PowerShell · tgauth · Sep 22, 2025 · Sep 18, 2025
diff --git a/sk-usbhid.c b/sk-usbhid.c
@@ -774,9 +774,6 @@ static int
 key_lookup(fido_dev_t *dev, const char *application, const uint8_t *user_id,
     size_t user_id_len, const char *pin)
 {
-#ifdef HAVE_FIDO_DEV_IS_WINHELLO
-	return FIDO_OK;
-#else
 	fido_assert_t* assert = NULL;
 	uint8_t message[32];
 	int r = FIDO_ERR_INTERNAL;
@@ -830,7 +827,6 @@ key_lookup(fido_dev_t *dev, const char *application, const uint8_t *user_id,
 	fido_assert_free(&assert);
 
 	return r;
-#endif  /* HAVE_FIDO_DEV_IS_WINHELLO */
 }
 
 int
@@ -897,6 +893,9 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
 		goto out;
 	}
 	skdebug(__func__, "using device %s", sk->path);
+	// Windows: can skip key_lookup() as it will not be overwritten regardless, per above comment:
+	// Don't overwrite existing credentials on FIDO authenticators.
+#ifndef WINDOWS
 	if ((flags & SSH_SK_RESIDENT_KEY) != 0 &&
 	    (flags & SSH_SK_FORCE_OPERATION) == 0 &&
 	    (r = key_lookup(sk->dev, application, user_id, sizeof(user_id),
@@ -910,6 +909,7 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
 		}
 		goto out;
 	}
+#endif /* !WINDOWS */
 	if ((cred = fido_cred_new()) == NULL) {
 		skdebug(__func__, "fido_cred_new failed");
 		goto out;