
Windows 10, default credential provider is available at logon

Open jedrzejsieracki opened this issue 9 years ago • 19 comments

In Win10 both the default credential provider as well as yubico cred wrapper are available on logon screen.

This defeats the purpose of using the yubi wrapper, as a potential intruder can simply select the default cred prov and authenticate without the yubi key present.

The forum post related to this issue is http://forum.yubico.com/viewtopic.php?f=23&t=2100

jedrzejsieracki avatar Jan 07 '16 15:01 jedrzejsieracki

The security of this does not lie within the credential provider, instead a subauthentication module is installed which should be active no matter which credential provider is used. Does it work to login without the yubikey using the default credential provider?

klali avatar Jan 08 '16 08:01 klali

Aah, interesting! Just like you implied, the default cred prov does detect yubikey missing, correctly preventing login. The issue must be how Win10 treats subauthentication modules then.

Would you like me to rewrite the original report in this issue or should I file a new one/ones? The current list of issues with Win10 is:

  • Logon screen userlist is doubled, in case of two users you get four options:

    • username1
    • username2
    • Password /which leads to authenticating username1/
    • Password /which leads to authenticating username2/

    The string "Password" is actually "Hasło" in my Windows locale pl-pl, I just presume it's "Password" in en-en locale.

  • The first two login options (those with correct usernames) do not display subauthentication module's messages:

    • "YubiKey Logon enabled for user."
    • "YubiKey Logon failed, is there a YubiKey inserted?"

    Login options three and four do display those properly.

  • Login avatars for options three and four are a simple key picture, but since those options should not be visible at all in the first place, this will be of no consequence when issue #1 is dealt with.

jedrzejsieracki avatar Jan 08 '16 09:01 jedrzejsieracki

Well.. to me this issue is about the filtering to remove the default credential provider not working and can stay as that. I'm unsure about the other issues. This hasn't at all been tested on Windows 10 (barely on Windows 8)..

klali avatar Jan 08 '16 09:01 klali

So, if I understand your answer correctly, your focus here is on "filtering out" the doubled userlist entries (entry three and entry four in my example above)?

I'll file another issue for the other stuff then.

Thanks!

jedrzejsieracki avatar Jan 12 '16 11:01 jedrzejsieracki

Same issue here - logins are doubled now. Also, only on the newly created "password" accounts will a missing device lead to a correct error message. For the original account, the login won't work, but the error message shows nothing.

ambition-consulting avatar Aug 31 '16 09:08 ambition-consulting

I tried using this Windows Logon tool with a YubiKey 4 on Windows 10 Professional. I also saw double users. However, what's worse is that "both" users allowed me to log in without the YubiKey attached, using just my password. In other words, on Windows 10 this software (EDIT by @jeremyn: it actually does work, see https://github.com/Yubico/yubico-windows-auth/issues/1#issuecomment-282515564 below) seems to provide security, but actually it does not. (The bold font is to make sure that text stands out, not to convey shouting.)

Both of the below links recommend using this login software with Windows 10:

https://www.yubico.com/why-yubico/for-businesses/computer-login/windows-login/
https://www.yubico.com/support/knowledge-base/categories/articles/use-yubico-windows-login-tool/

If you can't update this software, please update the text there to say it doesn't work, or at the very least that it hasn't been tested on Windows 10 as @klali wrote in https://github.com/Yubico/yubico-windows-auth/issues/1#issuecomment-169950566. Providing false security is worse than nothing.

This same YubiKey provides login security on a Linux system with HMAC-SHA1 Challenge-Response enabled in slot 2, so I don't think the problem is with the YubiKey itself.

jeremyn avatar Feb 19 '17 02:02 jeremyn

With windows 10 local accounts this should work, if the account is a domain account or a cloud account it will not work.

It's possible to turn on some rudimentary logging from the provider by setting a registry key: set HKLM\SOFTWARE\Yubico\auth\settings\loggingEnabled to 1 and a logfile should appear as c:\yubikey_logon_log.txt that might contain clues to what's happening.

klali avatar Feb 22 '17 15:02 klali

This was with a local account. I've since uninstalled the login software.

Can you confirm that someone at Yubico has tested this with Windows 10 and found that it provides the intended protection?

jeremyn avatar Feb 22 '17 17:02 jeremyn

Yes, it's been tested by people at Yubico. The duplicated credential provider apparently happens but does require the configured YubiKey to login.

klali avatar Feb 23 '17 11:02 klali

I installed and set up the login software again and now it seems to provide the expected protection. I was more aggressive with rebooting between steps and while testing, and maybe that made the difference. So the software is not completely broken, as it seemed to me before.

I do still see the duplicate users though. Another small issue is that when trying to log in as the "YubiKey" user without my YubiKey plugged in, after I get the login failure, my password is still shown (hidden with dots) typed into the password entry field in the login page. With the regular user, my password is erased from the entry field after a failed login. Erasing is slightly better because it doesn't reveal the approximate length of my password to anyone looking at the entry field.

jeremyn avatar Feb 25 '17 21:02 jeremyn

Are the duplicate users going to be fixed? Also, will this ever work with user accounts that use a Microsoft account?

jeremyarzuaga avatar Mar 13 '18 16:03 jeremyarzuaga

I'm on Windows 10 Enterprise Version 1709 OS Build 16299.309 and was experiencing this same issue.

My duplicate listing was caused by:

  1. PasswordProvider {0f33b914-4f18-4824-8880-29bbe2e05179}
  2. YubiKeyWrapExistingCredentialProvider {0f33b914-4f18-4824-8880-29bbe2e05179}

In regedit I went to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}, made a DWORD named Disabled and set the value to 1.


After restarting Windows only the YubiKey credentials were listed, problem fixed, so far so good.

Is it not possible to do this automatically in YubiKey Logon Administrator? Or is there another better way of fixing this issue?

jtsalva avatar Mar 17 '18 21:03 jtsalva

@jtsalva, I have tried your fix and it works. But I have some other issues which emerged. I have BitLocker security with a long password and have enabled Auto Login on boot for my local user account. So after I unlock BitLocker I just plug in my Yubikey and I am automatically logged in. After that I would lock my account and need both the Yubikey and password to unlock it. After using your fix the auto login feature no longer works. If you go: Run --> "control userpasswords2" and uncheck "Users must enter a user name and password to use this computer" and then enter your username and password after you click OK, you will find that the account won't auto login, because the account is not recognised at the login screen. Is there any other way to enable autologin after applying your fix? Thank you!

ghost avatar Mar 19 '18 17:03 ghost

@kurci2 What's the exact error you're receiving? Is it possible to see a screenshot?

jtsalva avatar Mar 19 '18 18:03 jtsalva

@jtsalva, thank you for your reply. I do not actually get any error. Windows just does not log in. Here are two examples.

  1. Your registry entry set to 0, Yubikey plugged in and auto login set. On start-up, Windows logs into my account.
  2. Your registry entry set to 1, Yubikey plugged in and auto login set. On start-up, Windows hangs at the login screen prompting me to enter my username and password.

ghost avatar Mar 19 '18 18:03 ghost

@kurci2 If you enable the default password provider HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{60b78e88-ead8-445c-9cfd-0b87f74ea6cd} by deleting the Disabled key or setting the value to 0,

then disable the Yubikey wrapper credential HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{0f33b914-4f18-4824-8880-29bbe2e05179} by making a DWORD named Disabled and setting the value to 1,

your auto login should work. The only downsides I've come across are that the messages on the login screen such as "Yubikey logon is enabled for this user" aren't displayed, and the error message given the correct password but a missing Yubikey will be blank.

The Yubikey is still required to login so I don't think it's much of a problem.

jtsalva avatar Mar 19 '18 22:03 jtsalva
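An added example (not code from the yubico-windows-auth project or from anyone in this thread) that scripts the two registry configurations @jtsalva describes above (disable the built-in PasswordProvider to deduplicate the logon screen, or re-enable it and disable the YubiKey wrapper instead to get autologon back), plus the loggingEnabled switch @klali mentioned earlier. The function names are my own; the GUIDs and key paths are the ones quoted in the thread, and the script assumes an elevated PowerShell session.

```powershell
# Credential provider registration root and the two GUIDs quoted in this issue.
$CpRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$PasswordProvider = '{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}'   # built-in PasswordProvider
$YubiKeyWrapper   = '{0f33b914-4f18-4824-8880-29bbe2e05179}'   # YubiKeyWrapExistingCredentialProvider

function Get-CredentialProviderState {
    # List every registered credential provider and whether it is currently disabled,
    # so the current state can be recorded before anything is changed.
    Get-ChildItem -Path $CpRoot | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Guid     = $_.PSChildName
            Name     = $props.'(default)'
            Disabled = [int]($props.Disabled -eq 1)
        }
    }
}

function Set-CredentialProviderDisabled {
    # Create or overwrite the Disabled DWORD under a provider's key (0 = enabled, 1 = disabled).
    param(
        [Parameter(Mandatory)][string]$Guid,
        [Parameter(Mandatory)][ValidateSet(0, 1)][int]$Disabled
    )
    $key = Join-Path $CpRoot $Guid
    if (-not (Test-Path $key)) { throw "Credential provider $Guid is not registered on this machine" }
    # Remember the previous value so the change can be reverted with the opposite call.
    $before = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Disabled
    New-ItemProperty -Path $key -Name Disabled -Value $Disabled -PropertyType DWord -Force | Out-Null
    "$Guid Disabled: $before -> $Disabled"
}

function Enable-YubiKeyLogonLogging {
    # Turn on the provider's logging (logfile lands at c:\yubikey_logon_log.txt per @klali).
    $key = 'HKLM:\SOFTWARE\Yubico\auth\settings'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name loggingEnabled -Value 1 -PropertyType DWord -Force | Out-Null
}

Get-CredentialProviderState | Format-Table -AutoSize

# Configuration A: single logon entry per user, YubiKey messages shown.
Set-CredentialProviderDisabled -Guid $PasswordProvider -Disabled 1

# Configuration B (instead of A): autologon keeps working, YubiKey messages are blank.
# Set-CredentialProviderDisabled -Guid $PasswordProvider -Disabled 0
# Set-CredentialProviderDisabled -Guid $YubiKeyWrapper   -Disabled 1
```

Either configuration is reverted by calling Set-CredentialProviderDisabled again with -Disabled 0 for the provider you turned off; a reboot is needed before the logon screen reflects the change.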

@jtsalva, thank you for proposed solution. It is good enough for me. I know why the blank error is there if there is no Yubikey plugged in so no problem. I hope that the problem will get a proper fix (if possible) some day. All the best!

ghost avatar Mar 20 '18 14:03 ghost

I noticed this on Win10 Pro too - and on my system, with Yubikey login enabled for my user - the system will NOT stop me logging in if the Yubikey is absent.

I noticed that if I set the Yubikey to require touch input, it would blink when logging on (e.g. the driver / auth module is running), but that Windows would give up and log in, even when I did not touch the device.

pcjc2 avatar Mar 21 '18 19:03 pcjc2

Same problem here!

I can fix the duplicate issue, thanks to jtsalva.

But I can still log in without any Yubikey inserted, while Yubikey login is enabled and active!

OS: Windows Pro. Local account.

Should not be possible ;-)

Tried reinstalling, it didn't fix it.

Need help / advice.

Thanks!

4S3C avatar May 01 '18 11:05 4S3C