Microsoft's bio-authentication system, Windows Hello, is one of the features users most often ask for in new PCs. Currently, the most popular methods are fingerprint readers, facial recognition using IR cameras, or iris scanners (for phones).
Another new Windows Hello method is just starting to come to market: companion devices. In theory, wearables like smartwatches or your phone could be yet another way to validate your authenticity. YubiKey's new app for Windows 10 fits into this category. Today, I'll review it and show you how it works.
YubiKey – What it is
YubiKeys by Yubico are small USB devices that you carry around with you to add two-factor authentication (aka '2FA') to various apps and services. For instance, if you use LastPass to store all your passwords, you need one master password to unlock them all. That's a huge security vulnerability because if someone managed to get that password, they would get everything else in your safe too. With a YubiKey, the attacker would physically need your USB YubiKey in addition to your password to unlock your virtual safe.
Sure, 2FA is an extra step. Besides typing in your password, you need to insert the YubiKey, wait a second, and press on the touch-to-sign metal area on the key. It's super easy to use, but still a little more work. Nonetheless, when it comes to security that type of protection is wanted — and needed — by many.
Other services that work with YubiKey include Google, Dashlane, KeePass, Dropbox, Evernote, WordPress, GitHub, and other things like disk encryption.
There are three main types of YubiKeys on sale right now:
- YubiKey 4 (USB)
- YubiKey 4 Nano (USB)
- YubiKey NEO (USB and NFC)
They range in price from $40 for the regular USB versions to $50 for the USB and NFC variant. With NFC, users can also use the YubiKey NEO for Android mobile phones and presumably any other system with NFC.
At CES 2017 Yubico announced YubiKey 4C, which is a USB Type-C device to keep up with modern PCs and computers. That version goes on sale in February 2017 for $50 as well.
YubiKey for Windows Hello
Recently, Yubico released a new app called YubiKey for Windows Hello in the Windows Store. The free app lets you link your YubiKey to your PC (not Microsoft Account) as a companion security device.
While it is not bio-authentication (e.g. fingerprint or face recognition), adding a YubiKey to your PC lets you unlock and log into the computer just by inserting the physical device into the PC.
So, why bother? Most PCs today, including laptops and desktops, do not have a built-in Windows Hello system. By using YubiKey, you can cheaply add this to your PC while also using it with your other apps and services listed above.
Once inserted into the PC, the system is unlocked all the time. Removing the key lets it lock again. A YubiKey is small enough to be carried around on a key chain, making it easy to use with your home PC or laptop.
Setting up YubiKey is very easy once you have the physical device in your possession.
- Download and run YubiKey for Windows Hello from the Store
- Select Register
- After inserting the YubiKey into a USB Port select Continue
- Optionally name the YubiKey (good if you have multiple keys) and choose Continue
- Follow the prompts to authenticate your key with Windows Hello
- When done choose Finish
That's it. The whole process takes about 30 seconds.
Setting up on Windows 10 Pro or Enterprise
For those with a Windows 10 Home license, the above steps are all that is required to get YubiKey working with Windows Hello. If, however, you have Windows 10 Pro or Enterprise editions, you will need to edit the Local Security Policy to allow companion devices.
If you are unsure which version of Windows 10 you have, simply go to Settings > System > About, and under Edition it should read as Windows 10 Home, Windows 10 Pro, or Windows 10 for Enterprise.
If you are on Windows 10 Pro or Enterprise, you can modify the system to allow companion devices for Windows Hello. Here is how, according to Yubico:
- Open the Local Group Policy Editor. To do this, press [Windows key + R], and then type gpedit.msc.
- In the Local Group Policy Editor, from the top level Local Computer Policy, navigate to Computer Configuration > Administrative Templates > Windows Components > Microsoft Secondary Authentication Factor.
- In the right pane, click the link to Edit policy setting. (You can also double-click the setting to Allow companion device for secondary authentication.) The default state is Not configured.
- In the setting screen, select the option for Enabled, and click OK. If this option is already selected, your policy is set and you can click Cancel.
- Exit the Local Group Policy Editor and the Management Console.
Again, if you are on Windows 10 Home you can skip this, as there is no Local Group Policy Editor.
There are some interesting restrictions, though, with using a companion device like YubiKey and Windows Hello.
For instance, the YubiKey is not a two-factor authenticator for Windows Hello. In other words, the computer does not need to scan your face and see the YubiKey in the USB port to unlock your PC.
Instead, the YubiKey is a non-biometric based physical device that can optionally unlock your PC when inserted. If you lose the key, you can still use a PIN, a fingerprint, a facial scan, or the primary password to log into the computer like normal.
Currently, there is no way to require that the YubiKey be in the USB port to unlock the PC. That means if someone still has your full PC password, they can unlock your computer whether your YubiKey is there or not. In that sense, if you already have a fingerprint reader or facial recognition, using YubiKey is not needed.
Conceptually, however, you can think of it this way: when you leave the YubiKey in your PC, it is unlocked for everyone like a car. When you remove the YubiKey, the system is now locked. There are many environments including schools, enterprise, or labs where such a key system would be desirable. It's also a good option if you already use YubiKey and don't have a biometric Windows Hello system for your computer.
Overall, the YubiKey for Windows Hello app and key is a neat option for those interested in security. For a home computer, a parent could use this key to keep the PC unlocked for their kids without having to type in a password or use a fingerprint regularly. Once the key is removed, however, the child cannot use the computer.
I'd also suggest YubiKey as an option for those without a Windows Hello facial recognition camera or fingerprint reader. When inserted it allows the user to unlock the PC with ease and can be a valuable tool in various situations.
For offices, the YubiKey for Windows Hello app also works on the Surface Hub. That means keys can be given to employees to unlock certain computers or the Surface Hub without requiring IT to get involved with assigning or sharing of passwords.
Of course, there are other uses for YubiKey besides Windows Hello, which gives the tool a secondary and exciting use. In the future, consumers can expect such functionality to come to their mobile phones, smartwatches, and more, making computer security even more flexible while allowing you to have a very long password.
Daniel Rubino is the Executive Editor of Windows Central, head reviewer, podcast co-host, and analyst. He has been covering Microsoft here since 2007, back when this site was called WMExperts (and later Windows Phone Central). His interests include Windows, Microsoft Surface, laptops, next-gen computing, and arguing with people on the internet.
The price seems right for what it does. Thanks for the review :).
Is it $5?
Obviously I read the article. $40 for a thumb drive that only unlocks your PC is way overpriced. $5 for such a thing would be reasonable.
Yeah security, it's never worth it.... wow I bet you are a Yahoo user.
It is $40 for a thumb drive. It should at least have some sort of biometrics built in.
I agree. It's reasonable for something as integrated as this. I'm sure cheaper alternatives will surface. More I think about it.... Maybe $50 is more reasonable for a Surface branded one.
Does any FIDO U2F device work, such as https://www.amazon.ca/Yubico-Y-123-FIDO-U2F-Security/dp/B00NLKA0D8?tag=h...
I wonder if the 4C will also work with the lumias.
Official Yubico video - https://www.youtube.com/watch?v=vOEImhrwAh8
I'm better off using a pin or password.
My only problem with this device is the physical design. It's so thin and sticks out so far, I can easily imagine a situation where something strikes it or you move your laptop around and accidentally break the thing off by hitting a wall, table, whatever where the device is protruding. Now you have a piece stuck in your USB port but no actual key. If you're careful, however, I do think this could be a worthwhile device.
You might be wanting the Yubikey Nano. A couple engineers at work have these. They seem to work great. They don't stick out much at all and these cost 10 bucks more. https://www.amazon.com/Yubico-Y-159-YubiKey-4-Nano/dp/B018Y1XXT6/ref=sr_...
That's more like it. Although now I see why the YubiKey NEO (which is evidently the model that's pictured in the article) is different from the Nano--it is NFC capable. This, of course, could be an additional security concern. Thanks for the heads-up on the Nano!
Unplug it after you are done logging in. It doesn't have to stay plugged in all the time, only at login, or when you use it to login to other apps on your computer.
Wait a while until, one, it's cheaper and more services are supported; seems limited at the minute.
I think it's a good device; the only problem is with the design.
Meh, if you already have a Windows Hello compatible device, I'd rather just use both my fingerprint/face + a pin. No need for another hardware...
Yes, IF you already do. The SP3, for example, is not Hello-compatible.
This kind of device is not for me. I'll always lose it. I like my finger and face, which will always be where I am.
The shadow of him in the last picture... He looks as if he is holding a gun and... Just my first thoughts. Not to be rude. Hehe
Appreciate the guide; I didn't know it wasn't a 2FA method until I read this. I'm actually glad that it isn't a 2FA method, because I'd never want to have to use a physical key with my PCs (didn't that die with the 90s?). That said, as you pointed out, this is a great way to give people temporary physical access to Windows without sharing your password with them.