How to set up a YubiKey with an account
Windows 10
How to set up YubiKey to protect Windows 10 accounts?
With hardware security keys, you can get the additional protection of two-factor authentication to make your login procedure secure. Follow these step-by-step instructions to easily set up a U2F security key to work with Windows 10 accounts.
Requirements
- Microsoft Windows 10 Home, Pro, or Enterprise.
- Requires version 1607 with build number 14393.321 or later.
- To find out which version of Windows you are using, press the Windows key together with R, type winver in the “Open” field, and click OK. The About Windows dialog box displays the version and build number of Windows 10.
- YubiKey.
- CCID mode must be enabled on your YubiKey.
- User account (local or in the cloud).
- Your local security policy set to allow companion devices for secondary authentication.
- A PIN must be set for the user who will use the YubiKey (mandatory).
Downloading and Installing the YubiKey for Windows Hello App
- From the Windows app store, locate the YubiKey for Windows Hello app.
- Click Get.
- When installation is completed, click Launch.
How to access the YubiKey app for Windows Hello
- From the Start menu, select All Apps > Start > YubiKey for Windows Hello.
How to uninstall the YubiKey app for Windows Hello
Be sure you have unregistered any YubiKeys before you uninstall the app.
- From the Start menu, navigate to the YubiKey for Windows Hello app.
- Hover over the application, right-click to open the context menu and select Uninstall.
- Follow the instructions on the screen. If necessary, restart your computer.
Local Security Policy Settings for Permission to Use Companion Devices
For systems running Windows Pro or Windows Enterprise, you need to enable the “Allow companion device for secondary authentication” option in the Local Security Policy settings. If your security policy is managed by your organization, contact your system administrator and ask them to change your local security policy settings before you install the application. On systems running Windows Home, local security policy settings cannot be changed, but this option is enabled by default.
How to make changes to the local security policy
- Open the «Local Group Policy Editor». To do this, press the Windows key together with R, type gpedit.msc, and click OK.
- In the Local Group Policy Editor, navigate to Computer Configuration > Administrative Templates > Windows Components > Microsoft Secondary Authentication Factor.
- Click the «Edit policy setting» link in the right pane. (Alternatively, you can double-click the “Allow companion device for secondary authentication” option.) By default, this option is set to Not Configured.
- If the option is displayed as «Not Configured» or «Enabled», then no change is required. Click «Cancel».
- If the option is displayed as «Disabled», continue with the next step.
- On the settings screen, select the «Enabled» option and click «OK».
- Close the «Local Group Policy Editor» and «Administration».
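The version requirement and the policy state described above can be checked from PowerShell before installing the app. This is an added example, not part of the original page or of Yubico's tooling; it only reads the registry. The function names are hypothetical, and the registry locations (the `UBR` build revision under `CurrentVersion`, and the `SecondaryAuthenticationFactor` policy key and value name) are assumptions not stated on the page, so confirm them against the policy's administrative template on your build.

```powershell
# Added example: read-only pre-flight check for the requirements listed on this page.
# Run in a PowerShell session on the Windows 10 machine that will use the YubiKey.

function Test-MinimumBuild {
    # Minimum from the page: version 1607, build 14393.321.
    param([int]$Build, [int]$Revision, [int]$MinBuild = 14393, [int]$MinRevision = 321)
    # A different build number decides on its own; on the same build the revision decides.
    if ($Build -ne $MinBuild) { return $Build -gt $MinBuild }
    return $Revision -ge $MinRevision
}

function Get-CompanionDevicePolicyState {
    # Assumption: the Group Policy setting is stored at this key and value name.
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor',
        [string]$Name = 'AllowSecondaryAuthenticationDevice'
    )
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    # No value written means the policy was never set (the default state).
    if ($null -eq $item) { return 'Not Configured' }
    if ($item.$Name -eq 0) { return 'Disabled' }
    return 'Enabled'
}

# Build number and update revision of the running system.
$cv     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build  = [int]$cv.CurrentBuildNumber
$ubr    = [int]$cv.UBR
$policy = Get-CompanionDevicePolicyState

[pscustomobject]@{
    Build       = "$build.$ubr"
    BuildOk     = Test-MinimumBuild -Build $build -Revision $ubr
    PolicyState = $policy
    # Only an explicit 'Disabled' blocks registration; the other two states need no change.
    PolicyOk    = $policy -ne 'Disabled'
}
```

If `PolicyOk` is False on a machine whose policy is managed centrally, the local editor steps above will be overwritten at the next policy refresh, so the change has to be made by the administrator of the managing policy.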
Notes
- This app is used to unlock your system only — it will not work with login (waking from sleep/hibernating requires a login).
- This app allows you to register a maximum of four YubiKeys per account.
- You cannot register the same YubiKey to more than one account on the same system.
- We recommend using this app only on single-user Windows systems; this app does not currently support multiple users.
Known Issues
- Yubico Authenticator with password set. Your YubiKey will not work for unlocking your system if you use Yubico Authenticator and have a password set. However, you can register a YubiKey if Yubico Authenticator is open and you have already confirmed the password.
- Requiring the YubiKey. At the moment, there is no way to require the YubiKey to unlock the system; you can always access the system with your PIN or password.
- Removing all keys. If you have removed all YubiKeys but have not uninstalled the app, you are still prompted to use the YubiKey to unlock your system. To work around this issue, uninstall the app.
- Removing a key. If you try to remove a YubiKey and the key is not inserted into your system, two OATH credentials will be present. You will need to remove them using an earlier version of Yubico Authenticator (2.3.0 or earlier), or reset the OATH applet settings (using the ykneomgr command line utility or opensc-tool).
- Resetting the OATH applet on the YubiKey. If you use the opensc-tool or ykneomgr utilities on the command line to reset the OATH applet on the YubiKey, you will erase all credentials registered for the YubiKey for Windows Hello application.
Frequently Asked Questions
- Why am I getting an error when trying to register a YubiKey using the YubiKey for Windows Hello app?
This may be because your local security policy settings do not allow the use of companion devices (this only applies to systems running Windows Pro or Windows Enterprise). To change your local security policy to allow companion devices, see the steps under “How to make changes to the local security policy” above.