Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 11:34 am

All times are UTC + 1 hour




Post new topic Reply to topic  [ 8 posts ] 
Author Message
 Post subject: Setting up Win10 Hello
PostPosted: Sat Jan 07, 2017 1:17 pm 
Offline

Joined: Mon Jun 27, 2016 9:25 pm
Posts: 3
Hi,

I've been waiting for this app since it was teased on Yubico's blog a few months ago. I believe it has the potential to solve many concerns about secure logon with desktop computers. The MacOS app is almost there, too (though quite not, but that's a different topic).

However, I am having trouble with the setup of this Win10 Hello app. Apparently, my Yubikey can't be used this way because I have set up a pin to protect it against unwanted modifications. This is documented as a Known Issue right on the product page:
https://www.yubico.com/support/knowledg ... hello-app/
However, the message displayed by the Hello app itself doesn't match what is described in that page; since I don't want to be locked out of my session, I am not going to try.

But most worrying is this other known issue:
Quote:
There is currently no way to require the YubiKey to unlock your system — you can always access your account using your PIN or password.

I'd love to have a time frame on this because, as I understand it, this issue renders the whole thing completely useless. I hope I am mistaken or that it will be solved very soon?

Thanks,


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Sun Jan 08, 2017 11:49 pm 
Offline
Yubico Team
Yubico Team

Joined: Thu Oct 16, 2014 3:44 pm
Posts: 349
You can't lock yourself out of your account by setting up Windows Hello - you can still log in with your password or your PIN.

Currently a Windows limitation, no ETA (up to Microsoft). Given the current limitations of the CDF, this app is for convenience.


Top
 Profile  
Reply with quote  
PostPosted: Sat Feb 11, 2017 10:25 pm 
Offline

Joined: Sat Feb 11, 2017 10:01 pm
Posts: 2
Does the Hello app use one of the two slots of a Yubikey 4? If not, where does it store its data? Will it overwrite anything on the Yubikey?

I get the message "An error has occurred. Try again. Insert one valid YubiKey, then press Continue." when I try to add a Yubikey to the app. I am using Windows 10 Home edition and I haven't used Yubico Authenticator. Is there any way to tell what the problem is?


Top
 Profile  
Reply with quote  
PostPosted: Sun Feb 12, 2017 9:46 am 
Offline
Yubico Team
Yubico Team

Joined: Thu Oct 16, 2014 3:44 pm
Posts: 349
No, it uses the OATH applet, same as Yubico Authenticator. CCID mode has to be enabled in order to register a YubiKey 4/NEO, and you have to make sure a password isn't set in Yubico Authenticator. "An error has occurred" doesn't help much, it's a generic error. The only way I can get that is if I pull the YubiKey while the app is trying to communicate with it.


Top
 Profile  
Reply with quote  
PostPosted: Sun Feb 12, 2017 7:42 pm 
Offline

Joined: Sat Feb 11, 2017 10:01 pm
Posts: 2
Thanks for the info Chris... after doing a little searching around I found that the smart card can't be used by more than one applet at once:

viewtopic.php?f=26&t=1869
viewtopic.php?f=35&t=2231

In my case, scdaemon which is used for SSH/PGP stuff was apparently blocking the app from using the OATH applet. After killing scdaemon (and adding card-timeout) I was able to register the Yubikey with the app. However it's a bit flaky. Sometimes one of the two features doesn't work, and sometimes errors like "ERR 100663404 Card error <SCD>" appear in the scdaemon log. Removing the card and re-inserting it sometimes makes it behave, but sometimes it stays broken. In any case, maybe you can get someone to add info about the usage conflict into the docs.


Top
 Profile  
Reply with quote  
PostPosted: Wed Nov 01, 2017 11:34 am 
Offline

Joined: Tue Feb 02, 2016 9:23 pm
Posts: 58
ChrisHalos wrote:
No, it uses the OATH applet, same as Yubico Authenticator.

stupid question, why doesnt it just use U2F?


Top
 Profile  
Reply with quote  
PostPosted: Thu Nov 02, 2017 4:37 am 
Offline
Yubico Team
Yubico Team

Joined: Thu Oct 16, 2014 3:44 pm
Posts: 349
My1 wrote:
ChrisHalos wrote:
No, it uses the OATH applet, same as Yubico Authenticator.

stupid question, why doesnt it just use U2F?


That would be a question for Microsoft. I have no idea why they decided to have Windows Hello support OATH and not U2F :)


Top
 Profile  
Reply with quote  
PostPosted: Thu Nov 02, 2017 7:35 am 
Offline

Joined: Tue Feb 02, 2016 9:23 pm
Posts: 58
Okay i would have thought that hello similar to in earlier versions supports arbitrary auth providers as long as the provider does its stuff, lol

Although they imo should really support either smart card ro u2f on standalone pcs.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 8 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 0 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group