The previous day, a new version of YubiOn FIDO Logon was released. YubiOn FIDO Logon has also undergone various updates since its release in May 2021, but this is the first major update.
Surprisingly, you can now log on to Windows using your smartphone!
Until now, all of YubiOn's logon products required some security key device (YubiKey / FIDO security key), but now we have finally created a YubiOn product that can be used without a security key. Our company also works as a security key sales agent, so this may not be a good idea for promoting sales. However, we believe that we have created a product that is easy to recommend to everyone. A product that is easier to introduce enhances PC logon and allows more people to use it.
■ Try logon using the passkey on a smartphone
First, let's see how it works. I will check the actual operation after registering YubiOn FIDO Logon, installing the client application on the PC, and setting the registration code.
As a prerequisite, your PC must be connected to the Internet and your PC and smartphone must be compatible with BLE (Bluetooth Low Energy). Additionally, the smartphone OS version must be Android 9 or later for Android, and version 16 or later for iOS / iPadOS.
Launch the Setting tool and open "Authentication settings".
This Authentication settings screen previously had buttons for "Register" and "Delete", but the "Register" button has been divided into the "Register smartphone" and "Register security key" buttons. Click the "Register smartphone" button.
After communicating with the server for a while, a QR code will be displayed on the screen. By reading this QR code, you can use your smartphone as an "authenticator" similar to a security key. Here, let's read the QR code using an Android device.
When you read the QR code with a QR code reading app, a screen like this will be displayed on your smartphone, so tap "Allow" to proceed.
The registration confirmation screen will appear on your smartphone, so tap "Continue".
My smartphone supports fingerprint authentication, so I am asked for fingerprint authentication. Touch the fingerprint sensor the same way you normally unlock your smartphone. (I can't take a screen capture of this screen, but the screen will be like this photo.)
After communicating with the server for a while, registration is complete. Now you are ready for authentication.
Next, let's try logging on and unlocking.
This time we will try it briefly, so let's try locking the screen instead of logging out.
When you open the lock screen, a message will appear saying that a notification will be sent to the smartphone you registered earlier. The behavior here will change depending on the registered device. For Apple devices (iOS / iPadOS), a QR code will be displayed on the screen just like when registering. Android devices support "Hybrid authentication by notification", so notifications will be sent like this. I will explain the differences in this area later, but let's proceed with authentication for now.
When you click "Start authentication", a notification will be sent to your smartphone. Open the notification.
You will be asked to verify on your smartphone. Just like when registering, touch the fingerprint sensor to proceed.
If you proceed to this point, authentication will be completed and you will be asked to enter your Windows password. This part is the same as when using a security key, once you enter the password, you will not be asked for the password next time.
The screen lock was successfully released and the desktop was displayed.
■ Don't need the security key anymore?
Some people may think that if a smartphone can replace a security key, there is no need for a security key anymore. However, in actual use, I think it is best to use security keys and smartphones differently depending on the purpose. For example, the following usages can be considered:
・Scenes where high security is required:
In situations where high security is required, such as data centers, it may not be possible to bring in communication devices such as smartphones. In such cases, it is possible to use a security key inside the data center and a smartphone outside the data center.
・Scenes where you want to physically manage authentication information:
This is a similar story to the high-security section. One possible use would be to permit to use of the PC by physically handing over the security key. Normally, the administrator keeps the security key and permits to use the PC by handing over the key when necessary.
・Scenes without internet connection:
I will explain the details in the "Technical issue ①" section below, but this time, smartphone support uses a mechanism called Hybrid authentication. Due to the Hybrid authentication mechanism, an internet connection is required. You can easily log on with your smartphone in cases where you normally have a network connection, and use a security key to log on in cases where you cannot connect to the network.
In addition, although the technical aspects will be explained later if you register a smartphone as an authenticator, the authentication information will be synchronized with your Google account or Apple ID as a synced passkey(*1) rather than with the device itself. Although not directly related to YubiOn FIDO Logon, we also recommend using FIDO security keys to protect those OS accounts. Of course, the security key can also be shared with YubiOn FIDO Logon, so you can use the security key like a master key, usually authenticating with your smartphone, and then authenticating with the security key in case of trouble.
I can say that I have a position as an employee of a security key sales agency, but as an engineer myself, I also recommend FIDO security keys, so I hope you will consider them.
(*1) Only when registering an Android device from the WEB management console, it may be treated as device-bound passkeys depending on the settings. Please check this out for details.
■ Technical Talk ① - Hybrid Authentication
In technical terms, this update is an update that "supports Hybrid authentication". I explained Hybrid authentication as an aside when I explained passkey previously, but to put it simply, it is a mechanism(*2) for using a smartphone as an external authenticator. It was previously called "caBLE (cloud-assisted BLE)" and was primarily implemented in Android and Chrome browsers. Apple is implementing it at the same time as passkey support.
There are two main ways to use Hybrid authentication, which differ in how communication is started between a PC and a smartphone:
① Scan the QR and connect:
Display the QR code on the PC screen, and scan the QR on the smartphone side to connect. After scanning the QR code, it uses BLE to confirm that the PC and smartphone are nearby and then authenticates by exchanging authentication information via the Internet.
② Connect using notification:
At the moment, it is only implemented on Android, but once you have connected using the QR code in ①, you can send an authentication request notification from your PC to your smartphone via the Internet. By using this, you can perform authentication more easily by going through the notification → authentication on the smartphone side, without having to scan the QR code every time. Of course, BLE communication is also used now, so authentication cannot be performed if the PC and smartphone are far apart.
In both cases, the main flow is as follows:
Hybrid authentication starts by scanning a QR code or notification (via the Internet).
Confirm that the PC and smartphone are nearby using BLE.
Authentication is exchanged using CTAP2 (FIDO device communication protocol) via the Internet.
Authentication completed.
In addition, as the old name "caBLE" says, "cloud-assisted", Hybrid authentication communicates via the cloud, so an Internet connection is required. After confirming the presence of a smartphone near the PC using BLE, the actual exchange of authentication information (CTAP2) is encrypted over the Internet. The information required for encryption and decryption is exchanged using QR code and BLE, so data can be exchanged safely even over the Internet.
(*2) Basically, there are many ways to use a smartphone from a PC as an external authenticator, but the latest Chrome browser on Android has also been implemented to display a QR code on the smartphone and use another smartphone as an external authenticator.
■ Technical Talk ② - synced passkeys
The website claims that this update "supports passkey", but as I mentioned before, the word passkey is a little ambiguous. To describe precisely how we have "supported passkeys" this time, I think we can say that we have "supported synced passkeys on Apple and Android through Hybrid authentication".
I have previously introduced synced passkeys (formerly known as Multi-device FIDO Credentials, MDC), and as I briefly touched on above, it is a mechanism for synchronizing (sharing) authentication information with your smartphone OS account. I tried registering and logging in to my Android device earlier, but the credentials I registered here are automatically synchronized with my Google account and can be used on other Android smartphones and tablets using the same Google account. Apple devices also sync with Apple ID. This mechanism eliminates the need to register authentication information again even if you buy a new smartphone.
■ Summary
This time, I explained about logging on using a smartphone, which was added in the YubiOn FIDO Logon update. I think security products are evolving positively, becoming more convenient while still maintaining a high level of security.
You can try the free version for 3 months with the same functions as the paid person, so please try it!
■ Related links
[YubiOn FIDO Logon]
[YubiOn FIDO Logon Overview Page]
[Special page for YubiOn FIDO Logon passkey support]