| Started by | Andy Burns <usenet@andyburns.uk> |
|---|---|
| First post | 2025-01-27 16:47 +0000 |
| Last post | 2025-01-28 16:38 +0000 |
| Articles | 7 — 2 participants |
FIDO2 Andy Burns <usenet@andyburns.uk> - 2025-01-27 16:47 +0000
Re: FIDO2 Paul <nospam@needed.invalid> - 2025-01-27 12:49 -0500
Re: FIDO2 Andy Burns <usenet@andyburns.uk> - 2025-01-27 18:06 +0000
Re: FIDO2 Paul <nospam@needed.invalid> - 2025-01-27 14:09 -0500
Re: FIDO2 Andy Burns <usenet@andyburns.uk> - 2025-01-27 19:43 +0000
Re: FIDO2 Andy Burns <usenet@andyburns.uk> - 2025-01-27 20:06 +0000
Re: FIDO2 Andy Burns <usenet@andyburns.uk> - 2025-01-28 16:38 +0000
| From | Andy Burns <usenet@andyburns.uk> |
|---|---|
| Date | 2025-01-27 16:47 +0000 |
| Subject | FIDO2 |
| Message-ID | <lvprl2FibgvU1@mid.individual.net> |
My last couple of laptops had integrated fingerprint readers, and I used that for login, when shopping for this machine I had to choose one without fingerprint to get other features I wanted ... ho hum.

Anyway, I don't like face unlock, and got quite pissed off with the number of times a day I have to enter my pretty complex password, so decided to buy a FIDO2 security key with fingerprint reader.

This Kensington one seemed up to the job

<https://www.kensington.com/en-gb/p/products/data-protection/fingerprint-security-keys/verimark-guard-usb-a-fingerprint-security-key-fido2-webauthnctap2-fido-u2f-cross-platform-1/>

Plugged in the dongle, recognised without needing a driver, enrolled my fingerprint and set a PIN, so far so good.

Locked the PC, expecting that "security key" would be added as a new method on the lock screen along with password/pin/face unlock

But no, I can't logon or unlock using the key. This is a Windows11 Home PC (so can't belong to a domain) it all seems to want to use Microsoft Entra to login, is there any way to do this on a "Home" pc?

Was also expecting my Password Manager (EnPass) which accepts Windows Hello would also unlock using the security key, but no dice there either

Anyone get similar working?
| From | Paul <nospam@needed.invalid> |
|---|---|
| Date | 2025-01-27 12:49 -0500 |
| Message-ID | <vn8gvd$13v2t$1@dont-email.me> |
| In reply to | #16571 |
On Mon, 1/27/2025 11:47 AM, Andy Burns wrote:

> My last couple of laptops had integrated fingerprint readers, and I used that for login, when shopping for this machine I had to choose one without fingerprint to get other features I wanted ... ho hum.
>
> Anyway, I don't like face unlock, and got quite pissed off with the number of times a day I have to enter my pretty complex password, so decided to buy a FIDO2 security key with fingerprint reader.
>
> This Kensington one seemed up to the job
>
> <https://www.kensington.com/en-gb/p/products/data-protection/fingerprint-security-keys/verimark-guard-usb-a-fingerprint-security-key-fido2-webauthnctap2-fido-u2f-cross-platform-1/>
>
> Plugged in the dongle, recognised without needing a driver, enrolled my fingerprint and set a PIN, so far so good.
>
> Locked the PC, expecting that "security key" would be added as a new method on the lock screen along with password/pin/face unlock
>
> But no, I can't logon or unlock using the key. This is a Windows11 Home PC (so can't belong to a domain) it all seems to want to use Microsoft Entra to login, is there any way to do this on a "Home" pc?
>
> Was also expecting my Password Manager (EnPass) which accepts Windows Hello would also unlock using the security key, but no dice there either
>
> Anyone get similar working?

Was all of your setup done in a Windows Hello dialog ?
From your description, you must have been in here.

https://www.yubion.com/post/fido2-security-key-pin-setting-fingerprint-setting-for-windows?lang=en

This isn't the ARM64 laptop is it, the Qualcomm one ?

Your device is a security key (with biometric credential transmission) and it probably isn't the PIN setup option here but the security key option. The fingerprint one would be for a captive fingerprint reading device in the laptop.

https://static1.xdaimages.com/wordpress/wp-content/uploads/wm/2023/09/windows-11-settings-remove-windows-hello.png?q=49&fit=crop&w=825&dpr=2

( https://www.xda-developers.com/how-to-set-up-windows-hello/ )

Apparently, it is possible to use a third party App from the Store, to accept the security key at login, but that strikes me as poor security. You want only Windows goods, with Windows signing, in that path.

Paul
| From | Andy Burns <usenet@andyburns.uk> |
|---|---|
| Date | 2025-01-27 18:06 +0000 |
| Message-ID | <lvq09dFibgvU3@mid.individual.net> |
| In reply to | #16573 |
Paul wrote:

> Was all of your setup done in a Windows Hello dialog ?

yes and no, the first 3 options are described as "hello" but the 4th is just "security key" without "hello"

<http://andyburns.uk/misc/fido2.png>

> From your description, you must have been in here.
>
> https://www.yubion.com/post/fido2-security-key-pin-setting-fingerprint-setting-for-windows?lang=en

I've got a couple of oldish yubikeys, but they're too fragile to leave in a machine permanently, hence going for the kensington with just a little stump sticking out the machine.

> This isn't the ARM64 laptop is it, the Qualcomm one ?

No.

> Your device is a security key (with biometric credential transmission) and it
> probably isn't the PIN setup option here but the security key option. The fingerprint
> one would be for a captive fingerprint reading device in the laptop.

the finger print (vs security key) devices seemed like the less flexible option

> https://static1.xdaimages.com/wordpress/wp-content/uploads/wm/2023/09/windows-11-settings-remove-windows-hello.png?q=49&fit=crop&w=825&dpr=2
>
> (https://www.xda-developers.com/how-to-set-up-windows-hello/ )
>
> Apparently, it is possible to use a third party App from the Store,
> to accept the security key at login, but that strikes me as poor
> security. You want only Windows goods, with Windows signing, in
> that path.

It might go back to amazon ...
| From | Paul <nospam@needed.invalid> |
|---|---|
| Date | 2025-01-27 14:09 -0500 |
| Message-ID | <vn8lko$15meb$1@dont-email.me> |
| In reply to | #16574 |
On Mon, 1/27/2025 1:06 PM, Andy Burns wrote:

> It might go back to amazon ...

Does it show up in Device Manager ?

Whether the device had a "push button" to send credentials or a "fingerprint button" to send credentials, you would think it would still be detected as a basic FIDO2 key.

That's assuming the OS has a working subsystem for that.

https://learn.microsoft.com/en-us/answers/questions/1090037/22h2-security-key-logon-not-working-version-22621

Paul
| From | Andy Burns <usenet@andyburns.uk> |
|---|---|
| Date | 2025-01-27 19:43 +0000 |
| Message-ID | <lvq5ulFk3baU1@mid.individual.net> |
| In reply to | #16578 |
Paul wrote:

> Does it show up in Device Manager ?

Yes, I was expecting it under "Biometric Devices" but it shows as "USB input device HID compliant FIDO"

> Whether the device had a "push button" to send credentials
> or a "fingerprint button" to send credentials, you would
> think it would still be detected as a basic FIDO2 key.

Oh, it's detected and "sort of working" as far as windows is concerned, to go into the [manage] dialogue as per my screenshot, it lights up the logo on the security key, and waits for a touch of the fingerprint sensor (doesn't need to be an enrolled finger, but you do need to know the PIN to change anything)

> That's assuming the OS has a working subsystem for that.

The key doesn't light-up when expected (after a reboot, or opening the lid)

> https://learn.microsoft.com/en-us/answers/questions/1090037/22h2-security-key-logon-not-working-version-22621

Hmmm ... I've even added an MSA account to the machine, rather than local, but no different ... except I feel dirty now ...
| From | Andy Burns <usenet@andyburns.uk> |
|---|---|
| Date | 2025-01-27 20:06 +0000 |
| Message-ID | <lvq7avFk456U1@mid.individual.net> |
| In reply to | #16580 |
Andy Burns wrote:

> Paul wrote:
>
>> That's assuming the OS has a working subsystem for that.
>
> The key doesn't light-up when expected (after a reboot, or opening the lid)

Stuff does appear in the WebAuthN event log ...
| From | Andy Burns <usenet@andyburns.uk> |
|---|---|
| Date | 2025-01-28 16:38 +0000 |
| Message-ID | <lvsfglFpjoU1@mid.individual.net> |
| In reply to | #16578 |
Paul wrote:

> you would think it would still be detected as a basic FIDO2 key.
> That's assuming the OS has a working subsystem for that.

Have tried a re-install of Win11 over-the-top, no difference.

Disabling EnPass allows the security key to work for setting-up and logging-in with passkeys in web browsers, though it's a bit clunky with several dialogues per sign-in, and occasional entering of PIN as well as my fingerprint.

Still no joy for signing-in to Windows itself.