I have been trying to set up YubiKey (5 NFC) + YubiKey PIN for low-friction, secure Windows 11 Pro logon. Let's call this YPIN.
This is no easy thing: There is no unified front-end that exposes setting this up, with feedback on errors. Instead, there are multiple workflows with unique limitations and requirements and little, often fragmented and outdated information.
Over the past week, I tried and then eventually abandoned:
1) Plug and play YPIN in Windows 11 Pro.
Not a thing. There is no out-of-the-box support.
2) YPIN using YubiKey for Windows Hello, an MS Store applet from Yubico itself.
This was abandoned several years ago. It is still floating about the net, but now with certifications signed by unknown third parties. No, thank you.
3) YPIN using a Microsoft Account (MSA).
Only for institutional accounts, as it relies on MS cloud infrastructure. So, if you've got a personal MSA, you're out of luck.
4) Yubico Login for Windows app for local accounts.
That is for username + password + YubiKey as mandatory 2FA. So, same as normal login but with a YubiKey as an additional logon requirement. Arguably higher friction, certainly not lower.
5) YPIN using YubiKeys as a smart card.
IIUC, this is limited to Pro and various institutional variations. There is no front-end to handle the entire process. Setting this up, in practice, is a manual workflow of apps and command line actions, with a deep, miserable dive to figure out where the issues are if any of the requirements are not configured exactly right, either by you or out of the box. And everything, being highly controlled of course, is naturally very, very fragile.
I'm stuck on 5, which seems the only option.
Rather than enumerating the exact procedure I have gone through, trying to troubleshoot it, has anyone here set up YubiKey/Smart Card for Win 11 Pro Logon? I've restored Windows to a clean state, and if you've got a procedure that works, I'd love to hear it.
Question
mfessler 0
Cheers.