Yubico announced its plans to support Microsoft's Windows Hello platform back in September at the Ignite conference, with the goal of bringing strong, hardware-based authentication to Windows 10.
Finally, after nearly two months of waiting, the YubiKey for Windows Hello app has landed in the Windows Store. It's a strong solution for retrofitting the additional protection of Windows Hello on systems that don't have built-in support for facial recognition or fingerprint-based sign-in.
The new app requires a YubiKey, Yubico's USB-based device that generates an encrypted, one-time password. Enterprise admins have been using hardware-based authentication for years, making it impossible for phishing attacks and password database breaches to succeed. Even if someone successfully steals your credentials, they can't sign in without proving that they also have the physical device as a second form of identification.
In this initial release, the Windows Hello support is limited to unlocking the device, allowing it to serve as an alternate form of authentication to a PIN.
YubiKey support is also available on other services, including Dropbox, GitHub, WordPress, Google accounts, and a gaggle of password managers. That latter category includes LastPass Premium, which has an extension for Microsoft Edge (as well as every other modern browser), meaning you can use hardware-based authentication on Windows and the Web.
On the PC side, the YubiKey solution requires the Windows 10 Anniversary Update (specifically version 1607, build 14393.321 or later) and a Windows user account set up with a PIN.
I tested the authentication support on a Dell laptop using the YubiKey 4, a $40 device that's roughly the same size as a slim flash drive, and a $50 YubiKey 4 Nano, which fits in a USB slot with only a tiny metal protrusion you tap to authenticate. A bundle with a USB Type-C adapter is also available. (Older YubiKey devices might also work, but the newer designs are preferred.)
Setting up a YubiKey to work with Windows Hello takes literally a few seconds. (The device itself doesn't require any drivers or power.) After installing the app, follow the prompts to associate it with your Windows account, a task that requires inserting the key into a free USB slot and tapping it with a finger.
Signing in after a restart requires full credentials (password or PIN), which means a stranger who steals your PC and the YubiKey can't use it to access your device. The Windows Hello-based authentication kicks in when your device is locked or when you need to authenticate a purchase or other transaction after signing in, a process that normally requires a password or PIN.
The first release of this app, which is built on the Windows Companion Device Framework, is a single-function device, but the potential exists for its capabilities to expand to other Microsoft authentication tasks, including those associated with Windows Hello for Business.
Given the current security threat landscape, anyone who's serious about protecting their online identity should consider hardware-based two-factor authentication. In enterprise settings, a PKI-based system might make more sense, but the simplicity and ease of use of YubiKey makes it a natural choice for individuals and small businesses.