Windows sign-in with Fido2 (standalone PC)

Hi everybody,
I bought 2 Nitrokey FIDO2 instances and after upgrading from 2.0 to 2.4 firmware they started working with Google and Microsoft accounts. My wife would like to secure her Win10 Pro PC with those keys but I cannot figure out how to do this. There seems to be some software from Yubikey that does the trick. But I can only find hints on the use of AD or AAD tools to allow PC sign-in. But her machine is a standalone PC.
Does anybody know how to do this?
Thanks in advance,
Regards,
Walter

Hi @walter_kriha!

Native OS support for FIDO2 login is only available for Windows 10 machines configured in AD/AAD (e.g. [2]). The confusion comes from the wording used (login vs. Windows Hello), as well as initial Microsoft claims to support that without AD while developing the first versions of the solution.

For the feature you mentioned, at the moment we offer Nitrokey Pro / Nitrokey Storage instead, which through the embedded smart card allow proper certificate-based authentication.

Regarding Yubikey, I have found the guide described at [1]. As far as I see it is based on a proprietary solution using OTP, which Nitrokey FIDO2 unfortunately does not support. Since OTP is a shared-secret-based solution, it's less secure than signature-verification-based ones using FIDO2 or a smart card.

On the bright side, the coming Nitrokey 3 is planned to have both a smart card and FIDO2, which would allow deploying many solutions with a single device, including Windows 10 login without AD.

There might be some 3rd party solutions I am not aware of, but I cannot find anything like that at the moment.

[1] https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide
[2] https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/how-to-password-less-fido2-security-key-sign-in-to-windows-10/ba-p/1434583