Force Use of Hardware Security Key with a Windows Hello Account

Question

Question: Is it possible to bypass Windows Hello (Pin) on a Windows 11 login tied tied to a Microsoft passwordless account? Why? Want to force use of a hardware security key for authentication.

• I have a Microsoft passwordless account on the Windows 11 profile
• Want to bypass Windows Hello (PIN) and use the hardware security key for authentication
• https://www.yubico.com/products/computer-login-tools/
• According to Yubico..."YubiKey cannot be used in conjunction"..."on your computer using a Microsoft Account."

Answer 1

As you already noted,

Yubico Login for Windows does not support any of the following:

• Active Directory (AD) managed accounts
• Azure Active Directory (AAD) managed accounts
• Microsoft Accounts (MSA)

You will need to be using a local account.

Source: Yubico Login for Windows Configuration Guide

Answer 2

(Thread hasn't been updated in several months, but I've found it more than once while Googling related questions, so here's a solution. Hopefully it'll help someone.)

You don't need Yubico Login for Windows for a MS passwordless account, if your computer is AzureAD-joined (might work for Hybrid-Joined, as well, but I've only tried on AzureAD-joined machines).

I have done this on my Windows 11 machine and a Windows 10 VM (VirtualBox allows SecurityKey passthrough, Hyper-V does not).

MS Instructions for enabling FIDO Keys in Azure AD:

• https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key
• Make sure you either select All Users or your account is included in one of the allowed groups

MS Instructions for adding the security key to your MS Account:

• https://support.microsoft.com/en-us/account-billing/set-up-a-security-key-as-your-verification-method-2911cacd-efa5-4593-ae22-e09ae14c6698
• It isn't stated, but this step adds your AzureAD/MS Credentials to your key

Restart your system after these steps to apply the AzureAD changes. (You may have to wait 10-15 mins for the change to be applied, in my limited experience.)

This step may or may not be necessary, but I've never tried without this step:

• After restarting, goto Start>Settings>Accounts>Sign-In Options>Security Key and click [Manage].
• You'll be asked to insert your key and put in its PIN. Close the window that loads (resetting the key or the pin from this interface will likely remove the credentials from your key).

--

Log off to test. You should get the standard pwd/pin prompt, but inserting your key (and/or selecting more options and the selecting USB-looking icon for a Security Key) it'll ask for your PIN. Once you do this the first time, the default login method will be Security Key.

The only way I've found to REQUIRE the key for Windows is here:
https://swjm.blog/three-ways-of-enforcing-security-key-sign-in-on-windows-10-windows-11-4f0f27227372
It says 3 Ways, but really it's just 3 different ways to do the same thing - disable all Windows credential providers except Security Keys and Smart Cards.

IMPORTANT CONSIDERATIONS:

• While you can add multiple user accounts to a key, Windows Logon will only recognize the last credential added to the key.
• If you disable all credential providers except Security Keys and Smart Cards, make sure you have a way to re-enable them if you lose your key. My machines are Intune managed so I can push a PowerShell script to re-enable the other providers, but I don't know what you'd do without a MDM if the key was lost.
• If you disable all credential providers except Security Keys and Smart Cards, you cannot use Run As Administrator if you're logged in as a Standard User. I've tried logging in with a StandardKey and then trying to provide admin credentials with an AdminKey, but Windows doesn't recognize that the new key has different credentials. (I have only tried this in Windows 10 Pro - Windows 11 may be able to recognize the new credentials.)

Answer 3

Bottom line: It is possible to bypass the windows hello pin and force use of any hardware security key linked to a Microsoft account on a windows profile. No software or special configuration is required.

The most essential parts are:

1. have the HW security key linked to the MS passwordless account
2. use this account for login
3. manually remove the Win hello pin and reboot the computer
4. you will then be prompted for the HW key
5. windows will mandate that you have to reset the hello pin
6. just ignore this, and login will complete without use of hello pin
7. no software, special configuration, changes to credential management...etc. required
8. not an elegant solution but works flawlessly by enforcing use of HW key and eliminating a potential vulnerability that some could hack the pin for login

Caveats:

• have to remove the Windows pin
• for every subsequent login click "setup my pin"
• then click "sign in with a security key", and
• finally click "cancel"

This will force the use of any hardware security key tied to your Microsoft account.

For reference