Yubico / yubikey-manager

Python library and command line tool for configuring any YubiKey over all USB interfaces.
https://developers.yubico.com/yubikey-manager/
BSD 2-Clause "Simplified" License

FIDO2 suddenly only works with elevated privileges (Windows 10) #259

Closed Mansarde closed 5 years ago

Mansarde commented 5 years ago

I was able to use the YubiKey with FIDO2 yesterday without any problems. The only thing that changed since then (that I can think of) was that I installed an update for my NVidia graphics card driver. As of today the FIDO2 module doesn't respond anymore. The other modules work fine (OTP, PIV) BUT: If I run the Manager GUI or ykman elevated, then I can suddenly configure FIDO2 again!

I was able to configure and use FIDO2 without elevation before though. The OTP and PIV modules didn't need any elevation yesterday (neither did FIDO2). What could be the cause of it suddenly not working anymore without elevated privileges?

Steps to reproduce

  1. Restart PC
  2. Log into user account (is an admin account)
  3. Plug in YubiKey 5 NFC
  4. ykman fido info

Expected result

PIN is not set.

Actual results and logs

Error: Failed connecting to the YubiKey.

Other info

Output of ykman --log-level DEBUG fido info:

2019-06-23T13:21:22+0200 DEBUG [ykman.descriptor.Descriptor.open_device:75] transports: 0x2, self.mode.transports: 0x7
2019-06-23T13:21:22+0200 DEBUG [ykman.descriptor.open_device:80] Opening driver for serial: None, type: YUBIKEY.YK4, mode: OTP+FIDO+CCID
2019-06-23T13:21:22+0200 DEBUG [ykman.descriptor.open_device:82] Attempt 1 of 10
2019-06-23T13:21:22+0200 DEBUG [ykman.descriptor.open_device:101] Sleeping for 0.100000 s
2019-06-23T13:21:22+0200 DEBUG [ykman.descriptor.open_device:82] Attempt 2 of 10
2019-06-23T13:21:22+0200 DEBUG [ykman.descriptor.open_device:101] Sleeping for 0.200000 s
2019-06-23T13:21:23+0200 DEBUG [ykman.descriptor.open_device:82] Attempt 3 of 10
2019-06-23T13:21:23+0200 DEBUG [ykman.descriptor.open_device:101] Sleeping for 0.300000 s
2019-06-23T13:21:23+0200 DEBUG [ykman.descriptor.open_device:82] Attempt 4 of 10
2019-06-23T13:21:23+0200 DEBUG [ykman.descriptor.open_device:101] Sleeping for 0.400000 s
2019-06-23T13:21:23+0200 DEBUG [ykman.descriptor.open_device:82] Attempt 5 of 10
2019-06-23T13:21:23+0200 DEBUG [ykman.descriptor.open_device:101] Sleeping for 0.500000 s
2019-06-23T13:21:24+0200 DEBUG [ykman.descriptor.open_device:82] Attempt 6 of 10
2019-06-23T13:21:24+0200 DEBUG [ykman.descriptor.open_device:101] Sleeping for 0.600000 s
2019-06-23T13:21:24+0200 DEBUG [ykman.descriptor.open_device:82] Attempt 7 of 10
2019-06-23T13:21:24+0200 DEBUG [ykman.descriptor.open_device:101] Sleeping for 0.700000 s
2019-06-23T13:21:25+0200 DEBUG [ykman.descriptor.open_device:82] Attempt 8 of 10
2019-06-23T13:21:25+0200 DEBUG [ykman.descriptor.open_device:101] Sleeping for 0.800000 s
2019-06-23T13:21:26+0200 DEBUG [ykman.descriptor.open_device:82] Attempt 9 of 10
2019-06-23T13:21:26+0200 DEBUG [ykman.descriptor.open_device:101] Sleeping for 0.900000 s
2019-06-23T13:21:27+0200 DEBUG [ykman.descriptor.open_device:82] Attempt 10 of 10
2019-06-23T13:21:27+0200 DEBUG [ykman.descriptor.open_device:101] Sleeping for 1.000000 s
2019-06-23T13:21:28+0200 DEBUG [ykman.descriptor.open_device:103] No matching device found
Usage: ykman [OPTIONS] COMMAND [ARGS]...
Try "ykman -h" for help.

Error: Failed connecting to the YubiKey.

dagheyman commented 5 years ago

Thanks for the report.

It's expected behavior; Microsoft have introduced native WebAuthn APIs and are now blocking direct access to the FIDO transport. The workaround is to run ykman as administrator or use the native Windows UI found under Settings > Accounts > Sign in options > Security Key.

Mansarde commented 5 years ago

Ah, that makes sense. I tried it just now with the webauthn demo and it works without any problems. Many thanks for clearing that up, much appreciated! :)
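
An added triage example, not part of the thread and not ykman's own code: it reads the debug output of a failed `ykman --log-level DEBUG fido info` run and separates "FIDO is disabled on the key" from "FIDO is enabled but the OS refuses direct access without elevation", the case dagheyman describes. The bit values for OTP and CCID, the function names and the result strings are assumptions made for this sketch.

```python
import ctypes
import os
import re
import sys

# Assumed bit layout: the log shows FIDO requested as 0x2 and the mode
# OTP+FIDO+CCID as 0x7; OTP=0x1 and CCID=0x4 are inferred from that.
TRANSPORTS = {0x1: "OTP", 0x2: "FIDO", 0x4: "CCID"}

# Constructed sample: a shortened copy of the debug output posted in this issue.
SAMPLE_LOG = """\
2019-06-23T13:21:22+0200 DEBUG [ykman.descriptor.Descriptor.open_device:75] transports: 0x2, self.mode.transports: 0x7
2019-06-23T13:21:22+0200 DEBUG [ykman.descriptor.open_device:82] Attempt 1 of 10
2019-06-23T13:21:27+0200 DEBUG [ykman.descriptor.open_device:82] Attempt 10 of 10
2019-06-23T13:21:28+0200 DEBUG [ykman.descriptor.open_device:103] No matching device found
"""

def decode(mask):
    """Names of the transports set in a bitmask, lowest bit first."""
    return [name for bit, name in TRANSPORTS.items() if mask & bit]

def is_elevated():
    """True when the process runs elevated (Windows) or as root (elsewhere)."""
    if sys.platform == "win32":
        return bool(ctypes.windll.shell32.IsUserAnAdmin())
    return os.geteuid() == 0

def diagnose(log_text, on_windows, elevated):
    """Classify a ykman debug log into one of a few hypothetical result codes."""
    m = re.search(r"transports: (0x[0-9a-f]+), self\.mode\.transports: (0x[0-9a-f]+)", log_text, re.I)
    if not m:
        return "no-transport-line"
    wanted, enabled = int(m.group(1), 16), int(m.group(2), 16)
    if "No matching device found" not in log_text:
        return "device-opened"
    missing = wanted & ~enabled
    if missing:
        # The requested interface is switched off in the key's USB mode.
        return "transport-disabled:" + "+".join(decode(missing))
    if on_windows and not elevated and wanted & 0x2:
        # FIDO is enabled on the key yet cannot be opened: consistent with
        # Windows blocking direct FIDO access for non-elevated processes.
        return "fido-blocked-needs-elevation"
    return "device-unreachable"

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, sys.platform == "win32", is_elevated()))
```

A `fido-blocked-needs-elevation` result points to the two workarounds given in the thread rather than to a fault in the key or its configuration.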