Windows 10, default credential provider is available at logon #1
Comments
The security of this does not lie within the credential provider; instead, a subauthentication module is installed which should be active no matter which credential provider is used. Does it work to log in without the YubiKey using the default credential provider? |
Aah, interesting! Just like you implied, the default cred prov does detect yubikey missing, correctly preventing login. The issue must be how Win10 treats subauthentication modules then. Would you like me to rewrite the original report in this issue or should I file new one/ones? The current list of issues with Win10 is:
|
Well.. to me this issue is about the filtering to remove the default credential provider not working and can stay as that. I'm unsure about the other issues. This hasn't at all been tested on Windows 10 (barely on Windows 8).. |
So, if I understand your answer correctly, your focus here is on "filtering out" the doubled userlist entries (entry three and entry four in my example above)? I'll file another issue for the other stuff then. Thanks! |
Same issue here - logins are doubled now. Also, only on the newly created "password" accounts will a missing device lead to a correct error message. For the original account, the login won't work, but the error message shows nothing. |
I tried using this Windows Logon tool with a YubiKey 4 on Windows 10 Professional. I also saw double users. However, what's worse is that "both" users allowed me to log in without the YubiKey attached, using just my password. In other words, on Windows 10 this software (EDIT by @jeremyn: it actually does work, see #1 (comment) below) seems to provide security, but actually it does not. (The bold font is to make sure that text stands out, not to convey shouting.) Both of the below links recommend using this login software with Windows 10: https://www.yubico.com/why-yubico/for-businesses/computer-login/windows-login/ If you can't update this software, please update the text there to say it doesn't work, or at the very least that it hasn't been tested on Windows 10 as @klali wrote in #1 (comment). Providing false security is worse than nothing. This same YubiKey provides login security on a Linux system with HMAC-SHA1 Challenge-Response enabled in slot 2, so I don't think the problem is with the YubiKey itself. |
With Windows 10 local accounts this should work; if the account is a domain account or a cloud account it will not work. It's possible to turn on some rudimentary logging from the provider by setting a registry key: |
This was with a local account. I've since uninstalled the login software. Can you confirm that someone at Yubico has tested this with Windows 10 and found that it provides the intended protection? |
Yes, it's been tested by people at Yubico. The duplicated credential provider apparently happens but does require the configured YubiKey to log in. |
I installed and set up the login software again and now it seems to provide the expected protection. I was more aggressive with rebooting between steps and while testing, and maybe that made the difference. So the software is not completely broken, as it seemed to me before. I do still see the duplicate users though. Another small issue is that when trying to log in as the "YubiKey" user without my YubiKey plugged in, after I get the login failure, my password is still shown (hidden with dots) typed into the password entry field in the login page. With the regular user, my password is erased from the entry field after a failed login. Erasing is slightly better because it doesn't reveal the approximate length of my password to anyone looking at the entry field. |
Are the duplicate users going to be fixed? Also will this ever work with user accounts that use a Microsoft account? |
I'm on Windows 10 Enterprise Version 1709 OS Build 16299.309 and was experiencing this same issue. My duplicate listing was caused by: In regedit I went to After restarting Windows only the YubiKey credentials were listed, problem fixed, so far so good. Is it not possible to do this automatically in YubiKey Logon Administrator? Or is there another better way of fixing this issue? |
@jtsalva, I have tried your fix and it works. |
@kurci2 What's the exact error you're receiving? Is it possible to see a screenshot? |
@jtsalva, thank you for your reply.
|
@jtsalva, thank you for the proposed solution. |
I noticed this on Win10 Pro too - and on my system, with Yubikey login enabled for my user - the system will NOT stop me logging in if the Yubikey is absent. I noticed that if I set the Yubikey to require touch input, it would blink when logging on (e.g. the driver / auth module is running), but that Windows would give up and log in, even when I did not touch the device. |
Same problem here! I can fix the duplicate issue, thanks to jtsalva. But I can still log in without any YubiKey inserted, while YubiKey login is enabled and active! OS: Windows Pro. Local account. Should not be possible ;-) Tried reinstalling, it won't fix it. Need help / advice. Thanks! |
In Win10 both the default credential provider and the Yubico cred wrapper are available on the logon screen.
This defies using the yubi wrapper, as a potential intruder can simply select the default cred prov and authenticate without the yubi key present.
The forum post related to this issue is http://forum.yubico.com/viewtopic.php?f=23&t=2100