Using libfido2 on Windows without Windows Hello #699
-
Hi folks! I am trying to use your library for WebAuthn flows outside of browsers. Also I am limited to not using Windows Hello and would prefer to talk to the authenticator directly. The flow is fairly simple - get a challenge from a relying party, call However on Windows I get no output if I try running
Interestingly enough, if I run the above command in an elevated PowerShell (admin rights) I am able to get a device handle. Also I can then use the same handle to call
I am using the latest release (1.13.0) downloaded from https://developers.yubico.com/libfido2/Releases/ on Windows 10 Enterprise 22H2.
Replies: 8 comments 15 replies
-
Hi @apantina, The only way to interface with a FIDO device from an unprivileged context in recent versions of Windows 10 and in Windows 11 is through Windows Hello. This is an OS-level requirement. It's a bit strange that you aren't seeing Windows Hello in the output of fido2-token -L. Did you explicitly disable USE_WINHELLO when building? Thank you, -p.
-
Hi @martelletto, thanks for the quick response!
-
That's quite interesting. Is there an alternative mechanism for unprivileged applications (e.g. Chrome) to communicate with FIDO keys? If so, we could look into supporting it in libfido2.
-
Browsers such as Chrome and Edge work fine with FIDO2 keys via WebAuthn even with Windows Hello disabled on their respective machines. Looking into Chromium code here, it seems like they use their WebAuthN header file and API, but I don't see any direct references to Windows Hello.
-
Oh, I see. Thanks. That dialogue comes from Microsoft's webauthn.dll, which is usually (but mistakenly) referred to as Windows Hello. We support webauthn.dll in libfido2, so it's strange that
-
Thanks for the clarification! For the record, I used pre-built binaries from the Releases page so I assume they had the default
-
An additional data point: @LDVG had a look and confirmed that the latest release image for Windows (1.13.0) was built with
-
Going back to your previous comment:
> Hi @apantina,
> The only way to interface with a FIDO device from an unprivileged context in recent versions of Windows 10 and in Windows 11 is through Windows Hello. This is an OS-level requirement.
> It's a bit strange that you aren't seeing Windows Hello in the output of fido2-token -L. Did you explicitly disable USE_WINHELLO when building?
> Thank you,
> -p.
Not sure if I follow - what should have been listed here exactly? A device handle or just Should
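The check the maintainer asks for above (does fido2-token -L list the webauthn.dll backend, and are you elevated?) as a PowerShell script. This is an added example, not code from libfido2 or from this thread; it assumes fido2-token.exe is on PATH (or passed via -TokenExe), that the one-device-per-line "path: vendor=..., product=... (...)" output format of fido2-token -L holds, and that a USE_WINHELLO build reports the webauthn.dll backend under the device path "windows://hello".

```powershell
# Added diagnostic (not part of libfido2): run `fido2-token -L`, report whether the
# process is elevated and whether the webauthn.dll backend ("windows://hello") is listed.
param(
    [string]$TokenExe = "fido2-token.exe"   # assumption: on PATH, or pass the full path
)

function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-Fido2Devices {
    param([string]$Exe)
    # Assumed output format: "<path>: vendor=0x...., product=0x.... (<maker> <product>)"
    $lines = & $Exe -L 2>&1 | Where-Object { "$_" -match '^\S+:\s' }
    foreach ($line in $lines) {
        # Split on the first ": " (not on "://" inside the windows://hello path)
        $path = ("$line" -split ':\s', 2)[0]
        [pscustomobject]@{
            Path       = $path
            IsWinHello = ($path -eq 'windows://hello')
            Raw        = "$line"
        }
    }
}

if (-not (Get-Command $TokenExe -ErrorAction SilentlyContinue)) {
    throw "fido2-token not found: $TokenExe"
}

$elevated = Test-Elevated
$devices  = @(Get-Fido2Devices -Exe $TokenExe)
$hello    = @($devices | Where-Object { $_.IsWinHello })

"Elevated process : $elevated"
"webauthn.dll     : $(Test-Path "$env:SystemRoot\System32\webauthn.dll")"
"Devices listed   : $($devices.Count)"
$devices | ForEach-Object { "  $($_.Raw)" }

if ($hello.Count -gt 0) {
    "OK: windows://hello is listed, so unprivileged access goes through webauthn.dll."
} elseif (-not $elevated) {
    "No windows://hello entry and not elevated: the OS blocks raw HID access, and this"
    "build appears to lack USE_WINHELLO. Rebuild with USE_WINHELLO enabled, or run elevated."
} else {
    "Elevated: raw HID devices are reachable, but without USE_WINHELLO unprivileged use will fail."
}
```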