Hands On: YubiKey and Windows Hello

Richard Hay, Senior Content Producer

January 18, 2017


 

Windows Hello is one of my favorite features in Windows 10.

Having the ability to use biometrics to validate my identity for access to my Windows 10 devices is not only a whiz-bang neat feature but it is also very secure. By providing my fingerprint or face for scanning, I associate those unique personal features with my Windows 10 login account for an added level of security, whether I am on my machines at home or on the road for work.

No one can watch me type a password over my shoulder and there is no need to write down a password somewhere to remember it either.

Last week Microsoft bragged a little bit about Windows Hello and the fact that almost 100 biometric devices are now available in the marketplace for Windows 10, which means there are many options available. Personally, I have used both facial recognition and fingerprint readers to use Windows Hello on all of my Windows 10-based devices, and the convenience of easily logging into my systems cannot be overstated.

Plus, as I mentioned earlier, it is a very secure method of identity verification that is unique to you.

However, one of the many options that Microsoft mentioned last week in their blog post was Yubico's YubiKey. Curiosity about how this solution would work with Windows Hello and for other multi-factor authentication purposes got the best of me and I ordered one for testing. I decided on the YubiKey NEO, which retails for $50, because it supports both USB and NFC as connection options and for further testing.

YubiKey NEO

Yubico explained how their keys worked with Windows Hello last September in a company blog post right after the Windows 10 Anniversary Update, which implemented more user verification options and standards-based authentication, was released:

"In Windows 10 language, Microsoft will support both key-based and certificate-based authentication. Key-based authentications are equal to the FIDO model of public key cryptography; while certificate-based authentication relates to smart cards and PKI. Enterprises that don’t use PKI, or want to minimize reliance on certificates, are prime converts for key-based Windows 10 authentication credentials. With a design focused on ease-of-use, it’s a natural place for end users to finally duck behind the protection of strong authentication.

The YubiKey is a versatile authentication device that is built for this environment. Our strategy around strong authentication includes supporting many standards-based authentication protocols for host-based and cloud-based services. Today, users of services such as Google, Dropbox, and GitHub have access to FIDO-based strong authentication with the YubiKey."

In order to use YubiKey as a Windows Hello authentication device you do not actually use the Windows Hello settings in Windows 10 but download a separate app from the Windows Store called YubiKey for Windows Hello.

This app will take you step by step to getting your YubiKey working with Windows Hello so that when you walk up to your device and plug in the key it will authenticate your identity and log you into Windows 10.

After testing this on two desktops running Windows 10 Version 1607, aka the Anniversary Update, and an HP Spectre x360 running Windows 10 Redstone 2 Fast Ring builds, I do have a few observations.

1. The YubiKey NEO key is slow to log you into Windows 10 unless you swipe on the screen, or tap any key, to open up the login page. Yubico knows this is an issue with the NEO key versus the YubiKey 4, a USB-only device.

2. I fully expected to be logged off my Windows 10 system when I pulled the YubiKey NEO out of the USB port; however, that does not happen. You either have to lock the system yourself or let the settings on the OS itself dictate when the screen is locked. By default, I think removal of the YubiKey, which was used to validate my identity to the system, should result in the system being locked.

3. Once you set up a YubiKey with your Windows 10 device, which does require your system PIN, password, or even your face if it is set up to be paired, you are not asked to provide that second factor on subsequent uses of the key to log into Windows 10. This means anyone with the key could use it to log into your device. This could be of concern for some, but if you do lose your YubiKey, removal of the YubiKey for Windows Hello app will disable the use of that key for logging into the system.

4. As I mentioned earlier, I have set up the same YubiKey to log into three different devices, plus I associated it with my LastPass account and designated it as my multi-factor authentication tool. Although use of the YubiKey can only be tied to one account on each set of hardware, using it on multiple devices or for multiple services does not appear to be a problem. That is a lot of flexibility for sure.
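
For the behavior in observation 2, one workaround is to watch for the key's removal and lock the session yourself. The following PowerShell sketch is an added example, not part of the YubiKey for Windows Hello app or anything Yubico ships. It assumes Yubico's USB vendor ID (1050) and must be left running in the logged-in user's PowerShell session; the `YubiKeyRemoved` identifier is an arbitrary name chosen here.

```powershell
# Added example: lock the workstation when a Yubico USB device is unplugged.
# Assumption: the key enumerates under USB vendor ID 1050 (Yubico).

# WQL query: fire when a PnP entity whose DeviceID starts with USB\VID_1050
# disappears. The backslash is doubled for WQL, and [_] matches a literal
# underscore (a bare _ is a single-character wildcard in LIKE).
$query = @"
SELECT * FROM __InstanceDeletionEvent WITHIN 2
WHERE TargetInstance ISA 'Win32_PnPEntity'
  AND TargetInstance.DeviceID LIKE 'USB\\VID[_]1050%'
"@

$action = {
    # The removed device is carried in the event's TargetInstance.
    $deviceId = $Event.SourceEventArgs.NewEvent.TargetInstance.DeviceID
    Write-Host "Removed: $deviceId - locking workstation"

    # Pass the DLL and entry point as one quoted argument so PowerShell
    # does not split it at the comma.
    Start-Process -FilePath "$env:SystemRoot\System32\rundll32.exe" `
                  -ArgumentList 'user32.dll,LockWorkStation'
}

# Subscribe in the default root/cimv2 namespace; polls every 2 seconds.
Register-CimIndicationEvent -Query $query `
                            -SourceIdentifier 'YubiKeyRemoved' `
                            -Action $action | Out-Null

# To stop watching:
# Unregister-Event -SourceIdentifier 'YubiKeyRemoved'
```

A composite device such as the NEO can raise more than one removal event, so the lock call may run several times; repeating it is harmless. The subscription ends when the PowerShell session closes.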

In the attached gallery you will see the setup screens for the YubiKey for Windows Hello App from the Windows Store and how validation works with LastPass. By the way, I tried it with the LastPass extension for the Edge, IE, Chrome, and Firefox browsers. It worked just as expected without the need for SMS or app verifications. You will find screenshots in the gallery of that process as well.

YubiKeys can be purchased on Amazon:

YubiKey 4 by Yubico for $40.00

YubiKey NEO by Yubico for $50.00

YubiKey 4 Nano by Yubico for $50.00

Additional reading from Yubico:

YubiKey Works With Windows Hello

Start Using Your YubiKey Today

How to Use Your YubiKey With the YubiKey for Windows Hello App

Windows 10 Anniversary Edition

But, wait...there's probably more so be sure to follow me on Twitter and Google+.

 

About the Author

Richard Hay

Senior Content Producer, IT Pro Today (Informa Tech)

I served for 29 plus years in the U.S. Navy and retired as a Master Chief Petty Officer in November 2011. My work background in the Navy was telecommunications related so my hobby of computers fit well with what I did for the Navy. I consider myself a tech geek and enjoy most things in that arena.

My first website – AnotherWin95.com – came online in 1995. Back then I used GeoCities Web Hosting for it and WindowsObserver.com is the result of the work I have done on that site since 1995.

In January 2010 my community contributions were recognized by Microsoft when I received my first Most Valuable Professional (MVP) Award for the Windows Operating System. Since then I have been renewed as a Microsoft MVP each subsequent year since that initial award. I am also a member of the inaugural group of Windows Insider MVPs which began in 2016.

I previously hosted the Observed Tech PODCAST for 10 years and 317 episodes and now host a new podcast called Faith, Tech, and Space. 

I began contributing to Penton Technology websites in January 2015 and in April 2017 I was hired as the Senior Content Producer for Penton Technology which is now Informa Tech. In that role, I contribute to ITPro Today and cover operating systems, enterprise technology, and productivity.

https://twitter.com/winobs
