About Windows AAD offline login using hmac-secret


Steven li

Jan 2, 2023, 9:30:14 PM
to FIDO Dev (fido-dev)
Hi guys,

I have some questions to ask.

1. Regarding hmac-secret, I found that Yubico provides a Windows login application that can also log in offline, and that you can join Windows AAD with a USB FIDO key.
Do they all use the HMAC Secret extension?

Yubico Login for Windows Configuration Guide link:

2. Or where to find an intuitive application of the HMAC secret extension?

Thanks,
Steven

My1

Jan 2, 2023, 9:36:58 PM
to Steven li, FIDO Dev (fido-dev)
I think the Windows AAD thing uses hmac-secret (notably, likely to provide secrets for decrypting stuff), and while the Windows Login application from Yubico does use HMAC, it does not use hmac-secret specifically; in fact it does not use anything FIDO, but rather the HMAC function YubiKeys specifically provide, which is also the reason the blue YubiKeys and the Bio won't work with the Yubico application, as they are pure FIDO keys.


Steven li

Jan 3, 2023, 8:26:54 PM
to FIDO Dev (fido-dev), My1, FIDO Dev (fido-dev), Steven li
Hi My1,

Thank you for your prompt reply.

I will look again to see if there is any application of hmac-secret extension.

Steven

On Tuesday, January 3, 2023 at 10:36:58 AM [UTC+8], My1 wrote:

Emanuele Cesena

Jan 4, 2023, 10:59:56 AM
to Steven li, FIDO Dev (fido-dev), My1
To the best of my knowledge, Windows login (the enterprise login via AD) does use hmac-secret. It's very possible that Windows also has a specific integration with YubiKeys, as My1 describes, but if you use, for example, a Solokey, that's going to use the hmac-secret extension.

So, if you're looking for an example of hmac-secret used in a real application: Windows "enterprise login" with a Solokey/FIDO key.

Best,
-- 
Emanuele Cesena
0x0ece.com

The body has no ideals

My1

Jan 4, 2023, 11:02:53 AM
to Emanuele Cesena, Steven li, FIDO Dev (fido-dev)
Not quite.

The question revolves around both FIDO and the Yubico Login for Windows Application, so it may be a bit confusing to read.

That application uses the YubiKey's specific HMAC profiles for login, while on the other hand AAD uses hmac-secret and actual FIDO.

Regards
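To make the distinction in this thread concrete, here is an added simulation (not code from the thread, from Microsoft or from Yubico) of what hmac-secret gives a platform for offline unlock: the authenticator holds a per-credential CredRandom and answers HMAC-SHA-256(CredRandom, salt), so the platform can store only a salt plus a wrapped secret and recover the secret later without any network. The CTAP2 session encryption of the salt and output is omitted (assumed trusted local channel), the XOR wrap stands in for a real AEAD, and the YubiKey slot challenge-response function is included only as a contrast with what the Yubico Login for Windows application relies on; all names here are made up for the example.

```python
import hmac
import hashlib
import secrets


class SimulatedAuthenticator:
    """Models only the hmac-secret extension of a CTAP2 authenticator.
    Each credential gets its own CredRandom, which never leaves the device."""

    def __init__(self):
        self._cred_random = {}

    def make_credential(self, rp_id: str) -> bytes:
        cred_id = secrets.token_bytes(16)            # opaque credential id
        self._cred_random[cred_id] = secrets.token_bytes(32)  # CredRandom
        return cred_id

    def get_assertion_hmac_secret(self, cred_id: bytes, salt: bytes) -> bytes:
        # CTAP2 hmac-secret: output = HMAC-SHA-256(CredRandom, salt), 32-byte salt.
        if len(salt) != 32:
            raise ValueError("hmac-secret salt must be exactly 32 bytes")
        return hmac.new(self._cred_random[cred_id], salt, hashlib.sha256).digest()


def enroll(auth: SimulatedAuthenticator, rp_id: str, secret_32: bytes) -> dict:
    """Platform side at enrollment: keep salt + secret wrapped under the hmac-secret output.
    Nothing stored here reveals the secret without the authenticator."""
    if len(secret_32) != 32:
        raise ValueError("this toy wrap handles a 32-byte secret only")
    cred_id = auth.make_credential(rp_id)
    salt = secrets.token_bytes(32)
    kek = auth.get_assertion_hmac_secret(cred_id, salt)
    wrapped = bytes(a ^ b for a, b in zip(secret_32, kek))  # stand-in for an AEAD wrap
    return {"cred_id": cred_id, "salt": salt, "wrapped": wrapped}


def offline_unlock(auth: SimulatedAuthenticator, record: dict) -> bytes:
    """Offline login: same credential + same salt reproduce the same key, so the
    cached secret can be unwrapped with no network round trip."""
    kek = auth.get_assertion_hmac_secret(record["cred_id"], record["salt"])
    return bytes(a ^ b for a, b in zip(record["wrapped"], kek))


def yubikey_style_challenge_response(slot_secret: bytes, challenge: bytes) -> bytes:
    """Contrast: YubiKey OTP-slot challenge-response is HMAC-SHA1 over an arbitrary
    challenge with a fixed 20-byte slot secret, not tied to any FIDO credential."""
    return hmac.new(slot_secret, challenge, hashlib.sha1).digest()
```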

