Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 10:05 am

All times are UTC + 1 hour




Post new topic Reply to topic  [ 6 posts ] 
Author Message
PostPosted: Fri Sep 16, 2016 12:25 pm 
Offline

Joined: Mon Sep 05, 2016 7:30 am
Posts: 11
Does pressing the YubiKey button on YubiKey NEO cause the smart card to be removed momentarily?

If the policy on Windows is set to "lock workstation on smart card removal", pressing the YubiKey button causes workstation to lock. This is a huge caveat and practically makes all OTP functionality unusable. Tested on Windows 10 and Windows 7.

Letting the user remove smart card without locking the workstation is not possible due to policy reasons and I believe most smart card deployments use this policy.

Is there any workaround to use the OTP functionality on YubiKey NEO with smart card removal policy set?


Last edited by maggis on Fri Sep 16, 2016 1:23 pm, edited 1 time in total.

Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Fri Sep 16, 2016 12:39 pm 
Offline
Site Admin
Site Admin

Joined: Mon Dec 08, 2014 2:52 pm
Posts: 314
Hello,

You are correct. No, there is no workaround if you want to use HID interface.

If you use TOTP or HOTP you can use the Yubico Authenticator that shouldn't eject the card
https://developers.yubico.com/yubioath-desktop/


Top
 Profile  
Reply with quote  
PostPosted: Fri Sep 16, 2016 1:36 pm 
Offline

Joined: Mon Sep 05, 2016 7:30 am
Posts: 11
Disappointing. Thanks for the link, will definitely check it out, I hope it is a feasible workaround.

Do you happen to know if there is any way to use other certificate slots than 9a for things like logon on Windows? I would like to use more than the slot 9a for logon to different AD realms. Where are the slots defined? Probably in the standard but it sounds painful to find & read it all so looking for some pointers here. Will do a separate thread if no reply.


Top
 Profile  
Reply with quote  
PostPosted: Fri Sep 16, 2016 4:20 pm 
Offline
Yubico Team
Yubico Team

Joined: Thu Oct 16, 2014 3:44 pm
Posts: 349
Just as an FYI, the YubiKey 4 doesn't disconnect/reconnect like the NEO (it was designed as a monolithic firmware, so if you send an OTP it doesn't eject the smart card). It also allows certificates up to 3049 bytes (compared to 2025 bytes with the NEO, although generally not an issue unless you're using a larger private key for the CA, or your environment is very complex).

9a is for authentication, so no, you can't use other slots for domain authentication. It's possible on some other smart card manufacturers' offerings, but there is currently no vendor-specific minidriver for the YubiKey. making this impossible. You would essentially need middleware to map multiple certificates to 9a.


Top
 Profile  
Reply with quote  
PostPosted: Sun Sep 18, 2016 1:45 pm 
Offline

Joined: Mon Sep 05, 2016 7:30 am
Posts: 11
Thanks, useful information.


Top
 Profile  
Reply with quote  
PostPosted: Wed Jan 17, 2018 10:48 am 
Offline

Joined: Mon Sep 05, 2016 7:30 am
Posts: 11
For the record, I am linking to viewtopic.php?f=25&t=2764 that implements the aforementioned minidriver, with support for multiple certificates.

With important drawbacks, see for example viewtopic.php?f=26&t=2739 , by the way!


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 6 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: Google [Bot] and 7 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group