Yubico Forum

Hello all,

Maybe I'm missing something here.
I have successfully set up OTP Windows Logon on my Windows 10 machine and now, every time I log on, Windows gives me two options:

1.) Logon with username + password
2.) Logon with username + password + YubiKey plugged in

With both methods I log in to the same account.
I would understand if the OTP would *replace* my password, but as it is I need it anyway.
So, again, why should I bother?

Yeah, the latest yubico-windows-auth-3.3.7.exe does not disable default Windows 10 credential provider for logon, hence the two login options.

To list providers' GUIDs head to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers

The default one is PasswordProvider with GUID (for Win8 and Win10) {60b78e88-ead8-445c-9cfd-0b87f74ea6cd}

You can read up on disabling cred-providers through GP here: http://softwarefileprotection.com/how-t ... -interface

BTW, it's not OTP, it's HMAC-SHA1 Challenge-Response mode we're using with yubico windows auth.

Plot thickens

I was corrected that the default credential provider should not be disabled, as yubico-windows-auth registers a subauthentication module that provides yubikey authentication.

For now in Win10 the userlist is indeed doubled but BOTH LOGIN OPTIONS need Yubikey.
It doesn't matter that the first option does not display the "YubiKey Logon enabled for user" message - it's still correctly required for logon.

So, the basic functionality is there - what remains for full Win10 support is being discussed here: https://github.com/Yubico/yubico-windows-auth/issues/1

in w8 the user list is doubled as well.
if you are not using a pro version I can recommend EIDAuthenticate. it uses a smartcard for login (as we remember the yubi does smartcard and what's better, it doesnt need a config slot)
and when you use smartcard login you use a "pin" to access your acc so you can use some superstrong megapassword to get in your account in case you dont have your yubi with you.

and what's better, that just leverages some windows stuff since smartcard logon is a native windows function, albeit being usually domain-only.