Skip to content
This repository has been archived by the owner. It is now read-only.

Windows 10, default credential provider is available at logon #1

Open
jedrzejsieracki opened this Issue Jan 7, 2016 · 19 comments

Comments

Projects
None yet
9 participants
@jedrzejsieracki
Copy link

jedrzejsieracki commented Jan 7, 2016

In Win10 both the default credential provider as well as yubico cred wrapper are available on logon screen.

This defies using the yubi wrapper, as potential intruder can simply select default cred prov and authenticate without the yubi key present.

The forum post related to this issue is http://forum.yubico.com/viewtopic.php?f=23&t=2100

@klali

This comment has been minimized.

Copy link
Member

klali commented Jan 8, 2016

The security of this does not lie within the credential provider, instead a subauthentication module is installed which should be active no matter which credential provider is used. Does it work to login without the yubikey using the default credential provider?

@jedrzejsieracki

This comment has been minimized.

Copy link
Author

jedrzejsieracki commented Jan 8, 2016

Aah, interesting! Just like you implied, the default cred prov does detect yubikey missing, correctly preventing login. The issue must be how Win10 treats subauthentication modules then.

Would you like me to rewrite the original raport in this issue or should I file new one/ones? The current list of issues with Win10 is:

  • Logon screen userlist is doubled, in case of two users you get four options:

    • username1
    • username2
    • Password /which leads to authenticating username1/
    • Password /which leads to authenticating username2/

    The string "Password" is actually "Hasło" in my Windows locale pl-pl, I just presume it's "Password" in en-en locale.

  • The first two login options (those with correct usernames) do not display subauthentication module's messages:

    • "YubiKey Logon enabled for user."
    • "YubiKey Logon failed, is there a YubiKey inserted?"

    Login options three and four do display those properly.

  • Login avatars for options three and four are a simple key picture, but since those options should not be visible at all in the first place, this will be of no consequence when issue #1 is dealt with.

@klali

This comment has been minimized.

Copy link
Member

klali commented Jan 8, 2016

Well.. to me this issue is about the filtering to remove the default credential provider not working and can stay as that. I'm unsure about the other issues. This hasn't at all been tested on WIndows 10 (barely on Windows 8)..

@jedrzejsieracki

This comment has been minimized.

Copy link
Author

jedrzejsieracki commented Jan 12, 2016

So, if I understand your answer correctly, your focus here is on "filtering out" the doubled userlist entries (entry three and entry four in my example above)?

I'll file another issue for the other stuff then.

Thanks!

@ambition-consulting

This comment has been minimized.

Copy link

ambition-consulting commented Aug 31, 2016

Same issue here - logins are doubled now. Also, only on the newly created "password" accounts will a missing device lead to a correct error message. For the original account, the login won't work, but the error message shows nothing.

@jeremyn

This comment has been minimized.

Copy link

jeremyn commented Feb 19, 2017

I tried using this Windows Logon tool with a YubiKey 4 on Windows 10 Professional. I also saw double users. However, what's worse is that "both" users allowed me to log in without the YubiKey attached, using just my password. In other words, on Windows 10 this software (EDIT by @jeremyn: it actually does work, see #1 (comment) below) seems to provide security, but actually it does not. (The bold font is to make sure that text stands out, not to convey shouting.)

Both of the below links recommend using this login software with Windows 10:

https://www.yubico.com/why-yubico/for-businesses/computer-login/windows-login/
https://www.yubico.com/support/knowledge-base/categories/articles/use-yubico-windows-login-tool/

If you can't update this software, please update the text there to say it doesn't work, or at the very least that it hasn't been tested on Windows 10 as @klali wrote in #1 (comment). Providing false security is worse than nothing.

This same YubiKey provides login security on a Linux system with HMAC-SHA1 Challenge-Response enabled in slot 2, so I don't think the problem is with the YubiKey itself.

@klali

This comment has been minimized.

Copy link
Member

klali commented Feb 22, 2017

With windows 10 local accounts this should work, if the account is a domain account or a cloud account it will not work.

It's possible to turn on some rudimentary logging from the provider by setting a registry key:
set HKLM\SOFTWARE\Yubico\auth\settings\loggingEnabled to 1 and a logfile should appear as c:\yubikey_logon_log.txt that might contain clues to what's happening.

@jeremyn

This comment has been minimized.

Copy link

jeremyn commented Feb 22, 2017

This was with a local account. I've since uninstalled the login software.

Can you confirm that someone at Yubico has tested this with Windows 10 and found that it provides the intended protection?

@klali

This comment has been minimized.

Copy link
Member

klali commented Feb 23, 2017

Yes, it's been tested by people at Yubico. The duplicated credential provider apparently happens but does require the configured YubiKey to login.

@jeremyn

This comment has been minimized.

Copy link

jeremyn commented Feb 25, 2017

I installed and set up the login software again and now it seems to provide the expected protection. I was more aggressive with rebooting between steps and while testing, and maybe that made the difference. So the software is not completely broken, as it seemed to me before.

I do still see the duplicate users though. Another small issue is that when trying to log in as the "YubiKey" user without my YubiKey plugged in, after I get the login failure, my password is still shown (hidden with dots) typed into the password entry field in the login page. With the regular user, my password is erased from the entry field after a failed login. Erasing is slightly better because it doesn't reveal the approximate length of my password to anyone looking at the entry field.

@jeremyarzuaga

This comment has been minimized.

Copy link

jeremyarzuaga commented Mar 13, 2018

Is the duplicate users going to be fixed? Also will this ever work with user accounts that use a Microsoft account?

@jtsalva

This comment has been minimized.

Copy link

jtsalva commented Mar 17, 2018

I'm on Windows 10 Enterprise Version 1709 OS Build 16299.309 and was experiencing this same issue.

My duplicate listing was caused by:
1) PasswordProvider {0f33b914-4f18-4824-8880-29bbe2e05179}
2) YubiKeyWrapExistingCredentialProvider {0f33b914-4f18-4824-8880-29bbe2e05179}

In regedit I went to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{60b78e88-ead8-445c-9cfd-0b87f74ea6cd} made a DWORD named Disabled and set the value to 1

capture

After restarting Windows only the YubiKey credentials were listed, problem fixed, so far so good.

Is it not possible to do this automatically in YubiKey Logon Administrator? Or is there another better way of fixing this issue?

jtsalva added a commit to jtsalva/yubico-windows-auth that referenced this issue Mar 17, 2018

jtsalva added a commit to jtsalva/yubico-windows-auth that referenced this issue Mar 17, 2018

@kurci2

This comment has been minimized.

Copy link

kurci2 commented Mar 19, 2018

@jtsalva, I have tried your fix and it works.
But I have some other issues which emerged.
I have BitLocker security with long password and have enabled Auto Login on boot for my Local user account. So after I unlock BitLocker I just plug in my Yubikey and I was automatically logged in. After that i would lock my account and need both Yubikey and passord to unlock it.
After using your fix the auto login feature no longer works.
If you go: Run --> "control userpasswords2" and uncheck "Users must enter a user name and password to use this computer" and then enter your username and password after you click OK you will find that the account won't auto login, because account is not recognised at login screen.
Is there any other way to enable autologin after applying your fix?
Thank you!

@jtsalva

This comment has been minimized.

Copy link

jtsalva commented Mar 19, 2018

@kurci2 What's the exact error you're receiving? Is it possible to see a screenshot?

@kurci2

This comment has been minimized.

Copy link

kurci2 commented Mar 19, 2018

@jtsalva, thank you for your reply.
I do not acctually get any error. Windows just does not log in. Here are two examples.

  1. Your registry entry set to 0, Yubikey plugged in and auto login set.
    When start up windows logs into my account.
  2. Your registry entry set to 1, Yubikey plugged in and auto login set.
    When start up windows hangs at login screen prompting me to enter my username and password.
@jtsalva

This comment has been minimized.

Copy link

jtsalva commented Mar 19, 2018

@kurci2
If you enable the default password provider HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{60b78e88-ead8-445c-9cfd-0b87f74ea6cd} by deleting the Disabled key or setting the value to 0
a

Then disable the Yubikey wrapper credential HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{0f33b914-4f18-4824-8880-29bbe2e05179} by making a DWORD named Disabled and setting the value to 1.
b

Your auto login should work. The only downsides I've come across is the messages on the login screen such as Yubikey logon is enabled for this user aren't displayed, and the error message given the correct password but missing Yubikey will be blank.

The Yubikey is still required to login so I don't think it's much of a problem.

@kurci2

This comment has been minimized.

Copy link

kurci2 commented Mar 20, 2018

@jtsalva, thank you for proposed solution.
It is good enough for me. I know why the blank error is there if there is no Yubikey plugged in so no problem.
I hope that the problem will get a proper fix (if possible) some day.
All the best!

@pcjc2

This comment has been minimized.

Copy link

pcjc2 commented Mar 21, 2018

I noticed this on Win10 Pro too - and on my system, with Yubikey login enabled for my user - the system will NOT stop me logging in if the Yubikey is absent.

I noticed that if I set the Yubikey to require touch input, it would blink when logging on (e.g. the driver / auth module is running), but that Windows would give up and log in, even when I did not touch the device.

@4S3C

This comment has been minimized.

Copy link

4S3C commented May 1, 2018

Same problem here!

I can fix the duplicate issue , thanks2 Jsalva.

But i still can login without any Yubikey inserted. while Yubikey login is enabled and active!

Os : Windows Pro. Local Account.

Schould not be possible ;-)

Tried reinstall , wont fixed it.

Need help / advise.

Thanks!

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
You can’t perform that action at this time.