privacyguides / privacyguides.org

Protect your data against global mass surveillance programs.
https://www.privacyguides.org
Creative Commons Attribution Share Alike 4.0 International

warning for yubikey MFA for Windows #2566

Closed oppressor1761 closed 1 month ago

oppressor1761 commented 1 month ago

Changes proposed in this PR:

- [x] I agree to the terms listed below:

Contribution terms:

1. I am the sole author of this work.
2. I agree to grant Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform, relicense, and distribute my contribution as part of this project.
3. I have disclosed any relevant conflicts of interest in my post.
4. I agree to the Community Code of Conduct.

github-actions[bot] commented 1 month ago

Your preview is ready!

| Name | Link |
| --- | --- |
| Latest commit | c57cbc7dcab658c21aa678a840d40ed5528f94ec |
| Preview | https://2566--glowing-salamander-8d7127.netlify.app/ |

oppressor1761 commented 1 month ago

Let me be clearer: I do not think using YubiKey MFA to harden a Windows local account should be recommended, because this adds too much attack surface. Any 0-day in the app required could leave your account compromised. If you are concerned, using a long password or removing local account login for Windows is the right move, not using YubiKey MFA.

ph00lt0 commented 1 month ago

Tend to agree here. Might also be good to point out that Windows Hello does have support for security keys.

jonaharagon commented 1 month ago

Actually, I disagree with the premise that this could lead to account compromise in the first place. The app only adds a second factor in addition to the existing username+password security. In the unlikely event that the app fails, you should not be worse off than single-factor authentication.

Windows Hello would replace a password I believe, which is not necessarily desirable behavior here.

oppressor1761 commented 1 month ago

The app (Yubico Login for Windows) does not just add a factor. It replaces the whole login process for the local account. It's the app, not Windows, that verifies both the password and the YubiKey. It is possible that exploits in the app lead to account compromise. It's not open source, so we do not know how exactly it handles the password entered. Best not to trust it in the login process.

oppressor1761 commented 1 month ago

It adds a credential provider filter in HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{28CF0DB8-7BE8-4F28-8368-7EAB35625D45}. It's different from the original password CP {60b78e88-ead8-445c-9cfd-0b87f74ea6cd}.
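The registry locations named above are where Windows registers every credential provider and credential provider filter, so an administrator can audit what actually participates in the logon path. The following PowerShell script is an added example written for this discussion; it is not code from the PR, from Privacy Guides or from Yubico. It walks both keys, resolves each CLSID to its COM server DLL through `HKLM:\SOFTWARE\Classes\CLSID\<clsid>\InprocServer32`, and reports the Authenticode signer of that DLL so non-Microsoft providers and filters stand out. The two CLSIDs it labels are the ones quoted in the thread; the key and value names are standard Windows ones, and the script assumes it is run from an elevated prompt.

```powershell
# Added example (not part of the PR or Privacy Guides): inventory the credential
# providers and credential provider filters registered on this machine, resolve
# each CLSID to its DLL, and check the DLL's Authenticode signer.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'

# CLSIDs quoted in the thread; hashtable lookups in PowerShell are case-insensitive.
$known = @{
    '{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}' = 'built-in password credential provider'
    '{28CF0DB8-7BE8-4F28-8368-7EAB35625D45}' = 'Yubico Login for Windows filter'
}

function Get-CredentialProviderInventory {
    foreach ($kind in 'Credential Providers', 'Credential Provider Filters') {
        $root = Join-Path $base $kind
        if (-not (Test-Path $root)) { continue }

        foreach ($key in Get-ChildItem $root) {
            $clsid = $key.PSChildName
            $name  = (Get-ItemProperty $key.PSPath).'(default)'

            # Resolve the COM in-process server registered for this CLSID.
            $srv = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
            $dll = $null
            if (Test-Path $srv) {
                $dll = (Get-ItemProperty $srv).'(default)'
                if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
            }

            # Signature check only when the DLL path resolves to a real file.
            $sig = $null
            if ($dll -and (Test-Path $dll)) { $sig = Get-AuthenticodeSignature -FilePath $dll }

            [pscustomobject]@{
                Kind   = $kind
                CLSID  = $clsid
                Name   = $name
                Dll    = $dll
                Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned/unknown' }
                Status = if ($sig) { $sig.Status } else { 'n/a' }
                Note   = if ($known.ContainsKey($clsid)) { $known[$clsid] } else { '' }
            }
        }
    }
}

# Show every filter (filters can intercept or hide other providers) plus any
# provider whose DLL is not signed by Microsoft.
Get-CredentialProviderInventory |
    Where-Object { $_.Kind -eq 'Credential Provider Filters' -or $_.Signer -notmatch 'Microsoft' } |
    Format-Table Kind, CLSID, Name, Signer, Status, Note -AutoSize
```

The filtered view is the useful one for the question raised in this thread: a filter entry is what lets a third-party component shape the logon UI, so any filter that is not signed by Microsoft deserves a deliberate decision rather than a default install. Drop the `Where-Object` stage to see the full list.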

oppressor1761 commented 1 month ago

I'm not very familiar with the PR process. Can anyone tell me why this is still not merged?