
Microsoft Live allows me to sign in to live.com with nothing else but my Yubico Security Key. That's right, I don't even need to know my username; I just plug in the key and touch it and I'm logged in. And when I write "I" you should read "anyone who has physical possession of this key".

I think that's astonishingly bad opsec for a Big Tech cloud service. If I were a sane person, I would deregister that key as a FIDO2 device, but I guess I'll be OK for now. I shouldn't have posted this in public. This comment will self-destruct in T minus 10 minutes.

Microsoft is also the jerk who won't let me use the self-same key for logging into my Windows 10 Pro notebook, no how, no way. Windows Hello does not play nice with Yubico. My notebook has no fingerprint reader, and no infrared camera, so the Windows Hello alternatives are slim pickings.



> And when I write "I" you should read "anyone who has physical possession of this key".

Add a PIN or password to the key and now anyone who has physical possession of the key will need to know your secret in order to use it.

Yubikeys, for example, will wipe their credentials after 8 wrong password attempts.


Yes, that’s resident (or “discoverable”) keys the article author is talking about.

You don’t have to do it this way. I configured my Yubikeys to be the second factor and not to use resident keys. It’s possible, although I don’t know if Microsoft allows users to roll back from “passwordless” and discoverable keys.

I want to state it explicitly: FIDO as a technology allows either. It's a particular platform choice to go with discoverable keys.


> Yes, that’s resident (or “discoverable”) keys the article author is talking about.

No, I said I'm using a Yubico Security Key. This is not a Yubikey. This key has no storage. How can it possibly store resident keys? The YubiKey Manager app can't even connect to this key. It's very basic, it has no TOTP slots, it has no configuration, it only does FIDO2. How would resident keys get in there in the first place? The article cites a strict limit on the number of slots, but it has zero slots.


Sorry, but Yubico Security Keys support up to 25 resident keys (https://support.yubico.com/hc/en-us/articles/360013647720-Se...)


You can use the Yubico Authenticator app's WebAuthn feature on the desktop to see resident credentials on their Security Key product, same thing with Chrome/Chromium's security key settings pane.


Nope. I have Windows Yubico Authenticator v5.1.0, and with the Security Key plugged in, all screens blank.

In Chrome 114.0.5735.199 on Windows 10 Pro, there is no "security key settings pane". The closest thing available is "Privacy and Security -> Security -> Manage phones (control which phones you use as security keys.)"

However, in terms of resident credentials, I thank the GP and I stand corrected, because Yubico's own specs say that this key sports 25 slots. I wonder how many are currently in use, and which version of the CTAP protocol it is using...


So I just tried this with a blue Yubico Security Key with 5.4.3 firmware using Yubico Authenticator 6.2.0 on Linux, and I was successfully able to manage my resident credentials using the Authenticator after setting a PIN and saving a resident credential via https://webauthn.io.

I'd check your firmware versions, update your Authenticator, ensure you have a PIN set and ensure you're correctly saving a resident key on your device when registering with a service.

For Chrome, a visit to chrome://settings/securityKeys[1] should do it, but I just tried it in a Windows VM and it is not present in the menu, while it is present on Linux and macOS.

[1] https://chromium.googlesource.com/chromium/src/+/HEAD/device...


CTAP1 is only used for talking to old U2F keys.

Additionally, U2F/CTAP1 does not support resident keys anyway (IIRC).


> It’s possible, although I don’t know if Microsoft allows users to roll back from “passwordless” and discoverable keys.

I don't know about Microsoft specifically, but it's possible to register the same FIDO2-capable security key with a service as both a passkey and a U2F token.
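Added example, not code from any commenter: the relying-party side of the choice discussed above (second-factor registration without a resident key versus passwordless registration with a discoverable key), written as the WebAuthn option objects a site passes to `navigator.credentials.create()` / `get()`, plus a check of the `credProps` extension result that tells you whether the key actually stored a discoverable credential. The relying-party id, user record and challenge bytes are constructed placeholders.

```javascript
const RP = { id: "example.com", name: "Example RP" }; // constructed RP for this example

// Creation options. "second-factor": no resident key, so the RP must know the username and
// send an allowCredentials list at login (the key alone is not enough). "passwordless":
// discoverable credential plus PIN/biometric, which is what makes usernameless login possible.
function buildRegistrationOptions(mode, user, challenge) {
  const passwordless = mode === "passwordless";
  const selection = {
    authenticatorAttachment: "cross-platform",
    residentKey: passwordless ? "required" : "discouraged",
    requireResidentKey: passwordless, // Level 1 spelling of the same choice, kept consistent
    userVerification: passwordless ? "required" : "discouraged",
  };
  return {
    publicKey: {
      rp: RP,
      user: { id: user.id, name: user.name, displayName: user.displayName },
      challenge,
      pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
      authenticatorSelection: selection,
      extensions: { credProps: true }, // ask the client to report whether a resident key was stored
      timeout: 60000,
    },
  };
}

// Request options. An empty allowCredentials list is the usernameless flow: the authenticator
// has to find a discoverable credential for rpId on its own, so user verification is required.
function buildAssertionOptions(challenge, credentialIds = []) {
  const usernameless = credentialIds.length === 0;
  return {
    publicKey: {
      rpId: RP.id,
      challenge,
      allowCredentials: credentialIds.map((id) => ({ type: "public-key", id })),
      userVerification: usernameless ? "required" : "preferred",
      timeout: 60000,
    },
  };
}

// After create() resolves, pass credential.getClientExtensionResults() here.
// rk === true: a discoverable credential now occupies one of the key's resident slots.
// rk === false: non-resident; this key cannot log in usernameless at this RP.
// rk missing: the client did not report, so do not assume a resident key was saved.
function discoverableCredentialStored(extensionResults) {
  const rk = extensionResults?.credProps?.rk;
  return rk === true ? "resident" : rk === false ? "non-resident" : "unknown";
}
```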



