How do I get windows applications to recognize my yubikey?












I have successfully used my Yubikey to get my Chrome and Firefox browsers to get my 2-Step Verification to work with my Google account. Unfortunately, I have a few Windows applications which I cannot get to work with my key. I enter my user name in screen 1, password in screen 2, and then I get the third step, the key step:
[Image: U2F prompt screen 3]
I am never able to get this window to recognize my key. I can't even figure out what browser is being used for this authentication. My understanding is that Windows IE 11 does not support FIDO / U2F, so I tried disabling Windows IE in hopes it would switch the back end to Edge, which might work better. It did not.



What can I do to get these applications and others with a similar interface and prompt to recognize my key? If that is not possible, why? Further, if it is not possible, short of leaving 2-step verification, what alternatives are available?



Windows Mail Application is an example of such an application (this gives a message saying "You can only use your Security Keys with Google Chrome."). Another example of such an application is UpSafe's Free Gmail Backup, which takes me to the U2F prompt screen image above.



One of my devices is a Feitian MultiPass FIDO. The other is a Yubico U2F FIDO USB Key.







windows-10 gmail yubikey u2f














edited Feb 6 at 16:40







BKay

















asked Feb 6 at 15:59









BKay













  • Can you give examples of the applications? If so I can try testing on my end. And which model Yubi do you have? (Some apps require FIDO2 and won't work with the FIDO-only keys.)

    – Ruscal
    Feb 6 at 16:13











  • I updated the question with the answer to these questions.

    – BKay
    Feb 6 at 16:41



















1 Answer
The built-in Windows Mail application doesn't have the necessary handlers for FIDO authentication, so that one makes sense. (Also, a persistent mail app isn't something that you'd use with MFA since it needs to be able to run even when you & your token aren't around.) For this purpose I'd recommend you set up an App Password just for the Mail app on the trusted device.



It looks like UpSafe (who, shame on them, have literally zero published documentation at their site) is using a browser to make a login call and then running in an isolation context. It is a decent idea, but the wrong way to do security; as an external service performing operations on your behalf, they should use OAuth tokens.



The idea with security and an un-/semi-trusted 3rd party provider is that they shouldn't ever have access to your passwords (which would let them operate as you, with full control of the account) and instead they should have permission granted to them by you for only the specific items they need (read mail/contacts/etc. but not modify or create). That's where OAuth comes in.



UpSafe, it seems (I really wish they'd publish documentation so I could speak about this with more precision), has yet to implement that type of security. If instead they are asking for an interactive login it would indicate that they are saving your password and using your credentials to access the account (personally, that is a "run away" sign). Since your saved credentials don't work without the 2FA key, they re-prompt you the same way as if you'd changed passwords on them. Rinse. Repeat.



In both circumstances your issue isn't with Google authentication or the Yubikey, it is with the application performing the login. And neither of these use cases actually works with MFA (they require constant, user-not-present access in order to function properly).
In the case of the Mail app installed on your laptop, it makes sense -- the way a mail app works isn't conducive to MFA and should be set up with an App Password (it isn't a 3rd party provider doing the access on your behalf, it is still you; but it needs access all the time, even without your key present). In the case of UpSafe it seems that (pure speculation without any documentation) they are storing and reusing the password (grumble). They are an external 3rd party and really should be using OAuth, but if you trust them and don't mind giving them full access to your account, you can use an App Password for them as well.

















answered Feb 7 at 14:10









Ruscal













  • As far as I can tell, you can't use the App Password function with the security keys. Do you know otherwise? Those links don't have an option to use one with my account. Going to "myaccount.google.com/apppasswords" gives error message "The setting you are looking for is not available for your account."

    – BKay
    Feb 7 at 14:49











  • @BKay Is your account a company or GSuite account? I just went to myaccount.google.com/apppasswords from my PC (using Chrome, account is 2FA with a Yubikey 4 NFC) and it is letting me set up & manage app passwords. If you're using a managed account (company/school using GSuite), then the domain administrator will have to allow App Passwords.

    – Ruscal
    Feb 7 at 16:39
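
What the answer means by OAuth tokens, sketched as an added example (not part of the original post, and not UpSafe's or Google's code): a desktop app builds an authorization request for a read-only Gmail scope and hands it to the user's normal browser (Chrome or Firefox in the question), where the password and security key go to Google only, then accepts just the one-time code. The client ID and loopback redirect URI are placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Google's OAuth 2.0 authorization endpoint and two Gmail scopes.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
SCOPE_READONLY = "https://www.googleapis.com/auth/gmail.readonly"
SCOPE_FULL_MAIL = "https://mail.google.com/"

# Placeholders (assumptions): a real app registers its own client ID and
# listens on a loopback port of its choosing.
CLIENT_ID = "EXAMPLE-CLIENT-ID.apps.googleusercontent.com"
REDIRECT_URI = "http://127.0.0.1:8765/callback"


def b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge (RFC 7636) for a given code verifier."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def start_authorization(scopes):
    """Return (url, state, verifier) for a login in the system browser.

    The app never sees the password or the security-key exchange; it only
    keeps `state` and `verifier` to match and redeem the response.
    """
    state = secrets.token_urlsafe(16)
    verifier = b64url(secrets.token_bytes(32))
    query = urlencode({
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    })
    return f"{AUTH_ENDPOINT}?{query}", state, verifier


def handle_redirect(redirect_url, expected_state):
    """Extract the one-time authorization code from the loopback redirect."""
    params = parse_qs(urlparse(redirect_url).query)
    if "error" in params:
        raise PermissionError(f"authorization refused: {params['error'][0]}")
    returned = params.get("state", [""])[0]
    if not secrets.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response is not for this login")
    if "code" not in params:
        raise ValueError("no authorization code in redirect")
    return params["code"][0]


def excess_scopes(granted, needed):
    """Scopes a token holds beyond what the job needs (least privilege)."""
    return sorted(set(granted.split()) - set(needed))


if __name__ == "__main__":
    url, state, verifier = start_authorization([SCOPE_READONLY])
    print("Open in the system browser:", url)
    # Constructed redirect, standing in for what the browser sends back.
    sample = f"{REDIRECT_URI}?state={state}&code=SAMPLE-CODE"
    print("code:", handle_redirect(sample, state))
    granted = f"{SCOPE_READONLY} {SCOPE_FULL_MAIL}"
    print("excess:", excess_scopes(granted, [SCOPE_READONLY]))
```

A backup tool that only reads mail needs nothing beyond the read-only scope; the resulting grant can be revoked on its own, without changing the account password.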




















