Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 11:27 am

All times are UTC + 1 hour




Post new topic Reply to topic  [ 4 posts ] 
Author Message
PostPosted: Fri Nov 20, 2015 2:03 am 
Offline

Joined: Fri Nov 20, 2015 1:48 am
Posts: 1
Hello all,

Maybe I'm missing something here.
I have successfully set up OTP Windows Logon on my Windows 10 machine and now, every time I log on, Windows gives me two options:

1.) Logon with username + password
2.) Logon with username + password + YubiKey plugged in

With both methods I log in to the same account.
I would understand if the OTP would *replace* my password, but as it is I need it anyway.
So, again, why should I bother?


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Thu Jan 07, 2016 3:30 pm 
Offline

Joined: Thu Jan 07, 2016 1:41 pm
Posts: 2
wkleinschmit wrote:
every time I log on, Windows gives me two options:

1.) Logon with username + password
2.) Logon with username + password + YubiKey plugged in

With both methods I log in to the same account.

Yeah, the latest yubico-windows-auth-3.3.7.exe does not disable default Windows 10 credential provider for logon, hence the two login options.

To list providers' GUIDs head to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers

The default one is PasswordProvider with GUID (for Win8 and Win10) {60b78e88-ead8-445c-9cfd-0b87f74ea6cd}

You can read up on disabling cred-providers through GP here: http://softwarefileprotection.com/how-t ... -interface

BTW, it's not OTP, it's HMAC-SHA1 Challenge-Response mode we're using with yubico windows auth.


Top
 Profile  
Reply with quote  
PostPosted: Fri Jan 08, 2016 11:55 am 
Offline

Joined: Thu Jan 07, 2016 1:41 pm
Posts: 2
Plot thickens :)

I was corrected that the default credential provider should not be disabled, as yubico-windows-auth registers a subauthentication module that provides yubikey authentication.

For now in Win10 the userlist is indeed doubled but BOTH LOGIN OPTIONS need Yubikey.
It doesn't matter that the first option does not display the "YubiKey Logon enabled for user" message - it's still correctly required for logon.

So, the basic functionality is there - what remains for full Win10 support is being discussed here: https://github.com/Yubico/yubico-windows-auth/issues/1


Top
 Profile  
Reply with quote  
PostPosted: Thu Feb 04, 2016 2:19 pm 
Offline

Joined: Tue Feb 02, 2016 9:23 pm
Posts: 58
in w8 the user list is doubled as well.
if you are not using a pro version I can recommend EIDAuthenticate. it uses a smartcard for login (as we remember the yubi does smartcard and what's better, it doesnt need a config slot)
and when you use smartcard login you use a "pin" to access your acc so you can use some superstrong megapassword to get in your account in case you dont have your yubi with you.

and what's better, that just leverages some windows stuff since smartcard logon is a native windows function, albeit being usually domain-only.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 4 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group