How to Securely Log in to Local Accounts with a YubiKey Security Key in Windows 7, Windows 8, and Windows 10
The Yubico Login for Windows application provides a simple and secure way for YubiKey users to access their local accounts on Windows computers.
The primary benefits of Yubico Login for Windows include:
- Highly secure and easy-to-use multi-factor authentication (MFA) for login using local accounts to Windows workstations
- Simple configuration for up to 10 individual users
- Fast enrollment for backup YubiKeys
- Easy recovery mechanisms for lost YubiKeys
Yubico Login for Windows is designed to provide strong MFA for logging into local accounts on Windows 7, Windows 8.1 or Windows 10 computers. It is not suited for logging into any of the following accounts: Azure Active Directory (AAD), Active Directory (AD), Microsoft accounts.
See also: Yubico Login for Windows Configuration Guide | Yubico support
Once you have Yubico Login set up and configured for a local account on the computer, the user will be required to connect the YubiKey security key before typing their user name and password credentials to log in to Windows.
This tutorial will show you how to set up Yubico Login to log in to a local account with a YubiKey security key in Windows 7, Windows 8, and Windows 10.
Local accounts can be accessed remotely via methods such as remote desktop software, SSH, or authentication via the Microsoft Server Message Block (SMB) protocol. Yubico Login for Windows does not secure those non-local forms of login to local accounts.
You must be signed in as an administrator to install and configure Yubico Login for Windows for any local accounts (standard user or administrator) on the computer.
Uninstalling Yubico Login for Windows will undo and remove the YubiKey security key requirements for all local accounts on the Windows computer.
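The remote paths named above (Remote Desktop, SSH, SMB) can be checked on the computer before relying on the YubiKey requirement. The following is an added example, not part of the original tutorial or of Yubico's software; it assumes Windows PowerShell 5.1 (for `Get-LocalUser`) run as administrator, and the function name is hypothetical.

```powershell
# Added example: report built-in remote logon paths to local accounts that the
# YubiKey requirement at the local console does not cover.
# Assumption: Windows PowerShell 5.1, elevated session.
function Get-RemoteLogonExposure {
    # Remote Desktop: fDenyTSConnections = 0 means incoming RDP is allowed.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $rdp = [bool]($ts -and $ts.fDenyTSConnections -eq 0)

    # SSH: the optional OpenSSH Server runs as the "sshd" service.
    $sshd = Get-Service -Name sshd -ErrorAction SilentlyContinue
    $ssh = [bool]($sshd -and $sshd.Status -eq 'Running')

    # SMB: the Server service (LanmanServer) accepts SMB authentication.
    $lanman = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
    $smb = [bool]($lanman -and $lanman.Status -eq 'Running')

    [pscustomobject]@{ Path = 'Remote Desktop (RDP)';  Enabled = $rdp }
    [pscustomobject]@{ Path = 'OpenSSH Server (sshd)'; Enabled = $ssh }
    [pscustomobject]@{ Path = 'SMB (Server service)';  Enabled = $smb }
}

# Enabled local accounts are the ones reachable over any path reported as Enabled.
$accounts = Get-LocalUser | Where-Object { $_.Enabled } |
    Select-Object -ExpandProperty Name

Get-RemoteLogonExposure | Format-Table -AutoSize
"Enabled local accounts: $($accounts -join ', ')"
```

The check reads service and registry state only; it does not evaluate firewall rules or detect third-party remote desktop software.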
EXAMPLE: Yubico Login for Windows
Here's How:
1 Download and install the version of Yubico Login for Windows (32-bit or 64-bit) that matches your 32-bit or 64-bit Windows. (see screenshot below)
You will be required to restart the computer after installing Yubico Login for Windows.
2 Open the Yubico Login Configuration app. (see screenshot below)
3 Click/tap on Next. (see screenshot below)
4 Make any changes you want to the settings, and click/tap on Next. (see screenshot below)
Slots: Select the slot where the challenge-response secret will be stored. All YubiKeys that have not been customized come pre-loaded with a credential in slot 1, so if you are using Yubico Login for Windows to configure YubiKeys that are already being used for logging into other accounts, do not overwrite slot 1.
Challenge/Response Secret: This item enables you to specify how the secret will be configured and where it will be stored. The options are:
- Use existing secret if configured - generate if not configured: The key's existing secret will be used in the specified slot. If the device has no existing secret, the provisioning process will generate a new secret.
- Generate new, random secret, even if a secret is currently configured: A new secret will be generated and programmed to the slot, overwriting any previously configured secret.
- Manually input secret: For advanced users. During the provisioning process, the application will prompt you to manually input an HMAC-SHA1 secret (20 bytes - 40 characters hex-encoded).
Generate Recovery Code: For each user provisioned, a new recovery code will be generated. This recovery code enables the end-user to log in to the system if they have lost their YubiKey. For more information, refer to the description of the Recovery Code above.
Note: If you select to save a recovery code while provisioning a user for a second key, any previous recovery code becomes invalid, and only the new recovery code will work.
Create Backup Device for Each User: Use this option to have the provisioning process register two keys for each user, a primary YubiKey and a backup YubiKey. If you do not want to provide recovery codes to your users, it is good practice to give each user a backup YubiKey. For more information, refer to the Primary and Backup Keys section above.
5 Select (check) the local account for the user you want to configure, and click/tap on Next. (see screenshot below)
Local accounts that currently have YubiKeys registered and are enabled for Yubico Login for Windows have an asterisk (*) next to the respective usernames. You can add additional YubiKeys for users already configured by selecting the users here.
6 When prompted, insert (connect) a YubiKey security key to the computer to configure it for this user account. (see screenshot below)
7 Click/tap on Next. (see screenshot below)
The Programming Device page displays the progress of programming each YubiKey. The Device Confirmation page shown below displays the details of the YubiKey detected by the provisioning process, including the device serial number (if available) and the configuration status of each One-Time Password (OTP) slot. If there are conflicts between what you have set as defaults and what is possible with the detected YubiKey, a warning symbol is displayed. If everything is good to go, a check mark will be shown. If the status line shows an error icon, the error is described and instructions for fixing it are displayed on the screen.
8 When programming the YubiKey has finished for the user account, you will be prompted to remove (disconnect) the YubiKey from the computer.
9 Click/tap on Finish. (see screenshot below)
The selected local account can no longer be accessed without this corresponding YubiKey connected while logging in to Windows.
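For the "Manually input secret" option in step 4, the value must be exactly 20 bytes written as 40 hex characters. The following is an added example, not part of the original tutorial or of Yubico's software, that generates and validates such a secret and shows the standard HMAC-SHA1 computation a challenge-response slot performs with it; the function names and the sample challenge are hypothetical, and Windows PowerShell 5.1 is assumed.

```powershell
# Added example: create and check a 20-byte HMAC-SHA1 secret for manual input.
# Assumption: Windows PowerShell 5.1. Function names are hypothetical.
function New-HmacSha1Secret {
    # 20 bytes from the OS CSPRNG, returned as 40 lowercase hex characters.
    $bytes = New-Object byte[] 20
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Test-HmacSha1Secret {
    param([string]$Hex)
    # Exactly 40 hex characters (20 bytes); no spaces, prefixes or newlines.
    $Hex -match '\A[0-9a-fA-F]{40}\z'
}

function Get-HmacSha1Response {
    param([string]$SecretHex, [byte[]]$Challenge)
    if (-not (Test-HmacSha1Secret $SecretHex)) {
        throw 'Secret must be 40 hex characters (20 bytes).'
    }
    # Decode the hex string into the 20 key bytes.
    $key = New-Object byte[] 20
    for ($i = 0; $i -lt 20; $i++) {
        $key[$i] = [Convert]::ToByte($SecretHex.Substring($i * 2, 2), 16)
    }
    $hmac = [System.Security.Cryptography.HMACSHA1]::new([byte[]]$key)
    try {
        ($hmac.ComputeHash($Challenge) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally { $hmac.Dispose() }
}

# Constructed sample values for illustration only.
$secret    = New-HmacSha1Secret
$challenge = [Text.Encoding]::ASCII.GetBytes('constructed-challenge')

Test-HmacSha1Secret $secret      # well-formed secret
Test-HmacSha1Secret 'abc123'     # too short, rejected
Get-HmacSha1Response -SecretHex $secret -Challenge $challenge
```

Because the secret is symmetric, anyone who holds the hex string can compute the same responses as the key, so a manually entered secret should be handled like a password and not kept in files or shell history.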
That's it,
Shawn
Related Tutorials
- How to Set Up Security Key to Log into Apps in Windows 10
- How to Sign in to Windows 10
- How to Enable or Disable Secure Sign-in with Ctrl+Alt+Delete in Windows 10
- How to Automatically Sign in to User Account at Startup in Windows 10
- How to Turn On or Off Require Sign-in on Wakeup in Windows 10
- How to Enable or Disable Require Sign-in after Specified Time when Display Turns Off in Windows 10