How to set up a YubiKey with Windows 10?
With hardware security keys you can get the additional protection of two-factor authentication to make your login procedure secure. Follow these step-by-step instructions to easily set up a YubiKey with Windows 10.
- Microsoft Windows 10 Home, Pro, or Enterprise edition
- Anniversary Edition (Version 1607 required with build 14393.321 or later)
- TIP: To verify the version of Windows you are running, press the Windows key, then type r, select Run, and type winver. The About Windows dialog box displays information on the version and build number of Windows 10.
- CCID mode enabled on the YubiKey
- Local user or cloud user account
- Your local security policy set to allow companion devices for secondary authentication
- A PIN set (under sign-in options) for the user on the system who will be using the YubiKey (required)
Downloading and Installing the YubiKey for Windows Hello App
- From the Windows app store, locate the app.
- Click Get.
- When installation is completed, click Launch.
To access the YubiKey for Windows Hello app
- From the Start menu, select All Apps >Start > YubiKey for Windows Hello
To uninstall the YubiKey for Windows Hello App
Be sure you have unregistered any YubiKeys before you uninstall the app.
- In the Start menu, navigate to the YubiKey for Windows Hello app.
- Right-click the app and select Uninstall.
- Follow the prompts. It is not necessary to reboot your computer.
Setting Local Security Policy to Allow Companion Devices
On systems running Windows Pro or for Windows Enterprise systems, you must set the option to “Allow Companion Device For Secondary Authentication” in the Local Security Policy. If your organization manages your security policy, contact your IT administrator and request this change before installing this app. You cannot change local security policy on systems running Windows Home, however this option is enabled by default.
To modify local security policy
- Open the Local Group Policy Editor. To do this, press the Windows key, type R, and then type gpedit.msc.
- In the Local Group Policy Editor, from the top level Local Computer Policy, navigate to Computer Configuration > Administrative Templates > Windows Components > Microsoft Secondary Authentication Factor.
- In the right pane, click the link to Edit policy setting. (You can also double-click the setting to “Allow Companion Device For Secondary Authentication.”) The default state is Not Configured.
- If the policy is displaying Not Configured or Enabled, then you do not have to make any additional changes. Click Cancel.
- If the setting is displayed as Disabled, continue with the next step.
- In the setting screen, select the option for Enabled, and click OK.
- Exit the Local Group Policy Editor and the Management Console.
- This app is used to unlock your system only — it will not work with login (waking from sleep/hibernating requires a login).
- This app allows you to register a maximum of four YubiKeys per account.
- You cannot register the same YubiKey to more than one account on the same system.
- We recommend using this app only on single-user Windows systems; this app does not currently support multiple users.
- Yubico Authenticator with password set. Your YubiKey will not work for unlocking your system if you use Yubico Authenticator and have a password set. You can, however, register a YubiKey if Yubico Authenticator is open and you have already verified the password. (Issue #7)
- Requiring the YubiKey. There is currently no way to require the YubiKey to unlock your system — you can always access your account using your PIN or password.
- Removing all keys. If you have removed all YubiKeys but have not uninstalled the app, you are still prompted to use the YubiKey to unlock your system. To work around this issue, uninstall the app. (Issue #31)
- Removing a key. If you try to remove a YubiKey and the key is not inserted into your system, two OATH credentials will be present. You would need to delete these using an older version of Yubico Authenticator (2.3.0 or older) or by resetting the entire OATH applet (using the ykneomgr command line or opensc-tool command line).
- Resetting the OATH applet on the YubiKey. If you use the opensc-tool or ykneomgr command line tools to reset the OATH applet on the YubiKey, you will erase the credentials that you have registered for the YubiKey for Windows Hello app. (Issue #9)
Frequently Asked Questions
- When I try to register a YubiKey with the YubiKey for Windows Hello app, why do I receive an error?
It may be because your local security policy needs to be set to allow companion devices (this applies only to systems running Windows Pro or Windows Enterprise). To change your local security policy to allow companion devices, see the steps in the previous section.