How do I get windows applications to recognize my yubikey?
I have successfully used my Yubikey to get my Chrome and Firefox browsers to get my 2-Step Verification to work with my Google account. Unfortunately, I have a few windows applications which I cannot get to work with my key. I enter in my user name in screen 1, password in screen 2, and then I get third the key step:
I am never able to get this window to recognize my key. I can't even figure out what browser is being used for this authentication. My understanding is that windows IE 11 does not support FIDO / U2F, so I tried disabling Windows IE in hopes it would switch the back end to Edge which might work better. It did not.
What can I do get this applications and others with a similar interface and prompt to recognize my key? If that is not possible, why? Further, if it is not possible, short of leaving 2-step verification, what alternatives are available?
Windows Mail Application is an example of such an application (this gives a message saying "You can only use your Security Keys with Google Chrome." Another example of such an application is UpSafe's Free Gmail Backup which takes me to the U2F prompt screen image above.
One of my devices is a Feitian MultiPass FIDO. The other is a Yubico U2F FIDO USB Key.
windows-10 gmail yubikey u2f
asked Feb 6 at 15:59
BKayBKay
1013
add a comment |
I have successfully used my Yubikey to get my Chrome and Firefox browsers to get my 2-Step Verification to work with my Google account. Unfortunately, I have a few windows applications which I cannot get to work with my key. I enter in my user name in screen 1, password in screen 2, and then I get third the key step:
I am never able to get this window to recognize my key. I can't even figure out what browser is being used for this authentication. My understanding is that windows IE 11 does not support FIDO / U2F, so I tried disabling Windows IE in hopes it would switch the back end to Edge which might work better. It did not.
What can I do get this applications and others with a similar interface and prompt to recognize my key? If that is not possible, why? Further, if it is not possible, short of leaving 2-step verification, what alternatives are available?
Windows Mail Application is an example of such an application (this gives a message saying "You can only use your Security Keys with Google Chrome." Another example of such an application is UpSafe's Free Gmail Backup which takes me to the U2F prompt screen image above.
One of my devices is a Feitian MultiPass FIDO. The other is a Yubico U2F FIDO USB Key.
windows-10 gmail yubikey u2f
asked Feb 6 at 15:59
BKayBKay
1013
Can you give examples of the applications? If so I can try testing on my end. And which model Yubi do you have (some apps require FIDO2 and won't work with the FIDO-only keys)
– Ruscal
Feb 6 at 16:13
I updated the question with the answer to these questions.
– BKay
Feb 6 at 16:41
add a comment |
I have successfully used my Yubikey to get my Chrome and Firefox browsers to get my 2-Step Verification to work with my Google account. Unfortunately, I have a few windows applications which I cannot get to work with my key. I enter in my user name in screen 1, password in screen 2, and then I get third the key step:
I am never able to get this window to recognize my key. I can't even figure out what browser is being used for this authentication. My understanding is that windows IE 11 does not support FIDO / U2F, so I tried disabling Windows IE in hopes it would switch the back end to Edge which might work better. It did not.
What can I do get this applications and others with a similar interface and prompt to recognize my key? If that is not possible, why? Further, if it is not possible, short of leaving 2-step verification, what alternatives are available?
Windows Mail Application is an example of such an application (this gives a message saying "You can only use your Security Keys with Google Chrome." Another example of such an application is UpSafe's Free Gmail Backup which takes me to the U2F prompt screen image above.
One of my devices is a Feitian MultiPass FIDO. The other is a Yubico U2F FIDO USB Key.
windows-10 gmail yubikey u2f
asked Feb 6 at 15:59
BKayBKay
1013
I have successfully used my Yubikey to get my Chrome and Firefox browsers to get my 2-Step Verification to work with my Google account. Unfortunately, I have a few windows applications which I cannot get to work with my key. I enter in my user name in screen 1, password in screen 2, and then I get third the key step:
I am never able to get this window to recognize my key. I can't even figure out what browser is being used for this authentication. My understanding is that windows IE 11 does not support FIDO / U2F, so I tried disabling Windows IE in hopes it would switch the back end to Edge which might work better. It did not.
What can I do get this applications and others with a similar interface and prompt to recognize my key? If that is not possible, why? Further, if it is not possible, short of leaving 2-step verification, what alternatives are available?
Windows Mail Application is an example of such an application (this gives a message saying "You can only use your Security Keys with Google Chrome." Another example of such an application is UpSafe's Free Gmail Backup which takes me to the U2F prompt screen image above.
One of my devices is a Feitian MultiPass FIDO. The other is a Yubico U2F FIDO USB Key.
windows-10 gmail yubikey u2f
windows-10 gmail yubikey u2f
asked Feb 6 at 15:59
BKayBKay
1013
asked Feb 6 at 15:59
BKayBKay
1013
edited Feb 6 at 16:40
BKay
asked Feb 6 at 15:59
BKayBKay
1013
asked Feb 6 at 15:59
BKayBKay
1013
asked Feb 6 at 15:59
BKayBKay
1013
1013
Can you give examples of the applications? If so I can try testing on my end. And which model Yubi do you have (some apps require FIDO2 and won't work with the FIDO-only keys)
– Ruscal
Feb 6 at 16:13
I updated the question with the answer to these questions.
– BKay
Feb 6 at 16:41
add a comment |
Can you give examples of the applications? If so I can try testing on my end. And which model Yubi do you have (some apps require FIDO2 and won't work with the FIDO-only keys)
– Ruscal
Feb 6 at 16:13
I updated the question with the answer to these questions.
– BKay
Feb 6 at 16:41
Can you give examples of the applications? If so I can try testing on my end. And which model Yubi do you have (some apps require FIDO2 and won't work with the FIDO-only keys)
– Ruscal
Feb 6 at 16:13
Can you give examples of the applications? If so I can try testing on my end. And which model Yubi do you have (some apps require FIDO2 and won't work with the FIDO-only keys)
– Ruscal
Feb 6 at 16:13
I updated the question with the answer to these questions.
– BKay
Feb 6 at 16:41
I updated the question with the answer to these questions.
– BKay
Feb 6 at 16:41
add a comment |
1 Answer
1
active
oldest
votes
The built in Windows Mail application doesn't have the necessary handlers for FIDO authentication, so that one makes sense. (Also, a persistent mail app isn't something that you'd use with MFA since it needs to be able to run even when you & your token aren't around). For this purpose I'd recommend you setup an App Password just for the Mail app on the trusted device.
It looks like UpSafe (who, shame on them, have literally zero published documentation at their site) is using a browser to make a login call and then running in an isolation context. It is a decent idea, but the wrong way to do security; as an external service performing operations on your behalf, they should use OAUTH tokens.
The idea with security and a un-/semi-trusted 3rd party provider is that they shouldn't ever have access to your passwords (which would let them operate as you, with full control of the account) and instead they should have permission granted to them by you for only the specific items they need (read mail/contacts/etc but not modify or create). That's where the OAUTH comes in.
UpSafe, it seems (I really wish they'd publish documentation so I could speak about this with more precision), has yet to implement that type of security. If instead they are asking for an interactive login it would indicate that they are saving your password and using your credentials to access the account (personally, that is a "run away" sign). Since your saved credentials don't work without the 2FA key, then they re-prompt you the same was as if you'd changed passwords on them. Rinse. Repeat.
In both circumstances your issue isn't with Google authentication or the Yubikey, it is with the application performing the login. And, that neither of these use cases actually work with MFA (they require constant, user-not-present access in order to function properly).
In the case of the Mail app installed on your laptop, it makes sense -- the way a mail app works isn't conducive to MFA and should be setup with an App Password (it isn't a 3rd party provider doing the access on your behalf, it is still you; but it needs access all the time, even without your key present). In the case of UpSafe it seems that (pure speculation without any documentation) they are storing and reusing the password (grumble). They are an external 3rd party and really should be using OAUTH, but if you trust them and don't mind giving them full access to your account, you can use an App Password for them as well.
answered Feb 7 at 14:10
RuscalRuscal
512311
As far as I can tell, you can't use the App Password function with the security keys. Do you know otherwise? Those links don't have an option to use one with my account. Going to "myaccount.google.com/apppasswords" gives error message "The setting you are looking for is not available for your account."
– BKay
Feb 7 at 14:49
@BKay Is your account a company or GSuite account? I just went to myaccount.google.com/apppasswords from my PC (using Chrome, account is 2FA with a Yubikey 4 NFC) and it is letting me setup & manage app passwords. If you're using a managed account (company/school using GSuite then the domain administrator will have to allow App Passwords)
– Ruscal
Feb 7 at 16:39
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1402736%2fhow-do-i-get-windows-applications-to-recognize-my-yubikey%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
The built in Windows Mail application doesn't have the necessary handlers for FIDO authentication, so that one makes sense. (Also, a persistent mail app isn't something that you'd use with MFA since it needs to be able to run even when you & your token aren't around). For this purpose I'd recommend you setup an App Password just for the Mail app on the trusted device.
It looks like UpSafe (who, shame on them, have literally zero published documentation at their site) is using a browser to make a login call and then running in an isolation context. It is a decent idea, but the wrong way to do security; as an external service performing operations on your behalf, they should use OAUTH tokens.
The idea with security and a un-/semi-trusted 3rd party provider is that they shouldn't ever have access to your passwords (which would let them operate as you, with full control of the account) and instead they should have permission granted to them by you for only the specific items they need (read mail/contacts/etc but not modify or create). That's where the OAUTH comes in.
UpSafe, it seems (I really wish they'd publish documentation so I could speak about this with more precision), has yet to implement that type of security. If instead they are asking for an interactive login it would indicate that they are saving your password and using your credentials to access the account (personally, that is a "run away" sign). Since your saved credentials don't work without the 2FA key, then they re-prompt you the same was as if you'd changed passwords on them. Rinse. Repeat.
In both circumstances your issue isn't with Google authentication or the Yubikey, it is with the application performing the login. And, that neither of these use cases actually work with MFA (they require constant, user-not-present access in order to function properly).
In the case of the Mail app installed on your laptop, it makes sense -- the way a mail app works isn't conducive to MFA and should be setup with an App Password (it isn't a 3rd party provider doing the access on your behalf, it is still you; but it needs access all the time, even without your key present). In the case of UpSafe it seems that (pure speculation without any documentation) they are storing and reusing the password (grumble). They are an external 3rd party and really should be using OAUTH, but if you trust them and don't mind giving them full access to your account, you can use an App Password for them as well.
answered Feb 7 at 14:10
RuscalRuscal
512311
As far as I can tell, you can't use the App Password function with the security keys. Do you know otherwise? Those links don't have an option to use one with my account. Going to "myaccount.google.com/apppasswords" gives error message "The setting you are looking for is not available for your account."
– BKay
Feb 7 at 14:49
@BKay Is your account a company or GSuite account? I just went to myaccount.google.com/apppasswords from my PC (using Chrome, account is 2FA with a Yubikey 4 NFC) and it is letting me setup & manage app passwords. If you're using a managed account (company/school using GSuite then the domain administrator will have to allow App Passwords)
– Ruscal
Feb 7 at 16:39
add a comment |
The built in Windows Mail application doesn't have the necessary handlers for FIDO authentication, so that one makes sense. (Also, a persistent mail app isn't something that you'd use with MFA since it needs to be able to run even when you & your token aren't around). For this purpose I'd recommend you setup an App Password just for the Mail app on the trusted device.
It looks like UpSafe (who, shame on them, have literally zero published documentation at their site) is using a browser to make a login call and then running in an isolation context. It is a decent idea, but the wrong way to do security; as an external service performing operations on your behalf, they should use OAUTH tokens.
The idea with security and a un-/semi-trusted 3rd party provider is that they shouldn't ever have access to your passwords (which would let them operate as you, with full control of the account) and instead they should have permission granted to them by you for only the specific items they need (read mail/contacts/etc but not modify or create). That's where the OAUTH comes in.
UpSafe, it seems (I really wish they'd publish documentation so I could speak about this with more precision), has yet to implement that type of security. If instead they are asking for an interactive login it would indicate that they are saving your password and using your credentials to access the account (personally, that is a "run away" sign). Since your saved credentials don't work without the 2FA key, then they re-prompt you the same was as if you'd changed passwords on them. Rinse. Repeat.
In both circumstances your issue isn't with Google authentication or the Yubikey, it is with the application performing the login. And, that neither of these use cases actually work with MFA (they require constant, user-not-present access in order to function properly).
In the case of the Mail app installed on your laptop, it makes sense -- the way a mail app works isn't conducive to MFA and should be setup with an App Password (it isn't a 3rd party provider doing the access on your behalf, it is still you; but it needs access all the time, even without your key present). In the case of UpSafe it seems that (pure speculation without any documentation) they are storing and reusing the password (grumble). They are an external 3rd party and really should be using OAUTH, but if you trust them and don't mind giving them full access to your account, you can use an App Password for them as well.
answered Feb 7 at 14:10
RuscalRuscal
512311
As far as I can tell, you can't use the App Password function with the security keys. Do you know otherwise? Those links don't have an option to use one with my account. Going to "myaccount.google.com/apppasswords" gives error message "The setting you are looking for is not available for your account."
– BKay
Feb 7 at 14:49
@BKay Is your account a company or GSuite account? I just went to myaccount.google.com/apppasswords from my PC (using Chrome, account is 2FA with a Yubikey 4 NFC) and it is letting me setup & manage app passwords. If you're using a managed account (company/school using GSuite then the domain administrator will have to allow App Passwords)
– Ruscal
Feb 7 at 16:39
add a comment |
The built in Windows Mail application doesn't have the necessary handlers for FIDO authentication, so that one makes sense. (Also, a persistent mail app isn't something that you'd use with MFA since it needs to be able to run even when you & your token aren't around). For this purpose I'd recommend you setup an App Password just for the Mail app on the trusted device.
It looks like UpSafe (who, shame on them, have literally zero published documentation at their site) is using a browser to make a login call and then running in an isolation context. It is a decent idea, but the wrong way to do security; as an external service performing operations on your behalf, they should use OAUTH tokens.
The idea with security and a un-/semi-trusted 3rd party provider is that they shouldn't ever have access to your passwords (which would let them operate as you, with full control of the account) and instead they should have permission granted to them by you for only the specific items they need (read mail/contacts/etc but not modify or create). That's where the OAUTH comes in.
UpSafe, it seems (I really wish they'd publish documentation so I could speak about this with more precision), has yet to implement that type of security. If instead they are asking for an interactive login it would indicate that they are saving your password and using your credentials to access the account (personally, that is a "run away" sign). Since your saved credentials don't work without the 2FA key, then they re-prompt you the same was as if you'd changed passwords on them. Rinse. Repeat.
In both circumstances your issue isn't with Google authentication or the Yubikey, it is with the application performing the login. And, that neither of these use cases actually work with MFA (they require constant, user-not-present access in order to function properly).
In the case of the Mail app installed on your laptop, it makes sense -- the way a mail app works isn't conducive to MFA and should be setup with an App Password (it isn't a 3rd party provider doing the access on your behalf, it is still you; but it needs access all the time, even without your key present). In the case of UpSafe it seems that (pure speculation without any documentation) they are storing and reusing the password (grumble). They are an external 3rd party and really should be using OAUTH, but if you trust them and don't mind giving them full access to your account, you can use an App Password for them as well.
answered Feb 7 at 14:10
RuscalRuscal
512311
The built in Windows Mail application doesn't have the necessary handlers for FIDO authentication, so that one makes sense. (Also, a persistent mail app isn't something that you'd use with MFA since it needs to be able to run even when you & your token aren't around). For this purpose I'd recommend you setup an App Password just for the Mail app on the trusted device.
It looks like UpSafe (who, shame on them, have literally zero published documentation at their site) is using a browser to make a login call and then running in an isolation context. It is a decent idea, but the wrong way to do security; as an external service performing operations on your behalf, they should use OAUTH tokens.
The idea with security and a un-/semi-trusted 3rd party provider is that they shouldn't ever have access to your passwords (which would let them operate as you, with full control of the account) and instead they should have permission granted to them by you for only the specific items they need (read mail/contacts/etc but not modify or create). That's where the OAUTH comes in.
UpSafe, it seems (I really wish they'd publish documentation so I could speak about this with more precision), has yet to implement that type of security. If instead they are asking for an interactive login it would indicate that they are saving your password and using your credentials to access the account (personally, that is a "run away" sign). Since your saved credentials don't work without the 2FA key, then they re-prompt you the same was as if you'd changed passwords on them. Rinse. Repeat.
In both circumstances your issue isn't with Google authentication or the Yubikey, it is with the application performing the login. And, that neither of these use cases actually work with MFA (they require constant, user-not-present access in order to function properly).
In the case of the Mail app installed on your laptop, it makes sense -- the way a mail app works isn't conducive to MFA and should be setup with an App Password (it isn't a 3rd party provider doing the access on your behalf, it is still you; but it needs access all the time, even without your key present). In the case of UpSafe it seems that (pure speculation without any documentation) they are storing and reusing the password (grumble). They are an external 3rd party and really should be using OAUTH, but if you trust them and don't mind giving them full access to your account, you can use an App Password for them as well.
answered Feb 7 at 14:10
RuscalRuscal
512311
answered Feb 7 at 14:10
RuscalRuscal
512311
answered Feb 7 at 14:10
RuscalRuscal
512311
answered Feb 7 at 14:10
RuscalRuscal
512311
512311
As far as I can tell, you can't use the App Password function with the security keys. Do you know otherwise? Those links don't have an option to use one with my account. Going to "myaccount.google.com/apppasswords" gives error message "The setting you are looking for is not available for your account."
– BKay
Feb 7 at 14:49
@BKay Is your account a company or GSuite account? I just went to myaccount.google.com/apppasswords from my PC (using Chrome, account is 2FA with a Yubikey 4 NFC) and it is letting me setup & manage app passwords. If you're using a managed account (company/school using GSuite then the domain administrator will have to allow App Passwords)
– Ruscal
Feb 7 at 16:39
add a comment |
As far as I can tell, you can't use the App Password function with the security keys. Do you know otherwise? Those links don't have an option to use one with my account. Going to "myaccount.google.com/apppasswords" gives error message "The setting you are looking for is not available for your account."
– BKay
Feb 7 at 14:49
@BKay Is your account a company or GSuite account? I just went to myaccount.google.com/apppasswords from my PC (using Chrome, account is 2FA with a Yubikey 4 NFC) and it is letting me setup & manage app passwords. If you're using a managed account (company/school using GSuite then the domain administrator will have to allow App Passwords)
– Ruscal
Feb 7 at 16:39
As far as I can tell, you can't use the App Password function with the security keys. Do you know otherwise? Those links don't have an option to use one with my account. Going to "myaccount.google.com/apppasswords" gives error message "The setting you are looking for is not available for your account."
– BKay
Feb 7 at 14:49
As far as I can tell, you can't use the App Password function with the security keys. Do you know otherwise? Those links don't have an option to use one with my account. Going to "myaccount.google.com/apppasswords" gives error message "The setting you are looking for is not available for your account."
– BKay
Feb 7 at 14:49
@BKay Is your account a company or GSuite account? I just went to myaccount.google.com/apppasswords from my PC (using Chrome, account is 2FA with a Yubikey 4 NFC) and it is letting me setup & manage app passwords. If you're using a managed account (company/school using GSuite then the domain administrator will have to allow App Passwords)
– Ruscal
Feb 7 at 16:39
@BKay Is your account a company or GSuite account? I just went to myaccount.google.com/apppasswords from my PC (using Chrome, account is 2FA with a Yubikey 4 NFC) and it is letting me setup & manage app passwords. If you're using a managed account (company/school using GSuite then the domain administrator will have to allow App Passwords)
– Ruscal
Feb 7 at 16:39
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1402736%2fhow-do-i-get-windows-applications-to-recognize-my-yubikey%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Can you give examples of the applications? If so I can try testing on my end. And which model Yubi do you have (some apps require FIDO2 and won't work with the FIDO-only keys)
– Ruscal
Feb 6 at 16:13
I updated the question with the answer to these questions.
– BKay
Feb 6 at 16:41