This repository has been archived by the owner on Mar 20, 2019. It is now read-only.

Windows 10, default credential provider is available at logon #1

Open
jedrzejsieracki opened this issue Jan 7, 2016 · 19 comments

Comments

@jedrzejsieracki

In Win10 both the default credential provider as well as the Yubico cred wrapper are available on the logon screen.

This defeats using the YubiKey wrapper, as a potential intruder can simply select the default cred prov and authenticate without the YubiKey present.

The forum post related to this issue is http://forum.yubico.com/viewtopic.php?f=23&t=2100

@klali
Member

klali commented Jan 8, 2016

The security of this does not lie within the credential provider, instead a subauthentication module is installed which should be active no matter which credential provider is used. Does it work to login without the yubikey using the default credential provider?

@jedrzejsieracki
Author

Aah, interesting! Just like you implied, the default cred prov does detect the YubiKey missing, correctly preventing login. The issue must be how Win10 treats subauthentication modules then.

Would you like me to rewrite the original report in this issue or should I file a new one/ones? The current list of issues with Win10 is:

  • Logon screen userlist is doubled, in case of two users you get four options:

    • username1
    • username2
    • Password /which leads to authenticating username1/
    • Password /which leads to authenticating username2/

    The string "Password" is actually "Hasło" in my Windows locale pl-pl, I just presume it's "Password" in en-en locale.

  • The first two login options (those with correct usernames) do not display subauthentication module's messages:

    • "YubiKey Logon enabled for user."
    • "YubiKey Logon failed, is there a YubiKey inserted?"

    Login options three and four do display those properly.

  • Login avatars for options three and four are a simple key picture, but since those options should not be visible at all in the first place, this will be of no consequence when issue Windows 10, default credential provider is available at logon #1 is dealt with.

@klali
Member

klali commented Jan 8, 2016

Well.. to me this issue is about the filtering to remove the default credential provider not working, and it can stay as that. I'm unsure about the other issues. This hasn't at all been tested on Windows 10 (barely on Windows 8)..

@jedrzejsieracki
Author

So, if I understand your answer correctly, your focus here is on "filtering out" the doubled userlist entries (entry three and entry four in my example above)?

I'll file another issue for the other stuff then.

Thanks!

@ambition-consulting

Same issue here - logins are doubled now. Also, only on the newly created "password" accounts will a missing device lead to a correct error message. For the original account, the login won't work, but the error message shows nothing.

@jeremyn

jeremyn commented Feb 19, 2017

I tried using this Windows Logon tool with a YubiKey 4 on Windows 10 Professional. I also saw double users. However, what's worse is that "both" users allowed me to log in without the YubiKey attached, using just my password. In other words, on Windows 10 this software (EDIT by @jeremyn: it actually does work, see #1 (comment) below) seems to provide security, but actually it does not. (The bold font is to make sure that text stands out, not to convey shouting.)

Both of the below links recommend using this login software with Windows 10:

https://www.yubico.com/why-yubico/for-businesses/computer-login/windows-login/
https://www.yubico.com/support/knowledge-base/categories/articles/use-yubico-windows-login-tool/

If you can't update this software, please update the text there to say it doesn't work, or at the very least that it hasn't been tested on Windows 10 as @klali wrote in #1 (comment). Providing false security is worse than nothing.

This same YubiKey provides login security on a Linux system with HMAC-SHA1 Challenge-Response enabled in slot 2, so I don't think the problem is with the YubiKey itself.

@klali
Member

klali commented Feb 22, 2017

With windows 10 local accounts this should work, if the account is a domain account or a cloud account it will not work.

It's possible to turn on some rudimentary logging from the provider by setting a registry key:
set HKLM\SOFTWARE\Yubico\auth\settings\loggingEnabled to 1, and a logfile should appear as c:\yubikey_logon_log.txt that might contain clues to what's happening.

@jeremyn

jeremyn commented Feb 22, 2017

This was with a local account. I've since uninstalled the login software.

Can you confirm that someone at Yubico has tested this with Windows 10 and found that it provides the intended protection?

@klali
Member

klali commented Feb 23, 2017

Yes, it's been tested by people at Yubico. The duplicated credential provider apparently happens but does require the configured YubiKey to login.

@jeremyn

jeremyn commented Feb 25, 2017

I installed and set up the login software again and now it seems to provide the expected protection. I was more aggressive with rebooting between steps and while testing, and maybe that made the difference. So the software is not completely broken, as it seemed to me before.

I do still see the duplicate users though. Another small issue is that when trying to log in as the "YubiKey" user without my YubiKey plugged in, after I get the login failure, my password is still shown (hidden with dots) typed into the password entry field in the login page. With the regular user, my password is erased from the entry field after a failed login. Erasing is slightly better because it doesn't reveal the approximate length of my password to anyone looking at the entry field.

@jeremyarzuaga

Are the duplicate users going to be fixed? Also, will this ever work with user accounts that use a Microsoft account?

@jtsalva

jtsalva commented Mar 17, 2018

I'm on Windows 10 Enterprise Version 1709 OS Build 16299.309 and was experiencing this same issue.

My duplicate listing was caused by:
1) PasswordProvider {0f33b914-4f18-4824-8880-29bbe2e05179}
2) YubiKeyWrapExistingCredentialProvider {0f33b914-4f18-4824-8880-29bbe2e05179}

In regedit I went to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}, made a DWORD named Disabled and set the value to 1.

After restarting Windows only the YubiKey credentials were listed, problem fixed, so far so good.

Is it not possible to do this automatically in YubiKey Logon Administrator? Or is there another better way of fixing this issue?

jtsalva added a commit to jtsalva/yubico-windows-auth that referenced this issue Mar 17, 2018
@ghost

ghost commented Mar 19, 2018

@jtsalva, I have tried your fix and it works.
But I have some other issues which emerged.
I have BitLocker security with a long password and have enabled Auto Login on boot for my local user account. So after I unlock BitLocker I just plug in my YubiKey and I am automatically logged in. After that I would lock my account and need both the YubiKey and the password to unlock it.
After using your fix the auto login feature no longer works.
If you go: Run --> "control userpasswords2", uncheck "Users must enter a user name and password to use this computer" and then enter your username and password after you click OK, you will find that the account won't auto login, because the account is not recognised at the login screen.
Is there any other way to enable autologin after applying your fix?
Thank you!

@jtsalva

jtsalva commented Mar 19, 2018

@kurci2 What's the exact error you're receiving? Is it possible to see a screenshot?

@ghost

ghost commented Mar 19, 2018

@jtsalva, thank you for your reply.
I do not actually get any error. Windows just does not log in. Here are two examples.

  1. Your registry entry set to 0, YubiKey plugged in and auto login set.
    On start up Windows logs into my account.
  2. Your registry entry set to 1, YubiKey plugged in and auto login set.
    On start up Windows hangs at the login screen prompting me to enter my username and password.

@jtsalva

jtsalva commented Mar 19, 2018

@kurci2
If you enable the default password provider HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{60b78e88-ead8-445c-9cfd-0b87f74ea6cd} by deleting the Disabled key or setting the value to 0,

then disable the YubiKey wrapper credential HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{0f33b914-4f18-4824-8880-29bbe2e05179} by making a DWORD named Disabled and setting the value to 1,

your auto login should work. The only downsides I've come across are that the messages on the login screen such as "YubiKey logon is enabled for this user" aren't displayed, and the error message given the correct password but a missing YubiKey will be blank.

The Yubikey is still required to login so I don't think it's much of a problem.
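
The two registry recipes in this thread (klali's loggingEnabled value, and jtsalva's Disabled DWORD under either the default PasswordProvider CLSID or the YubiKey wrapper CLSID) are shown below as one PowerShell script. It is an added example, not code from yubico-windows-auth or from any commenter; the CLSIDs and key paths are the ones quoted in the comments above, and the assumption that loggingEnabled is a DWORD is mine (klali only says "set it to 1"). Run it from an elevated PowerShell session. Keep in mind klali's point that the YubiKey check lives in the subauthentication module, not in the tile: disabling a provider only removes a tile from the logon screen, so after rebooting, verify with the YubiKey unplugged that logon actually fails, and make sure you have a recovery path (another admin account, or an offline registry edit) before disabling the provider you are currently logging on with.

```powershell
# Added example (not part of the yubico-windows-auth project).
# Inspects and toggles credential providers and turns on the provider's log file,
# using the registry locations quoted in this issue. Requires an elevated shell.

$cpRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$PasswordProviderClsid = '{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}'  # default PasswordProvider (jtsalva's first comment)
$YubiKeyWrapperClsid   = '{0f33b914-4f18-4824-8880-29bbe2e05179}'  # YubiKeyWrapExistingCredentialProvider (second comment)

function Get-CredentialProviderState {
    # Lists every registered credential provider with its name and Disabled flag.
    Get-ChildItem -Path $cpRoot | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $disabled = 0
        if ($null -ne $props.Disabled) { $disabled = [int]$props.Disabled }
        [pscustomobject]@{
            Clsid    = $_.PSChildName
            Name     = $props.'(default)'
            Disabled = $disabled
        }
    }
}

function Set-CredentialProviderDisabled {
    param(
        [Parameter(Mandatory)][string]$Clsid,
        [Parameter(Mandatory)][bool]$Disabled
    )
    $key = Join-Path -Path $cpRoot -ChildPath $Clsid
    # Refuse to create keys for unknown CLSIDs: a typo here would otherwise silently do nothing
    # (or, worse, you would believe a provider is hidden when it is not).
    if (-not (Test-Path -Path $key)) { throw "Credential provider $Clsid is not registered on this machine" }
    if ($Disabled) {
        New-ItemProperty -Path $key -Name 'Disabled' -PropertyType DWord -Value 1 -Force | Out-Null
    } else {
        # Deleting the value is what jtsalva describes; setting it to 0 is equivalent.
        Remove-ItemProperty -Path $key -Name 'Disabled' -ErrorAction SilentlyContinue
    }
}

function Enable-YubiKeyLogonLogging {
    # Path and value name as quoted by klali; DWORD type is an assumption.
    $key = 'HKLM:\SOFTWARE\Yubico\auth\settings'
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'loggingEnabled' -PropertyType DWord -Value 1 -Force | Out-Null
}

# Variant A (jtsalva, Mar 17): hide the default password tile, keep the YubiKey wrapper.
Set-CredentialProviderDisabled -Clsid $PasswordProviderClsid -Disabled $true
Set-CredentialProviderDisabled -Clsid $YubiKeyWrapperClsid   -Disabled $false

# Variant B (jtsalva, Mar 19, keeps autologon working): the reverse of A.
# Set-CredentialProviderDisabled -Clsid $PasswordProviderClsid -Disabled $false
# Set-CredentialProviderDisabled -Clsid $YubiKeyWrapperClsid   -Disabled $true

Enable-YubiKeyLogonLogging

# Show the resulting state of the two providers this thread is about.
Get-CredentialProviderState |
    Where-Object { $_.Clsid -in @($PasswordProviderClsid, $YubiKeyWrapperClsid) } |
    Format-Table -AutoSize

# Reboot, then test: with the YubiKey removed, logon must fail and
# C:\yubikey_logon_log.txt should record the failed check.
```

Run `Get-CredentialProviderState` on its own first to see every provider's CLSID and Disabled flag before changing anything; the two CLSIDs above are the ones named in this thread, but listing them on your own machine is the only way to confirm which tile belongs to which provider.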

@ghost

ghost commented Mar 20, 2018

@jtsalva, thank you for the proposed solution.
It is good enough for me. I know why the blank error is there if there is no YubiKey plugged in, so no problem.
I hope that the problem will get a proper fix (if possible) some day.
All the best!

@pcjc2

pcjc2 commented Mar 21, 2018

I noticed this on Win10 Pro too - and on my system, with Yubikey login enabled for my user - the system will NOT stop me logging in if the Yubikey is absent.

I noticed that if I set the Yubikey to require touch input, it would blink when logging on (e.g. the driver / auth module is running), but that Windows would give up and log in, even when I did not touch the device.

@4S3C

4S3C commented May 1, 2018

Same problem here!

I can fix the duplicate issue, thanks to @jtsalva.

But I can still login without any YubiKey inserted, while YubiKey login is enabled and active!

OS: Windows Pro. Local account.

Should not be possible ;-)

Tried a reinstall, it didn't fix it.

Need help / advice.

Thanks!


8 participants