Configuring a Yubikey to Protect Local Accounts on a Windows 10 PC

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

in this video i'm going to show you how to use a security key specifically one of the keys from ubicore what they call a yubikey to secure the logon to a windows 10 pc now in order to do that we're going to have to install some special software that comes from ubicore and i'll show you how to do that i'll show you how to download it and install it and configure it and then we'll go ahead and test it with a particular ubi key that i happen to have here now i'd like you to stay tuned though because i'm going to be talking about how you could do this for other operating systems besides windows later in this video so stay tuned for that now for purposes of installing and configuring the yubico software on my pc using a yubikey is actually contained in a help file that's entitled yubico login for windows configuration guide and here is the link that is to the yubico website for this support document it shows you what devices are compatible here now i happen to have a yubikey 5 and i actually have this one right here the yubico 5 nfc so it's fully compatible with this process now i do suggest that you read through this there's a lot of good information here however if you go down to the installation i'm going to jump right to the steps that are important to getting this up and running as quickly as possible the next step is to actually install the software before we can actually configure it obviously for that one you have to go to a different help document that's also on the yubico website highlighted here and also down in the notes below just like the previous webpage that i was on and i'm going to download and install the yubico login for windows 64-bit that's the type of system i have it is now downloaded into the download area of this web page all i have to do is click on open file to run the installation program and it's a standard installation program so i'll just jump right through it and take all the defaults now that it's finished it's going to want to reboot the server which is fine let's do a finish and then i'll do a reboot okay now that the system has rebooted i will go ahead and see if i can log in notice something and i showed this in my previous video the actual appearance of the login is completely changed it now says yubico login now i have not configured it for any of the users on this system as of yet therefore we can use the regular login for username and password that we had before so i'll log into david under admin and i'll put the associated password for that so now i am logged in as the administrator now i need to actually run the configurator so back to the instructions for installation it tells you to run the login configurator now to find this the easiest way to do it is to come down here in the help area the question mark and type in login configurator it'll probably catch it well before you finish typing it and there it is right there so let me run that configurator have to be admin and now taking a look at the configurator read the instructions here and it tells you how it is recommended that you have two ubi keys one is your primary and one is your backup it is the safest way to do it but we will talk about other ways you can back it up as well as we go through this for purposes of this video i'm only going to use one key click next it is actually telling you exactly what i said it will pick one slot on the ub key it has two slots in it the slot 1 is reserved for some online web pages it has a secret key in it slot 2 is the one you would use for a special purpose like a pc login you get your choices of use existing secret if configured generate if not configured now it already has a secret configured on it so i'm going to leave it that way i could have it generate a new one a randomly selected one as part of this process if for whatever reason i don't trust the one that's on there i could also manually input the secret which is a whole different process that you will have to follow that gets quite complicated which i won't cover in this video then you have two check boxes generate a recovery code which i highly recommend you do that and then this checkbox which you will only do if you have a second key as a backup so i'm going to uncheck that and then we hit next again and then it asks me which accounts on this pc that i wish to configure for using a ubi key now i created a special test user for that purpose so i'm going to check only that one i don't want to have the yubikey control these other accounts although if i wanted to i could the one ub key could control as many accounts on a pc as we would like so i'm going to pick the test and i'm going to click next it's now waiting for me to insert my yubi key let me unpack the ub key and insert it into the pc notice that it's ready for programming of test one preparing it and it's done i can now remove the ub key so i'm going to go ahead and save this by clicking on this icon here save to file it defaults to this pc document that's fine i'm going to move it out of here rather soon anyway save i hit next it says my ub key has been configured for the system and the users have been configured to require the ub key now if i go back in here and i take a look it now shows that there's an asterisk right next to test one so that means that one's configured to use the yubikey i'm going to skip that and do a finish at that and we should be ready to go so now that it's been configured let me go ahead and log out okay now that it's rebooted let me see if i can log in to the test one account type the user account name then the password hit enter oh it says i have to insert the ub key and try again let me say ok to that put the ub key in it lights up let me re-enter the password and we're in logging into test one so it looks fine at this point so now this test one account is fully protected by the yubikey but only this account well that's pretty powerful isn't it i was able to actually use this little key to completely lock down my windows accounts now i happen to be using it as a local account if you wanted to do it where you're using a microsoft account it's actually easier to do you do not have to install the special software on this all you have to do is go to the microsoft website where you set up your microsoft account and tell it to use a key and then follow the instructions from that site it'll actually tell you to put the key in and specify that you'd rather use a security key to log into your microsoft account it's actually easier to do and if you prefer having a microsoft account that's probably the best way to go but i do local accounts initially i do them that way on every pc i do and then i eventually move them to my domain now let me tell you about a problem though that i ran into i initially had the machine set up to some obscure name that it defaults to in windows and then i created the test account well the test account and the obscure name to the system it was kind of hard for me to follow that through so i decided to change the system name and it let me do it i change the system name also to test well that somehow messed up this whole yubikey local logon feature completely now if i had done it the reversed order if i had had the system already named test and i tried to create a sit an account name test windows would have prevented me from doing that but the fact that i did it in reverse order it didn't bother giving me even a warning about it and i was really you know scratching my head quite a bit to get this local login to work just wanted to let everybody know that that's something i ran into it's an obscure case and probably very few people ever run into it but just in case i'm going to send a note to yubikey and let them know that there was a problem with that i obviously didn't have the source code to troubleshoot it from the yubikey perspective so i'm not sure exactly why it wouldn't work but it actually was able to let me log in without the yubi key when i had system name test and username test even though i configured the test account to use a yubikey that's not good so now let me show you something that's even better well i did it on windows here right well you don't have to just do it on windows i mean this local log gun will work with just about any system that's out there as you saw there's download options for apple and there's download options for another system as well let me show you on the screen here and you'll see what i'm talking about if we come back onto this screen here and we look over to the left we're going to see some other things you can do other operating systems that you can actually secure using the ubi key things like red hat linux ubuntu ubuntu linux login guide but if you click on this one here ubuntu 19.10 or just ubuntu login either one it'll show you what you have to do and by the way more different keys are supported for this so in addition to the key that i have you could actually go for the normal security key which is a cheaper version of the ub key just to let you know that's like half the price of the yubikey that i had that i had to use in order to authenticate local windows login but they go through it in pretty much all the detail that you need this is advanced stuff however you really have to have some strong understanding of how to use unix at the command line level which is you know not trivial but you can follow this step by step and you can actually get it to work to authenticate a local user on linux ubuntu linux in this case so i just wanted to show everybody this and if people are interested in me trying this and creating a video about this let me know in the comments below [Music] you

Info

Channel: PE4Doers

Views: 17,394

Rating: undefined out of 5

Keywords: Establishing Exceptional Login Protections on Your PC, Using a Security YubiKey to Protect your PC, Protect you PC Accounts from a Cyber Attack

Id: d2QS7oo6NzI

Channel Id: undefined

Length: 10min 33sec (633 seconds)

Published: Fri Oct 22 2021