Yubico Forum

I live and breath by my Yubikey, and now I can add the same level of security to my desktop as I do with my Lastpass.

There is a slight hiccough though, with the state of the Yubikey Windows Login Administration, there is no remote support from the remote PC.

I would like to use RDP to connect to my remote computer, but my remote computer doesn't recognize the local yubikey.

I was just making my way to use th Yubico way of logging into a workstation. We use RDP (MSTSC) alot for remote work. So the Yubikey isn't used with the USB Keyboard device way.

Currently we use http://www.rohos.com/support/knowledge-base/windows-logon-with-yubikey/ which does work with Yubikey. It's paid software

Should it be able to use Yubikey with challenge response in the future ? When starting RDP you the 'default' for smartcards is allway's enabled? Perhaps the Yubikey should present itself as a USB SmartCard, so the RDP client can pass trough the Challenge Response over this SmartCard way of doing things.


Regards Onedutch

Challenge-response mode over RDP can never work, at least not without very major changes to yubikey or by using different client-side RDP software. Smart cards work extremely differently than yubikey OTP or C/R mode, in terms of cryptography and also interface. There's no way to make a yubikey "look like" a smart card.

Even if one day some yubico product might support public key crypto, it would essentially have to *be* a smart card, in every true sense, in order to authenticate this way using default RDP software.

The alternative if you need remote logon working is simply to use OTP mode instead of C/R mode. All the other logon solutions for yubikey support this mode. Yubico's stance (correct) is that this leads to less endpoint security since the shared secret must be stored on the workstation. But if you encrypt your drive this is somewhat mitigated.

Also in terms of security, the yubico windows logon software has a very long way to go in terms of security best practices. Right now the software is making a lot of rookie security mistakes. But I'm sure over time it will improve, as free solutions do, slowly.