or I need YubiKey 5? I'm not sure which can be used with AAF.
Thanks for advice.
David
Hello David,
I think any device that is FIDO2 compatible is fine, but how exactly are you planning to use AAF (so I can double check)?
Thanks.
Regards,
Luciano Testa
Customer is planning to use AAF with Windows 10/11 plus OES client, GroupWise, Filr, ZenWorks Service Desk etc. Second factor probably TOTP.
David
Then the Windows client supports the FIDO2 and FIDO U2F methods.
Hey David,
I can confirm that the YubiKey (5) NFC works fine with U2F or FIDO2. In addition to your request, I would like to know if I can use U2F or FIDO2 without inserting the YubiKey physically, but instead using NFC. Does anyone have any experience with this?
Regards,
Jens
Hello Jens,
How exactly do these devices work, with a phone? Or where are these placed? I need more details to get an answer to your question, thanks.
Regards,
Luciano Testa
Dear Luciano,
I would like to know if anyone has experience with the following scenario:
Requirements:
- YubiKey 5 NFC
- Laptops with integrated NFC reader
- Windows 10 or Windows 11
- MFA protocol U2F or FIDO2
Current process:
- In the Windows login window, select the appropriate MFA event after user input
- 1st factor (password, PIN ...)
- 2nd factor, e.g., for FIDO2 -> Insert YubiKey into the USB slot, enter PIN, tap on YK
- Login
The described process and question here relate to the 2nd factor (FIDO2 or U2F). Instead of connecting the YubiKey via USB, we would like to simply place the YubiKey on the NFC reader and, depending on the protocol, log in with (FIDO2) or without (U2F) PIN entry.
Regards,
Jens
Beware the following caveats:
A: The OES client + AAF client currently does not support FIDO2 with OES client as primary credential provider. I've been waiting well over a year for a fix.
B: There's also a bug where OES client + AAF client 6.4.2(.1) will not work if OES client is primary credential provider. They are working on an official fix.
Workaround for both is to switch to using AAF as primary credential provider.
Fix just for issue B is to continue to use the previous AAF 6.4.1 client.
Rodney
Hello Jens,
Apologies about the delay in replying. I had to ask internally.
Yes, this works. YubiKey on an NFC reader.
Hope that helps.
Thanks.
Regards,
Luciano Testa
Hey Luciano Testa,
We have now tried various things and tested a lot.
When we register the U2F method, we can only do this by inserting the YubiKey into the USB slot and tapping on it. This wouldn't be a problem if at least after registering the U2F method, placing the key on the NFC field would work. Attempts to log in to Windows solely by placing the key on the NFC field have also failed, regardless of whether a second factor is used or not.
Are there specific settings that we need to configure for this? Any tips or ideas on where we need to look for solutions?
System:
- Windows 10, Windows 11
Hardware:
- Integrated NFC Reader / external NFC Reader
- YubiKey 5 NFC, YubiKey 5 NFC FIPS
Regards,
Jens
Hello Jens,
I just checked this internally and it will work with the FIDO2 method, not the U2F.
Thanks.
Regards,
Luciano Testa