Everything you wanted to know about YubiKey for Windows Hello

Abhishek Baxi

Windows Hello is one of the understated highlights of Windows 10. The ability to use biometrics to validate my identity for access to my Windows 10 devices is what my science fiction dreams were made of.

I use both iris recognition and fingerprint recognition in conjunction with Windows Hello on my Windows 10 devices. It’s seamless and secure. Also, there’s no need to remember complex passwords or worry about someone watching me type the password over my shoulder.

What is a YubiKey?

Last year, Windows 10 Anniversary Update introduced expanded user verification options and standards-based authentication with Windows Hello. Windows 10 supports both key-based and certificate-based authentication.

Key-based authentication corresponds to the FIDO model of public key cryptography, while certificate-based authentication relates to public key infrastructure (PKI). The former is a great proposition for enterprises that don’t use PKI or want to minimize reliance on certificates.

Founded in 2007, Yubico introduced YubiKey, a versatile authentication device. It supports many standards-based authentication protocols for host-based and cloud-based services, such as Dropbox. Now, YubiKey enables the FIDO ecosystem for Windows 10 users.

YubiKey for Windows Hello

Interestingly, to use a YubiKey for Windows Hello authentication, you don’t use the built-in Windows Hello settings. Instead, you download a separate app, YubiKey for Windows Hello, from the Windows Store.

Built on the Windows Companion Device Framework, it’s a pretty straightforward app that takes you step by step to register your YubiKey, and get it working with Windows Hello. Once done, you can just walk up to your device and plug in your YubiKey. It will authenticate your identity and log you into Windows 10. The app allows you to register a maximum of four YubiKeys per account.

While registering for Windows Hello, the CCID mode must be enabled on the YubiKey. CCID is enabled by default on all YubiKey 4 devices. Some older YubiKey NEOs do not have it enabled, and you can enable the CCID mode using the YubiKey NEO Manager.

Using YubiKey on Windows 10 devices

Once set up, YubiKey is recognized as a companion device for Windows Hello. So, it doesn’t just work for logging on to Windows, but also for apps that use Windows Hello authentication, like OneDrive or Enpass. It’s pretty neat, really. It’s also quite handy to allow a friend or colleague temporary access to your machine without sharing the password.

While a YubiKey can be tied to only one account on a device, I could use it on multiple devices with multiple accounts. I could use the same YubiKey on my Surface with my Microsoft account as well as on my wife’s laptop with her account.

There are some limitations, though. The Windows 10 device doesn’t log off the user if the YubiKey is pulled out. Since the key is used to validate my identity on Windows 10, it’s reasonable to assume that removing it should lock one out. However, that doesn’t happen, and you’d have to lock the system manually or let Windows 10 lock itself as configured.

Also, there is no way to make the YubiKey mandatory for unlocking the system. You can always access your account using your PIN or password.
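One way to work around the removal limitation described above, shown as an added example that is not part of the original article or of Yubico's app: a PowerShell session that locks the workstation when a USB device carrying Yubico's vendor ID is unplugged. It assumes the key enumerates with USB vendor ID 1050; the source identifier `YubiKeyRemoved` is a name chosen for this example.

```powershell
# Added example: lock the Windows session when a Yubico USB device is removed.
# Assumption: the key shows up as a PnP device whose DeviceID contains
# VID_1050 (Yubico's USB vendor ID).
$vidPattern = '%VID_1050%'

# WQL event query: fire when a matching Win32_PnPEntity instance disappears.
# WITHIN 2 makes WMI poll for changes every 2 seconds.
$query = "SELECT * FROM __InstanceDeletionEvent WITHIN 2 " +
         "WHERE TargetInstance ISA 'Win32_PnPEntity' " +
         "AND TargetInstance.DeviceID LIKE '$vidPattern'"

# Replace any earlier subscription with the same (example-chosen) name.
Unregister-Event -SourceIdentifier 'YubiKeyRemoved' -ErrorAction SilentlyContinue

Register-CimIndicationEvent -Query $query -SourceIdentifier 'YubiKeyRemoved' -Action {
    # A YubiKey is a composite device (keyboard, smart card reader, ...),
    # so one unplug can raise several events. Locking twice is harmless.
    $deviceId = $Event.SourceEventArgs.NewEvent.TargetInstance.DeviceID
    Write-Host "Removed $deviceId, locking workstation"
    & "$env:SystemRoot\System32\rundll32.exe" 'user32.dll,LockWorkStation'
} | Out-Null

# The subscription lives only as long as this PowerShell session.
# Keep the script running so removals continue to be handled.
while ($true) { Start-Sleep -Seconds 5 }
```

This only closes the gap on removal; the PIN and password still unlock the account, as noted above.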

Summary

There are several YubiKey variants available. I got the YubiKey 4 ($40) as well as the YubiKey 4 Nano ($50). While the Nano variant is obviously smaller in size, and almost doesn’t protrude once it’s inserted in the USB port, it’s a tad inconvenient to pull out. The YubiKey 4 is similar to any slim pen drive out there, and fits just right amongst a bunch of keys in a key ring.

There’s also another variant, the YubiKey NEO ($50), which is slower than the YubiKey 4. It’s a known issue, and Yubico recommends that users swipe the screen or press any key rather than tapping the YubiKey.

YubiKey is a very handy device to enable Windows Hello on your Windows 10 devices. The setup is easy, and getting started is seamless. While organizations can certainly deploy YubiKeys for their employees, it’s also an affordable and useful authentication device for regular users.