Windows 10: Securely Login to Local Accounts with YubiKey Security Key in Windows

How to: Securely Login to Local Accounts with YubiKey Security Key in Windows

How to Securely Login to Local Accounts with YubiKey Security Key in Windows 7, Windows 8, and Windows 10


Yubico Login for Windows application provides a simple and secure way for YubiKey users to securely access their local accounts on Windows computers.

The primary benefits of Yubico Login for Windows include:

• Highly secure and easy-to-use multi-factor authentication (MFA) for login using local accounts to Windows workstations
• Simple configuration for up to 10 individual users
• Fast enrollment for backup YubiKeys
• Easy recovery mechanisms for lost YubiKeys

Yubico Login for Windows is designed to provide strong MFA for logging into local accounts on Windows 7, Windows 8.1 or Windows 10 computers. It is not suited for logging into any of the following accounts: Azure Active Directory (AAD), Active Directory (AD), Microsoft accounts.

See also: Yubico Login for Windows Configuration Guide | Yubico support

Once you have Yubico Login setup and configured for a local account on the computer, the user will be required to connect the YubiKey security Key before typing their user name and password credentials to log in to Windows.

This tutorial will show you how to set up Yubico Login to login to a local account with a YubiKey security key in Windows 7, Windows 8, and Windows 10.

Local accounts can be accessed remotely via methods such as remote desktop software, SSH, or authentication via the Microsoft Server Message Block (SMB) protocol. Yubico Login for Windows does not secure those non-local forms of login to local accounts.


You must be signed in as an administrator to install and configure Yubico Login for Windows for any local accounts (standard user or administrator) on the computer.

Uninstalling Yubico Login for Windows will undo and remove the YubiKey security key requirements for all local accounts on the Windows computer.


EXAMPLE: Yubico Login for Windows













Here's How:

1 Download and install the same 32-bit or 64-bit version of 32-bit or 64-bit Windows. (see screenshot below)

You will be required to restart the computer after installing Yubico Login for Windows.




2 Open the Yubico Login Configuration app. (see screenshot below)



3 Click/tap on Next. (see screenshot below)



4 Make any changes you want to the settings, and click/tap on Next. (see screenshot below)

Slots: Select the slot where the challenge-response secret will be stored. All YubiKeys that have not been customized come pre-loaded with a credential in slot 1, so if you are using Yubico Login for Windows to configure YubiKeys that are already being used for logging into other accounts, do not overwrite slot 1.

Challenge/Response Secret: This item enables you to specify how the secret will be configured and where it will be stored. The options are:

Use existing secret if configured - generate if not configured: The key’s existing secret will be used in the specified slot. If the device has no existing secret, the provisioning process will generate a new secret.
Generate new, random secret, even if a secret is currently configured: A new secret will be generated and programmed to the slot, overwriting any previously configured secret.
Manually input secret: For advanced users: During the provisioning process, the application will prompt you to input manually an HMAC-SHA1 secret (20 bytes - 40 characters hex-encoded).

Generate Recovery Code: For each user provisioned, a new recovery code will be generated. This recovery code enables the end-user to log in to the system if they have lost their YubiKey. For more information, refer to the description of the Recovery Code above.

Note: If you select to save a recovery code while provisioning a user for a second key, any previous recovery code becomes invalid, and only the new recovery code will work.

Create Backup Device for Each User: Use this option to have the provisioning process register two keys for each user, a primary YubiKey and a backup YubiKey. If you do not want to provide recovery codes to your users, it is good practice to give each user a backup YubiKey. For more information, refer to the Primary and Backup Keys section above.




5 Select (check) the local account for the user you want to configure, and click/tap on Next. (see screenshot below)

Local accounts that currently have YubiKeys registered and are enabled for Yubico Login for Windows have an asterisk (*) next to the respective usernames. You can add additional YubiKeys for users already configured by selecting the users here.




6 When prompted, insert (connect) a YubiKey security key to the computer to configure it for this user account. (see screenshot below)

[/INDENT

7 Click/tap on Next. (see screenshot below)

The Programming Device page displays the progress of programming each YubiKey. The Device Confirmation page shown below displays the details of the YubiKey detected by the provisioning process, including the device serial number (if available) and the configuration status of each One-Time Password (OTP ) slot. If there are conflicts between what you have set as defaults and what is possible with the detected YubiKey, a warning symbol is displayed. If everything is good to go, a check mark will be shown. If the status line shows an error icon, the error is described and instructions for fixing it are displayed on the screen.




8 When programming the YubiKey has finished for the user account, you will be prompted to remove (disconnect) the Yubikey from the computer.



9 Click/tap on Finish. (see screenshot below)

The selected local account can no longer be accessed without this corresponding YubiKey connected while logging in to Windows.





That's it,
Shawn


Related Tutorials

• How to Set Up Security Key to Log into Apps in Windows 10
• How to Sign in to Windows 10
• How to Enable or Disable Secure Sign-in with Ctrl+Alt+Delete in Windows 10
• How to Automatically Sign in to User Account at Startup in Windows 10
• How to Turn On or Off Require Sign-in on Wakeup in Windows 10

:)​

 

Yubico Login for Windows Now Generally Available

New tutorial: *Smile

Securely Login to Local Accounts with YubiKey Security Key in Windows

 

Windows Security pop up for YubiKey authentication on local webserver

I've been making a website that allows you authenticate your account using a yubikey. Before the 1903 feature update, I would login into the local website and insert the security key with no problem. Now when I do it, I get this "Windows Security Making
sure it's you. Please authenticate for https://192.168.1.200.. Please insert the correct security key" pop up. I'll attach an image to get a better picture.

I've looked at several posts about what to do such as this one with no luck adding the ip address in the local intranet or Trusted sites tab under internet options. Disable "These files might be harmful to your computer" warning?





I'd like to either disable Windows Security or somehow make some sort of exception for this website that's on my local network on my windows 10 device.

 

Yubico Login for Windows Now Generally Available

Source: Yubico Login for Windows Now Generally Available | Yubico

How to Set Up Security Key to Log into Apps in Windows 10

How to Set Up Security Key to Sign in to Microsoft Account in Microsoft Edge

 

Security Key Blocked

I have a problem with setting up security key with windows and microsoft account. During adding a key to microsoft account it asked me for pin. I entered PIN (for just testing I am using default pin for my yubikey). After couple tries it blocked. I do
not know what to do. Yubikey Manager works fine and logins for other sites to.

 

Security Key

Some tentative suggestions -
1 Perhaps you mean the 'Security key' for a WiFi network?
2 Perhaps you mean the 'Security key' for your router's Admin functions that is controlling your WiFi network?
3 Perhaps you mean your Windows user account login 'password' or a 'PIN' that you have set it up to accept instead?

Denis