Hey everyone! I'm looking for some help with Windows 11 and YubiKey. Is it possible to completely disable the password login and only allow access through a YubiKey? I've done some searching online, but I'm not finding much info on using hardware authentication devices other than smart cards. Any insights or tips would be greatly appreciated!
4 Answers
I've just set up YubiKeys with FIDO2 and SmartCard, and it sounds like you're on the right track. To make it work, you need to get the Yubico Minidriver installed. After that, you can apply Group Policy or use Intune to enforce the settings. Just a heads up, my users found it a bit challenging to adjust at first, so maybe introduce it gradually. Also, consider installing the YubiKey CLI on your machines to help manage any locked accounts easily without losing data. It’s really handy!
Does it matter if I have a YubiKey 5 or the cheaper $29 YubiKey?
Yes, you can definitely use a YubiKey as a smart card! You'll need to install the YubiKey smart card minidriver to get it working. Once you have that set up, you can use the same smart card policies you normally would. It's a great solution if you're looking to enhance security!
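A read-only check of whether the smart card policies mentioned in the answers above are in effect on a machine. This is an added example, not part of either answer. The function name `Get-SmartCardLogonPosture` is hypothetical; the registry values are the ones Windows uses to store the "Interactive logon: Require smart card" and "Smart card removal behavior" security options.

```powershell
# Read-only audit: reports whether this machine enforces smart-card-only
# interactive logon. Nothing is modified.
function Get-SmartCardLogonPosture {
    $policyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # scforceoption = 1 backs "Interactive logon: Require smart card".
    $force = (Get-ItemProperty -Path $policyKey -Name 'scforceoption' `
              -ErrorAction SilentlyContinue).scforceoption

    # ScRemoveOption backs "Interactive logon: Smart card removal behavior".
    $remove = (Get-ItemProperty -Path $winlogonKey -Name 'ScRemoveOption' `
               -ErrorAction SilentlyContinue).ScRemoveOption
    $removalText = switch ("$remove") {
        '1'     { 'Lock workstation' }
        '2'     { 'Force logoff' }
        '3'     { 'Disconnect remote session' }
        default { 'No action' }
    }

    # The Smart Card service must be available for the minidriver to be used.
    $svc = Get-Service -Name 'SCardSvr' -ErrorAction SilentlyContinue

    # A plugged-in YubiKey with its smart card interface enabled shows up
    # as a smart card reader device.
    $readers = @(Get-PnpDevice -Class 'SmartCardReader' -PresentOnly `
                 -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        PasswordLogonBlocked = ($force -eq 1)
        RemovalBehavior      = $removalText
        SmartCardService     = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'missing' }
        ReadersPresent       = $readers.Count
    }
}

$posture = Get-SmartCardLogonPosture
$posture | Format-List

if (-not $posture.PasswordLogonBlocked) {
    Write-Warning 'Password logon is still accepted: "Require smart card" is not enforced.'
}
elseif ($posture.ReadersPresent -eq 0) {
    Write-Warning 'Smart card is required but no reader or YubiKey is present. Confirm a recovery path before signing out.'
}
```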
Why would you want to rely solely on a YubiKey? I think it's really important to have multiple forms of identification. Imagine leaving your laptop unattended and someone gains access to everything!
Actually, that's not the case here. Using a YubiKey with FIDO2 means there's still a PIN needed to unlock it. So even if someone finds your laptop, they won't just get in without the key.
It’s a requirement from our security department. The YubiKey enhances security while still requiring a PIN, so it covers the bases.
Yeah, you can do it! Just make sure you have a backup plan in case something goes wrong.

Which specific minidriver do you recommend downloading from Yubico's site?