Hands On: YubiKey and Windows Hello

Windows Hello is one of my favorite features in Windows 10.

Having the ability to use biometrics to validate my identity for access to my Windows 10 devices is not only a whiz bang neat feature but it is also very secure. By providing my fingerprint or face for scanning I associate those unique personal features to my Windows 10 log in account for an added level of security whether I am on my machines at home or on the road for work.

No one can watch me type a password over my shoulder and there is no need to write down a password somewhere to remember it either.

Last week Microsoft bragged a little bit about Windows Hello and the fact that almost 100 biometric devices are now available in the marketplace for Windows 10 which means there are many options available. Personally, I have used both facial recognition and fingerprint readers to use Windows Hello on all of my Windows 10 based devices and the convenience of easily logging into my systems can not be overstated.

Plus, as I mentioned earlier, it is a very secure method of identity verification that is unique to you.

However, one of the many options that Microsoft mentioned last week in their blog post was Yubico's YubiKey. Curiosity about how this solution would work with Windows Hello and for other multi-factor authentication purposes got the best of me and I ordered one for testing. I decided on the YubiKey NEO, which retails for $50, because it supports both USB and NFC as connection options and for further testing.

YubiKey NEO

Yubico explained how their keys worked with Windows Hello last September in a company blog post right after the Windows 10 Anniversary Update, which implemented more user verification options and standards-based authentication, was released:

"In Windows 10 language, Microsoft will support both key-based and certificate-based authentication. Key-based authentications are equal to the FIDO model of public key cryptography; while certificate-based authentication relates to smart cards and PKI. Enterprises that don’t use PKI, or want to minimize reliance on certificates, are prime converts for key-based Windows 10 authentication credentials. With a design focused on ease-of-use, it’s a natural place for end users to finally duck behind the protection of strong authentication.

The YubiKey is a versatile authentication device that is built for this environment. Our strategy around strong authentication includes supporting many standards-based authentication protocols for host-based and cloud-based services. Today, users of services such as Google, Dropbox, and GitHub have access to FIDO-based strong authentication with the YubiKey."

In order to use YubiKey as a Windows Hello authentication device you do not actually use the Windows Hello settings in Windows 10 but download a separate app from the Windows Store called YubiKey for Windows Hello.

This app will take you step by step to getting your YubiKey working with Windows Hello so that when you walk up to your device and plug in the key it will authenticate your identity and log you into Windows 10.

After testing this one two desktops running Windows 10 Version 1607, aka the Anniversary Update and an HP Spectre x360 running Windows 10 Redstone 2 Fast Ring builds, I do have a few observations.

1. The YubiKey NEO key is slow to log you into Windows 10 unless you swipe on the screen, or tap any key, to open up the log in page.   Yubico knows this is an issue with the NEO key versus the YubiKey 4 a USB only device.

2. I fully expected to be logged off my Windows 10 system when I pulled the YubiKey NEO out of the USB port however, that does not happen. You either have to lock the system yourself or let the settings on the OS itself dictate when the screen is locked. By default, I think removal of the YubiKey, which was used to validate my identity to the system, should result in the system being locked.

3. Once you setup a YubiKey with your Windows 10 device, which does require your system PIN, password, or even your face if it is setup to be paired, you are not asked to provide that second factor on subsequent uses of the key to log into Windows 10. This means anyone with the key could use it to log into your device. This could be of concern for some but if you do lose your YubiKey removal of the YubiKey for Windows Hello app will disable the use of that key for logging into the system.

4. As I mentioned earlier, I have setup the same YubiKey to log into three different devices plus I associated it with my LastPass account and designated it as my multi-factor authentication tool. Although use of the YubiKey can only be tied to one account on each set of hardware, using it on multiple devices or for multiple services does not appear to be a problem. That is a lot of flexibility for sure.

In the attached gallery you will see the setup screens for the YubiKey for Windows Hello App from the Windows Store and how validation works with LastPass. By the way, I tried it with the LastPass extension for the Edge, IE, Chrome, and Firefox browsers. It worked just as expected without the need for SMS or app verifications. You will find screenshots in the gallery of that process as well.

YubiKey's can be purchased on Amazon:

YubiKey 4 by Yubico for $40.00

YubiKey NEO by Yubico for $50.00

YubiKey 4 Nano by Yubico for $50.00

Additional reading from Yubico:

YubiKey Works With Windows Hello

Start Using Your YubiKey Today

How to Use Your YubiKey With the YubiKey for Windows Hello App

Windows 10 Anniversary Edition

But, wait...there's probably more so be sure to follow me on Twitter and Google+.