, are just as functional but often less
expensive. I have a yubikey, one from hyperfido and most interesting is the
open source 'U2F zero'. All of them work equally well. Unless MS has a
non-standard implementation or does not use FIDO, then any FIDO would work.

~~~
j_s
This is the part I don't understand... the Yubikey U2F-only option (1/2 the
price) is not listed as supported by this application.

As best I can tell, U2F as it is used today isn't supported by Windows Hello;
this is a custom app to support the more advanced Yubikey products.

Apparently there is some v2 of U2F coming down the pike that vendors are
waiting for before implementing support; however, I couldn't find much
information on how this currently affects Windows Hello:

[https://groups.google.com/a/fidoalliance.org/forum/#!topic/fido-dev/ZSa1HZMvozM](https://groups.google.com/a/fidoalliance.org/forum/#!topic/fido-dev/ZSa1HZMvozM)

~~~
nickik
Windows Hello will use FIDO 2.0, but this is just a normal HMAC
challenge-response, not FIDO.

------
chaz6
I got as far as plugging in the key, and then it said "Windows companion
devices are disabled on your system. Contact your system administrator." My
computer is a standalone desktop, not connected to a domain.

Edit:

If you run into this problem, here's how to fix it

To modify local security policy

Open the Local Group Policy Editor. To do this, press the Windows key, type R,
and then type gpedit.msc. In the Local Group Policy Editor, from the top level
Local Computer Policy, navigate to Computer Configuration > Administrative
Templates > Windows Components > Microsoft Secondary Authentication Factor. In
the right pane, click the link to Edit policy setting. (You can also
double-click the setting to Allow companion device for secondary authentication.) The
default state is Not configured. In the setting screen, select the option for
Enabled, and click OK. If this option is already selected, your policy is set
and you can click Cancel. Exit the Local Group Policy Editor and the
Management Console.

------
hannibalhorn
And apparently with macOS Sierra it's possible to once again use a Yubikey to
configure login on a Mac. I'd missed that news, will have to go dig mine out
of the drawer!

~~~
STRML
How useful is that, really, considering you couldn't possibly use a Yubikey to
configure disk encryption? Unless you actually put the unlock key on the
Yubikey somehow (I've never heard of someone attempting or succeeding at
that), anyone with physical access - which is what this is intended to protect
against - could still wreak all kinds of havoc with disk access.

It's certainly easier and may even be safer (in the case of a malfunction,
which _has happened_ on OSX) to just use a longer password.

~~~
vrdabomb5717
With FileVault, the disk won't decrypt until the user enters their login
password.

Here's Yubico's documentation on Filevault integration:
[https://www.yubico.com/support/knowledge-base/categories/articles/smart-card-implementation-macos-sierra-replace-filevault/](https://www.yubico.com/support/knowledge-base/categories/articles/smart-card-implementation-macos-sierra-replace-filevault/)

It seems an attacker with physical access still requires your password to
unlock the disk. At that point, they'd need the Yubikey to login (assuming
they haven't already decrypted the disk and taken your data).

Someone on Reddit suggested saving a static password to the Yubikey and then
entering that at boot time to get around this:
[https://www.reddit.com/r/AskNetsec/comments/3dpa2q/how_do_yo...](https://www.reddit.com/r/AskNetsec/comments/3dpa2q/how_do_you_secure_os_x/ct7plbr/)?

~~~
andrewstuart2
Furthermore, just encrypt your disk with a password concatenated with said
static yubikey password and you've got effective MFA.

~~~
jrockway
I feel like a static password doesn't really count as MFA. Someone can keylog
that static password without you knowing.

~~~
andrewstuart2
If it's long and random enough to be very hard to remember, then it's MFA, in
my opinion. A private key (e.g. the one used for TOTP) is nothing more than a
quantity of random bits (with specific properties, grant you). I'll give you
that the output is certainly reusable for a statically stored key, but you're
still adding a second factor that, barring some alternate attack like
keylogging, still adds security beyond a password.
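
Added example (not part of this thread, and not Yubico's or Microsoft's code): a small Python model of the two modes the thread contrasts. One slot types a fixed string (the "password concatenated with a static yubikey password" idea above), the other does HMAC-SHA1 challenge-response (the HMAC challenge-response nickik refers to earlier). A simulated keylogger captures one genuine login in each mode and replays it. The device secret, the password and both verifier classes are constructed for the example; the verifier-side logic is a simplified stand-in, not any real product's implementation.

```python
import hashlib
import hmac
import secrets

# Constructed 20-byte secret standing in for a key the device generated itself.
# A real device never exposes this value; it is fixed here only so the example
# runs offline and deterministically.
DEVICE_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff00112233")


class StaticSlot:
    """A slot configured to type the same fixed string every time it is touched."""

    def __init__(self, secret: bytes) -> None:
        self._static = secret.hex()

    def emit(self) -> str:
        return self._static


class HmacSlot:
    """A slot configured for HMAC-SHA1 challenge-response."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, challenge: bytes) -> str:
        return hmac.new(self._secret, challenge, hashlib.sha1).hexdigest()


def _digest(s: str) -> bytes:
    return hashlib.sha256(s.encode()).digest()


class StaticServer:
    """Verifier for 'password + static token string' (constructed for the example)."""

    def __init__(self, password: str, static: str) -> None:
        self._expected = _digest(password + static)

    def login(self, typed: str) -> bool:
        return hmac.compare_digest(_digest(typed), self._expected)


class ChallengeServer:
    """Verifier that shares the HMAC secret with the device and issues a fresh,
    single-use challenge for every login attempt (constructed for the example)."""

    def __init__(self, password: str, secret: bytes) -> None:
        self._password_digest = _digest(password)
        self._secret = secret
        self._outstanding = set()          # challenges issued but not yet used

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self._outstanding.add(challenge)
        return challenge

    def login(self, password: str, challenge: bytes, response: str) -> bool:
        if challenge not in self._outstanding:
            return False                   # never issued, or already consumed
        self._outstanding.discard(challenge)
        expected = hmac.new(self._secret, challenge, hashlib.sha1).hexdigest()
        password_ok = hmac.compare_digest(_digest(password), self._password_digest)
        response_ok = hmac.compare_digest(response.encode(), expected.encode())
        return password_ok and response_ok


def keylogger_replay_static(password: str = "correct horse battery") -> tuple:
    """Attacker replays exactly the keystrokes a keylogger saw. Returns (genuine, replay)."""
    key = StaticSlot(DEVICE_SECRET)
    server = StaticServer(password, key.emit())
    keystrokes = password + key.emit()     # everything the user typed, captured once
    genuine = server.login(keystrokes)
    replay = server.login(keystrokes)      # identical bytes are accepted again
    return genuine, replay


def keylogger_replay_challenge_response(password: str = "correct horse battery") -> tuple:
    """Returns (genuine, replay_with_old_challenge, replay_with_fresh_challenge)."""
    key = HmacSlot(DEVICE_SECRET)
    server = ChallengeServer(password, DEVICE_SECRET)
    c1 = server.new_challenge()
    r1 = key.respond(c1)                   # keylogger captures the password and r1
    genuine = server.login(password, c1, r1)
    replay_old = server.login(password, c1, r1)      # c1 was consumed by the real login
    c2 = server.new_challenge()
    replay_fresh = server.login(password, c2, r1)    # r1 is not HMAC(secret, c2)
    return genuine, replay_old, replay_fresh


if __name__ == "__main__":
    print("static:             ", keylogger_replay_static())
    print("challenge-response: ", keylogger_replay_challenge_response())
```

Run it directly to see both outcomes. The static string is accepted a second time verbatim, which is the objection jrockway raises, while an HMAC response is bound to a challenge the verifier issued once and then discarded, so the captured response is useless for any later login even though the attacker also has the password.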

------
mark_l_watson
I don't like something that I have to plug in. What I greatly prefer is what
PacBell gave me as a consultant in the 1990s to access their secure inner
networks remotely: a device that would display a new random number every 10
seconds and I would add that number to my password when logging in. I was
given the same sort of device at Google in 2013 when I was a consultant there.

For laptop and mobile devices, I like the idea of password and biometrics
(fingerprint reader and/or facial recognition).

~~~
petejansson
A serious problem with biometrics is credential revocation. The best answer
I've seen to this is using the biometric to locally unlock some other
credential like a certificate that can be revoked. There are other problems
that are flashier, like spoofing and liveness, but revocation is a real
show-stopper that is frequently ignored.

~~~
nickik
The new FIDO UAF standard solves exactly this problem: all biometrics only
unlock a local identifier, preferably on a Secure Element or in a TrustZone.

------
chrisper
I have never owned a YubiKey before. What happens if you lose it or if it gets
damaged? Can you get it replaced or is it like losing a keyfile?

~~~
Elizzy
You lose it and it's gone. You can't remove credentials on the device. This is
why you buy two, register both, and save one in a safe.

EDIT: I mean you can't copy credentials off in most cases, like this one.
Credentials can be replaced.

~~~
sasas
If you program your own keys into the Yubi, then you know them and can archive
them for reprogramming on another device. You can do this with the Yubi
Personalisation tool [1] for a few modes the device supports.

[1] [https://www.yubico.com/products/services-software/personalization-tools/](https://www.yubico.com/products/services-software/personalization-tools/)

~~~
Elizzy
Eh. Hence why I said it like I did. In most cases, the device generates the
secrets. And that's how it should be done, it guarantees that they can't be
compromised easily (vs if someone compromised wherever you backed up those
keys to).

~~~
sasas
Sure. There are also other instances where the Yubi's keys may be exposed, such
as when using their OTP protocol, which requires the keys to be stored in a
validation server (either theirs by default, or your own [1]).

[1] [https://www.yubico.com/products/services-software/open-source-servers/](https://www.yubico.com/products/services-software/open-source-servers/)

------
qplex
Does it protect you also from the spy/ad/malware that Windows 10 is?

~~~
homakov
I'll extend the question: from what does it protect at all? (Answer: nothing,
FIDO keys are hype)

~~~
luma
Can you expound on that a bit? It seems like a reasonable solution for a
hardware security token. What don't you like about FIDO keys?

~~~
nickik
Don't ask this troll, this article is not even about FIDO.

~~~
homakov
I'm not a troll, I have an article on this
[https://sakurity.com/blog/2015/07/18/2fa.html](https://sakurity.com/blog/2015/07/18/2fa.html)

