
I just installed the Windows 10 1809 update, which includes support for FIDO2 passwordless sign-in. I own a Yubikey 5, which supports this standard. However, I am not able to set up Windows Hello, a prerequisite for FIDO2 sign-in, because my PC motherboard does not have a TPM installed.

Edit: The comments correctly point out that the article does not mention that Windows Hello is a prerequisite. However, the setting "Windows Hello and security keys" mentioned here is not available to me. I assume this is because I have not set up Windows Hello.

According to the same Microsoft blog post,

The private key is stored securely on the device ... [At the same time] the public key is sent to the Microsoft account system in the cloud.

This implies that using FIDO2 login does not store any secrets in the TPM on the motherboard, since the security key stores them (as expected). If this is correct, why does Microsoft require Windows Hello, and therefore a motherboard TPM? If it's an oversight or deliberate corner-cutting, are they likely to fix it any time soon?

Is there any way I might get this to work without purchasing a TPM that I don't need and won't actually use?

(Background: I don't need this feature but I am interested in the technology and would find it fun to try out.)

  • Are you sure you actually need to set up Windows Hello to use a FIDO2 key? The article makes it sound like Windows Hello is an alternative rather than a prerequisite. – Macil Nov 27 '18 at 23:32
  • 1
    Just to be clear: are you trying to log into your PC using the Microsoft account, or trying to log into your Microsoft account through the web browser? The blog post you linked to talks about the latter, not the former. – CBHacking Nov 27 '18 at 23:46
  • @Macil I agree that it isn't clear. There's a clearer article at https://support.microsoft.com/en-us/help/4463210/windows-10-sign-in-microsoft-account-windows-hello-security-key, which does not explicitly say that you need Windows Hello. However, I can confirm that the setting "Windows Hello and security keys" it talks about is not available for me, which I assume is because Windows Hello is not set up. – Daniel Causebrook Nov 28 '18 at 15:42
  • Maybe you don't have the right Windows update installed, or it failed to fully install correctly. – Macil Nov 28 '18 at 21:39

1 Answer


Windows Hello IS a FIDO authenticator. If you don't have a Windows Hello security key (e.g. Yubikey), you can use Windows Hello. That requires a TPM. You shouldn't need a TPM to authenticate using an external key.

Steve
  • This I understand, but it still does not explain why I do not have the option to add a security key available to me. Unless there is some other configuration issue I am missing, it seems to me like I'll need to set up Windows Hello in order to have the option to add other security keys. – Daniel Causebrook Nov 28 '18 at 15:51
  • 1
    In either case, perhaps this question would be better directed at Microsoft or the Microsoft forums. – Daniel Causebrook Nov 28 '18 at 15:59