Congratulations, you have a YubiKey and you want to set up your YubiKey to unlock your Windows 10 system. Follow these easy instructions and you’ll be protected with the simplicity of YubiKey two-factor authentication in no time!

Requirements

  • Microsoft Windows 10 Home, Pro, or Enterprise edition
    • Anniversary Edition (Version 1607 required with build 14393.321 or later)
      TIP: To verify the version of Windows you are running, press the Windows key, then type r, select Run, and type winver. The About Windows dialog box displays information on the version and build number of Windows 10.
  • YubiKey
    • YubiKey 4, YubiKey 4 Nano, YubiKey 4C (recommended)
    • YubiKey NEO, YubiKey NEO-n (version 3.3.1 or later)
  • CCID mode enabled on the YubiKey (see below)
  • Local user or cloud user account
  • Your local security policy set to allow companion devices for secondary authentication (see below)
  • A PIN set (under sign-in options) for the user on the system who will be using the YubiKey (required)

Downloading and Installing the YubiKey for Windows Hello App

  1. From the Windows app store, locate the YubiKey for Windows Hello app.
  2. Click Get.
  3. When installation is completed, click Launch.

To access the YubiKey for Windows Hello app

  • From the Start menu, select All Apps > Start > YubiKey for Windows Hello

To uninstall the YubiKey for Windows Hello App

Be sure you have unregistered any YubiKeys before you uninstall the app.

  1. In the Start menu, navigate to the YubiKey for Windows Hello app.
  2. Right-click the app and select Uninstall.
  3. Follow the prompts. It is not necessary to reboot your computer.

Enabling CCID Mode

CCID mode must be enabled on the YubiKey. CCID is enabled by default on all YubiKey 4 devices and on all YubiKey NEOs shipped since November 2015. To enable CCID mode on older YubiKey NEO devices, use the YubiKey NEO Manager (preferred). If you have a YubiKey NEO, verify that the device has CCID enabled. If you have disabled CCID mode on any YubiKey, be sure to re-enable it.

The following instructions describe how to use the YubiKey NEO Manager. You can also use the Yubico Personalization Tool (command line tool) to change the connection mode.

To enable CCID mode, open YubiKey NEO Manager:

  1. Click Change connection mode.
  2. Select the checkbox for CCID and click OK.
  3. Continue with the following instructions for all other YubiKeys.

Setting Local Security Policy to Allow Companion Devices

On systems running Windows Pro or Windows Enterprise, you must set the option Allow companion device for secondary authentication in the Local Security Policy. If your organization manages your security policy, contact your IT administrator and request this change before installing this app. You cannot change local security policy on systems running Windows Home; however, this option is enabled by default.

To modify local security policy

  1. Open the Local Group Policy Editor. To do this, press the Windows key, type R, and then type gpedit.msc.
  2. In the Local Group Policy Editor, from the top level Local Computer Policy, navigate to Computer Configuration > Administrative Templates > Windows Components > Microsoft Secondary Authentication Factor.
  3. In the right pane, click the link to Edit policy setting. (You can also double-click the setting to Allow companion device for secondary authentication.) The default state is Not configured.
    • If the policy is displaying Not Configured or Enabled, then you do not have to make any additional changes. Click Cancel.
    • If the setting is displayed as Disabled, continue with the next step.
  4. In the setting screen, select the option for Enabled, and click OK.
  5. Exit the Local Group Policy Editor and the Management Console.
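
The requirements above checked in one pass, as an added PowerShell example that is not part of the original article: it compares the Windows build with 14393.321, reports the state of the companion device policy, and lists the smart card readers that are present. The policy registry path and value name, and the expectation that a YubiKey in CCID mode is listed under the SmartCardReader device class, are assumptions to confirm on your system.

```powershell
# Added example: read-only preflight check for YubiKey for Windows Hello.
$minBuild = 14393   # Windows 10 version 1607
$minUbr   = 321     # minimum revision, giving build 14393.321

function Test-BuildOk {
    param([int]$Build, [int]$Ubr)
    # Any later build passes; on 14393 itself the revision must be >= 321.
    return ($Build -gt $minBuild) -or ($Build -eq $minBuild -and $Ubr -ge $minUbr)
}

function Get-CompanionPolicyState {
    # Assumed registry location behind "Allow companion device for
    # secondary authentication"; confirm against your policy templates.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor'
    $val = (Get-ItemProperty -Path $key -Name AllowSecondaryAuthenticationDevice `
            -ErrorAction SilentlyContinue).AllowSecondaryAuthenticationDevice
    if ($null -eq $val) { return 'Not configured' }
    if ($val -eq 0)     { return 'Disabled' }
    return 'Enabled'
}

# Windows build and revision, the same numbers winver displays.
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuildNumber
$ubr   = [int]$cv.UBR

# Assumption: a YubiKey with CCID enabled is listed as a smart card reader.
$readers = @(Get-PnpDevice -Class SmartCardReader -PresentOnly `
             -ErrorAction SilentlyContinue)

$policy = Get-CompanionPolicyState

[pscustomobject]@{
    WindowsBuild      = "$build.$ubr"
    BuildRequirement  = if (Test-BuildOk $build $ubr) { 'OK' } else { 'Too old' }
    CompanionPolicy   = $policy
    # Per the steps above, only Disabled requires a change.
    PolicyRequirement = if ($policy -eq 'Disabled') { 'Change needed' } else { 'OK' }
    SmartCardReaders  = if ($readers.Count) {
                            ($readers.FriendlyName -join '; ')
                        } else {
                            'None present (insert the YubiKey and check CCID mode)'
                        }
} | Format-List
```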

Notes

  • This app is used to unlock your system only — it will not work with login (waking from sleep/hibernating requires a login).
  • This app allows you to register a maximum of four YubiKeys per account.
  • You cannot register the same YubiKey to more than one account on the same system.
  • You may notice that the YubiKey NEO is slower than the YubiKey 4. When you use a YubiKey NEO to unlock your system, we recommend you swipe the screen or press any key (rather than tapping the YubiKey).
  • We recommend using this app only on single user Windows systems; this app does not currently support multiple users.

Known Issues

  • Yubico Authenticator with password set. Your YubiKey will not work for unlocking your system if you use Yubico Authenticator and have set a password. You can, however, register a YubiKey if Yubico Authenticator is open and you have already verified the password, but registration of a YubiKey will fail if Yubico Authenticator is not open during the registration process. (Issue #7)
  • Requiring the YubiKey. There is currently no way to require the YubiKey to unlock your system — you can always access your account using your PIN or password.
  • Removing all keys. If you have removed all YubiKeys, but have not uninstalled the app, you are still prompted to use the YubiKey to unlock your system. To work around this issue, uninstall the app. (Issue #31)
  • Removing a key. If you try to remove a YubiKey and the key is not inserted into your system, two OATH credentials will be present. You would need to delete these using an older version of Yubico Authenticator (2.3.0 or older) or by resetting the entire OATH applet (using the ykneomgr command line or opensc-tool command line).
  • Resetting the OATH applet on the YubiKey. If you use the opensc-tool or ykneomgr command line tools to reset the OATH applet on the YubiKey, you will erase the credentials that you have registered for the YubiKey for Windows Hello app. (Issue #9)