So, I received a generous gift of another YubiKey from [REDACTED] and wanted to configure one of my Windows machines to require YubiKey authentication – after having already done so on my Ubuntu machine.
I used the YubiKey Personalization Tool to set up HMAC-SHA1 challenge-response on Slot 2 (as required for this to work) and then used the YubiKey Logon Administration tool to configure Windows to require the YubiKey for logon.
This worked but there was a problem…
You see, I now had two logon options, one to log on with the YubiKey and one to log on without it (meaning with only the password) – both under the same username, because they were different logon providers pointing to the same NT account.
Well, this is no good. The whole point of creating a layer that’s difficult to duplicate is that the password-only option allows brute force over ‘x’ amount of time to eventually win (the logic here being that, given enough time, any combination of characters can eventually be guessed successfully).
So, how can we prevent this from being a plausible attack surface? Well… The answer lay buried in a bug filed on GitHub for the YubiKey Logon Administration tool:
Alright, I fired-up regedit and went to:
I created a DWORD key called Disabled and set it to Enabled (1). Then, I locked my desktop and, as expected, only the YubiKey login provider is now offered.
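The same change in script form, as an added example that is not from the original post: it lists the credential providers registered on the machine, shows which already carry the `Disabled` DWORD, and offers a function that applies the `Disabled = 1` setting to one of them. The base registry key is assumed to be the standard Windows credential-provider location; the provider CLSID is a placeholder you must replace with the one named in the GitHub issue.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell.
# Assumption: credential providers live under this standard Windows key.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

function Get-CredentialProviderStatus {
    # One object per registered provider: CLSID, display name, and whether
    # the Disabled DWORD is set to 1 (the change described in the post).
    Get-ChildItem -Path $base | ForEach-Object {
        $props    = Get-ItemProperty -Path $_.PSPath
        $disabled = (Get-ItemProperty -Path $_.PSPath -Name Disabled -ErrorAction SilentlyContinue).Disabled
        [pscustomobject]@{
            CLSID    = $_.PSChildName
            Name     = $props.'(default)'
            Disabled = ($disabled -eq 1)
        }
    }
}

function Disable-CredentialProvider {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $base $Clsid
    if (-not (Test-Path $key)) { throw "No credential provider registered at $key" }
    # Same edit the post makes in regedit: DWORD 'Disabled' = 1 under the provider's key.
    New-ItemProperty -Path $key -Name Disabled -PropertyType DWord -Value 1 -Force | Out-Null
}

# Review the current state before changing anything.
Get-CredentialProviderStatus | Format-Table -AutoSize

# Placeholder: replace with the CLSID of the provider you intend to disable.
# Disable-CredentialProvider -Clsid '{REPLACE-WITH-PROVIDER-CLSID}'
```

Confirm the YubiKey provider appears in the listing and works at the lock screen before disabling the password-only one; disabling the wrong provider leaves no way to sign in.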
So, since it took so long to find, I figured a blog post was worth writing over it.
Thanks for coming to this NERDTalk™ and happy Windowsing!