Can the Security Key NFC by Yubico be used for Windows Desktop Logon?

Or do I need a YubiKey 5? I'm not sure which can be used with AAF.

Thanks for the advice.

David

  • 0  

    Hello David,

    I think any device that is FIDO2 compatible is fine, but how exactly are you planning to use AAF (so I can double check)?

    Thanks.

    Regards,

    Luciano Testa

  • 0   in reply to   

    Customer is planning to use AAF with Windows 10/11 plus OES client, GroupWise, Filr, ZenWorks Service Desk etc. Second factor probably TOTP.

    David

  • 0   in reply to   

    Then the Windows client supports the FIDO2 and FIDO U2F methods.

  • 0

    Hey David,
    I can confirm that the YubiKey (5) NFC works fine with U2F or FIDO2. In addition to your request, I would like to know if I can use U2F or FIDO2 without inserting the YubiKey physically, but instead using NFC. Does anyone have any experience with this?

    Regards,
    Jens

  • 0   in reply to 

    Hello Jens,

    How exactly do these devices work, with a phone? Or where are these placed? I need more details to get an answer to your question, thanks.

    Regards,

    Luciano Testa

  • 0 in reply to   

    Dear Luciano,

    I would like to know if anyone has experience with the following scenario:

    Requirements:
    - YubiKey 5 NFC
    - Laptops with integrated NFC reader
    - Windows 10 or Windows 11
    - MFA protocol U2F or FIDO2

    Current process:
    - In the Windows login window, select the appropriate MFA event after user input
    - 1st factor (password, PIN ...)
    - 2nd factor, e.g., for FIDO2 -> Insert YubiKey into the USB slot, enter PIN, tap on YK
    - Login

    The described process and question here relate to the 2nd factor (FIDO2 or U2F). Instead of connecting the YubiKey via USB, we would like to simply place the YubiKey on the NFC reader and, depending on the protocol, log in with (FIDO2) or without (U2F) PIN entry.

    Regards,
    Jens

  • 0   in reply to   

    Beware the following caveats:

    A: The OES client + AAF client currently does not support FIDO2 with OES client as primary credential provider. I've been waiting well over a year for a fix.

    B: There's also a bug where OES client + AAF client 6.4.2(.1) will not work if OES client is primary credential provider. They are working on an official fix.

    Workaround for both is to switch to using AAF as primary credential provider.

    Fix just for issue B is to continue to use the previous AAF 6.4.1 client.

    Rodney


  • Suggested Answer

    0   in reply to 

    Hello Jens,

    Apologies about the delay in replying. I had to ask internally.

    Yes, this works. YubiKey on an NFC reader.

    Hope that helps.

    Thanks.

    Regards,

    Luciano Testa

  • 0 in reply to   
    Yes, this works. YubiKey on an NFC reader.

    Hey Luciano Testa,
    We have now tried various things and tested a lot.

    When we register the U2F method, we can only do this by inserting the YubiKey into the USB slot and tapping on it. This wouldn't be a problem if at least after registering the U2F method, placing the key on the NFC field would work. Attempts to log in to Windows solely by placing the key on the NFC field have also failed, regardless of whether a second factor is used or not.

    Are there specific settings that we need to configure for this? Any tips or ideas on where we need to look for solutions?

    System:
    - Windows 10, Windows 11
    Hardware:
    - Integrated NFC Reader / external NFC Reader
    - YubiKey 5 NFC, YubiKey 5 NFC FIPS

    Regards,
    Jens

  • Suggested Answer

    0   in reply to 

    Hello Jens,

    I just checked this internally and it will work with the FIDO2 method, not the U2F.

    Thanks.

    Regards,

    Luciano Testa