windows hello yubikey

(Working) Windows Hello for Business Yubikey Login

Patrick Grubbs Consumer Protection

(Working) Windows Hello for Business Yubikey Login

Windows Hello is one of the easiest ways to add biometric security to your authentication protocols, and if you’re already using other common components of the Microsoft ecosystem for authentication (AD or Azure AD), integration is a cinch.

One of the most useful features of Windows Hello is the ability to use FIDO2 security keys, such as the Yubikey, in addition to (or as a replacement for) the primary device’s biometric hardware. It’s particularly useful in situations where devices don’t have an inbuilt biometric scanner – such as is the case in most managed device deployments.

Unfortunately, there’s two big problems with the current state of the Yubikey-Windows Hello solution. The first is that only the Yubikey 4 series keys are compatible, not the vastly superior series 5.

But that’s a moot point because of the second, much bigger, issue: Yubikey removed their Windows Hello solution from the Microsoft store in September of 2019. Because Microsoft deprecated their Companion Device Framework for Windows Hello, the integration no longer worked.

However, Windows Hello does still support FIDO2. And, in our capacity as an official Yubico Partner, SecureW2 has developed a solution for enrolling Yubikey 5 series keys for digital certificates. So, yes, it’s still possible to use Yubikeys to access Windows Hello (and Windows Hello for Business) with our solution – and our implementation comes with some significant upgrades.

Advantages of using Certificates on Yubikeys

PIV-Backed security keys like the Yubikey are an excellent tool for hardening your security because they offer an additional factor of authentication – “something you have”.

Passwords and PINs are another form of authentication – “something you know”. Since a Yubikey uses both a PIN and the physical authentication token, it has two factors of authentication, making it 2FA in and of itself.

Adding digital certificates to a Yubikey with our software adds the third and final factor of authentication – “something you are”. A digital certificate is like a photo ID: it’s tied to the identity of the user or device and can’t be transferred. It also doesn’t add any burden to the end user like a password does, preserving the user experience.

Having all three factors of authentication on a Yubikey make it a supremely secure MFA tool. Limiting network access to those with a properly configured security key makes your network virtually impenetrable.

PIV vs FIDO2 Authentication

Most enterprises prefer PIV Certificate YubiKey authentication security over FIDO2. It’s significantly simpler to manage and ties in easily with existing infrastructure.

FIDO2, on the other hand, requires you to configure your security key with each application individually. This is an especially terrible user experience when a security key gets lost, as the user has to individually set up every application all over again.

Using certificates with security keys negates all of these issues, while allowing the security key to be used for various other applications that FIDO2 doesn’t support, like VPN or Wi-Fi authentication.

Easily Install Certificates via Windows Hello on PIV-Backed Smartcards

windows hello yubikeyThere is a downside to using PIV-backed certificate authentication with a security key: it’s not easy to enroll and install a certificate. Yubikey does support digital certificate enrollment, but it needs to be done manually via command line for each security key. That’s a huge burden on IT, and it’s not just an upfront cost. Each key would need to be reconfigured individually to reflect changes in ownership, network access policy, etc.

Our Yubikey solution allows end users to easily self-enroll and configure their security keys for certificates. It also enables admins to set up group policies to manage user access and dynamically segment network resources. Certificate management is easily handled through our intuitive management portal.

Our management portal also supports security key attestation, as our software client can attest to the location a private key has been generated on a security key, or any other device with a TPM.

These same certificates can be enrolled to existing credentials, as SecureW2 integrates with any Identity Provider (Azure AD, Okta, G-Suite, etc.) so you can ensure that only your users have access to your critical applications.

Yubikey 5 Windows Hello for Business Login Configuration

Configuring your Yubikey for Windows Hello for Business authentication is also a breeze. You just have to push the configuration payload to each device, then have the user run Windows Hello normally. They will be prompted to enter a PIN, after which their inserted Yubikey will be enrolled for a certificate automatically.

Future login attempts will require a PIN or biometric authentication for the Yubikey, whichever the user sets up. In the background, however, it will also authenticate the certificate without hassling the user for more input.

This solution is ideal for enterprises and large organizations that have issued Yubikeys to their employees for secure access to email, web apps, and other services. It allows you to more fully integrate your Microsoft ecosystem with your network security. Issuing certificates to your Yubikeys with our platform also opens up other Yubikey integrations – Wi-Fi, desktop login, and VPN to name a few.

Ready to enhance your Windows Hello for Business? Click here to see our pricing.


Learn About This Author

Patrick Grubbs

Patrick is the SEO guy at SecureW2, but he enjoys writing a little too much to give it up entirely. He got his start blogging about his ever-expanding collection of succulents and cacti. His hobbies include running, gardening, playing video games, and buying tools he will never use. Special skills: 5th grade chess champion, ultra-specific color identification, clapping with one hand