Implement FIDO2 WinLogon CredentialProvider for AD using Yubikey 5 NFC


Arun Sudhir

May 15, 2019, 3:13:30 AM
to fido...@fidoalliance.org
I'm trying to implement a passwordless Windows logon for AD - we use AD but not Azure AD. Recently Microsoft came out with Windows Hello for Business, but I cannot use it as I do not have or want an Azure subscription.

I'm thinking of using Yubikey 5 NFC for FIDO2 - using https://github.com/microsoft/Windows-classic-samples/tree/master/Samples/CredentialProvider as a starting point and also using https://github.com/Microsoft/webauthn for webauth/CTAP2. My problem is how I can be Kerberised without a password, and I'm thinking using PIV with Yubikey as a smart card should help me talk to ADCS for Kerberising.

Does this sound right? Also, I read somewhere that virtual smart cards are going away. Is that true?

Thanks
Arun

Alex Seigler

May 15, 2019, 6:27:15 AM
to Arun Sudhir, fido...@fidoalliance.org
This is probably not the right forum for this question, but WHfB can be deployed on premises without a custom credential provider (https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust) and without an additional roaming authenticator for users to break or lose. WHfB with certificate trust is similar to VSC from an end user perspective, but yes, I also heard VSC is going to be deprecated.

-aseigler

