Yubico Forum

There are good starting points:

http://msdn.microsoft.com/en-us/library/aa380543(VS.85).aspx

But are GINA DLLs ignored in Windows Vista?

How promising is pGINA? http://www.pgina.org/

Typically we just need to implement a CSP for a device and Windows login promot should be able to pick it up from there, will that work for YubiKey?

_________________
The YubiKey Server Guy

One note here is that if you use a yubikey in "static OTP" mode, which is possible from firmware v1.3, it will be possible to use with any existing password-based Windows login. Just change your Windows password to the static OTP.

/Simon

My company has done this:

http://AuthLite.com

Thanks! This is exactly the kind of efforts that we from Yubico wants to encourage, companies should be able to develop applications or integration components and bundle them with yubikeys as a value-added service. Yubico isn't a integration company, so this co-operation is excellent for us. We have many potential customers asking for Windows login, and if you or someone else develops a solution for it, we'll send these customers your way.

/Simon

Yeah well we are also happy to let the customers get keys directly from Yubico, and just license the software. A better value for end users since they don't have to pay a percentage to us for the hardware.

Simon (et al) could you post any details about requests you've received? "log in to windows" is a very broad thing. I'm assuming most people want to do this in an organization and log in to active directory. But also some people may want to do this on their home (standalone) machines... I'm sure my fellow "Security Now" listeners probably fall into this "enthusiast" category..

So any details will be very helpful as we do development.

In general it is like using a PC similar to using an ATM machine. Plug in the token, enter a simple/short PIN then you are in.

The requests on Windows login go into 2 camps as you may already knew:

* Secure an enterprise PC:

2nd-factor strong auth is the selling point. The PC can be online connected to a corp AD as well as off-line when you are travelling.

* Secure a personal PC:

Convenience is the driver. People do not want to leave the PC w/o a password
but do not like the hassle of remmebering & typing the password.

_________________
The YubiKey Server Guy

The only ways I can think of to allow offline access would be:

1) Have the AES key in the machine's TPM store, and log on with local validation. Neat but it's hard to administer because it requires a secure authority to visit each laptop and commit the AES key to storage.

2) Just look at the public ID of the yubikey since we can't decrypt it without access to the AD server.

3) The default-- don't require yubikey to log in locally, but when we get back to the domain and try to access net resources, do the OTP then.
----

This is the reason I want to have these discussions here. Using symmetric encryption can be tricky because storage of the secret becomes important, and because it's impossible to evaluate the identity without knowledge of the secret or connection to (in this case) the domain.

Or, were you talking about having the OTP validation connect out to a publically available server such as the Yubico one? But I bet enterprises will not want to trust their identity security to an external company.

I look forward to responses; trying to generate some good ideas and discussion so the product is as good as possible.

Right. I suspect that our "static OTP" yubikey will be a simpler solution for this camp.

I've asked the people who want "windows login" what they mean, but it seems there are soo many things they can mean that I lose track. I'm not a windows expert. Some are using Active Directory, which if I understand correctly, would mean that it is the server that needs to become yubikey-aware and not the client (or possibly both).

Doesn't windows support radius for login authentication? If so, getting it to work should be relatively easy, at least for demonstration purposes, via our Pam module and FreeRadius.

/Simon

That is certainly an easy solution. I'm interested to see if the AES key can be pushed into the TPM chip and that way use the key in OTP mode.



For logon to AD workstations, it's definitely both. The interface needs to change on the client, and there needs to be quite a lot of infrastructure code on the domain side.

But there are other scenarios. The first simple one we are supporting is to use the yubikey as a second factor to log in to the extranet, preventing remote password attacks and access. This solution would not change the way authentication to the workstations happens, only remote web authentication and VPN.

I'm just trying to get a feel for what the priorities are of the community (potential customers)

Simon if you don't want to field questions about Windows directly feel free to forward them to me at greg@collectivesoftware.com

Cheers!