Windows Hello for Business Security Keys is Microsoft's name for FIDO2-based security keys when they are used with Windows Hello for Business on a Windows 10-based device.
As the FIDO Alliance strives to develop and promote authentication standards, FIDO2-based security keys work in many passwordless scenarios.
Yubico, one of the founding members of the FIDO Alliance, offers great Windows Hello for Business security keys with many options: YubiKeys. By default, all protocols are enabled. Depending on the type of YubiKey, this ranges from FIDO2 and YubiOTP to PIV.
When it comes to managing YubiKeys, and disabling some of these protocols on them, there are two tools available:
- The YubiKey Personalization Tool
- The YubiKey Manager
While a lot of (older) documentation explains how to achieve certain tasks on your YubiKeys using the YubiKey Personalization Tool, the YubiKey Manager is the preferred way to do things.
The YubiKey Personalization Tool has a couple of drawbacks:
- The YubiKey Personalization Tool is no longer actively maintained or improved.
- You cannot manage Yubico Security Keys with the YubiKey Personalization Tool. The FIDO2-only Security Key is perfect for Windows Hello for Business, but it cannot be managed using the YubiKey Personalization Tool. There is not a lot to manage (obviously), but the YubiKey Manager's command-line interface (ykman) does offer some granular options specifically suited to Yubico's FIDO2-only Security Keys.
If you have the YubiKey Personalization Tool installed, uninstall it and install the YubiKey Manager instead.
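As an added example (not code from the original post, nor Yubico's own tooling): a small POSIX shell script that audits which applications a YubiKey exposes over USB and prints the `ykman config usb` command that leaves only FIDO2 (and FIDO U2F) enabled, which is all a Windows Hello for Business key needs. The table layout it parses is assumed to match what `ykman info` prints; the sample output is constructed, and the application identifiers (OTP, U2F, FIDO2, OATH, PIV, OPENPGP, HSMAUTH) and the `-f` (force) flag are assumed to be the ones ykman's `config usb --disable` accepts.

```shell
#!/bin/sh
# Added example: audit a YubiKey's enabled USB applications and derive the
# ykman command that disables everything a WHfB key does not need.
# The table format is assumed to follow `ykman info`; this sample is
# constructed, not captured from a real key.
SAMPLE_YKMAN_INFO='Device type: YubiKey 5 NFC
Serial number: 00000000
Firmware version: 5.4.3
Enabled USB interfaces: OTP, FIDO, CCID

Applications    USB             NFC
FIDO2           Enabled         Enabled
OTP             Enabled         Enabled
FIDO U2F        Enabled         Enabled
OpenPGP         Enabled         Enabled
YubiHSM Auth    Enabled         Enabled
OATH            Enabled         Enabled
PIV             Enabled         Enabled'

# Applications a WHfB-only key needs; everything else is unused attack surface.
KEEP_APPS='FIDO2 U2F'

# Map the display name in the table to the identifier `ykman config usb
# --disable` accepts (assumed identifiers).
app_id() {
    case "$1" in
        "FIDO2")        echo FIDO2 ;;
        "FIDO U2F")     echo U2F ;;
        "OTP")          echo OTP ;;
        "OpenPGP")      echo OPENPGP ;;
        "YubiHSM Auth") echo HSMAUTH ;;
        "OATH")         echo OATH ;;
        "PIV")          echo PIV ;;
        *)              return 1 ;;
    esac
}

# Print the display names of applications whose USB column reads "Enabled".
# Columns are separated by two or more spaces, so names with a single space
# ("FIDO U2F") stay intact.
enabled_usb_apps() {
    printf '%s\n' "$1" | awk -F '  +' '
        /^Applications/ { in_table = 1; next }
        in_table && NF >= 2 && $2 == "Enabled" { print $1 }'
}

# Build the ykman invocation: one --disable per enabled app not in KEEP_APPS.
# Prints nothing when the key is already locked down.
lockdown_command() {
    flags=''
    old_ifs=$IFS
    IFS='
'
    for name in $(enabled_usb_apps "$1"); do
        id=$(app_id "$name") || continue   # skip rows we do not recognise
        case " $KEEP_APPS " in
            *" $id "*) ;;                   # needed for WHfB, keep it
            *) flags="$flags --disable $id" ;;
        esac
    done
    IFS=$old_ifs
    if [ -n "$flags" ]; then
        echo "ykman config usb -f$flags"
    fi
}

# Dry run on the constructed sample. On a real key, feed it the live output:
#   lockdown_command "$(ykman info)"
lockdown_command "$SAMPLE_YKMAN_INFO"
```

The script only prints the command; review it before running it against a key, because disabling an application you still rely on (for example PIV for smart-card logon) locks you out of that use until you re-enable it with `--enable`.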
Please can you advise how I would change the configuration and randomize the secrets if I don't use the Personalization tool? Thanks.
This seems to be another drawback.
The Yubico Manager seems to lack this functionality, currently.