This section describes the procedure for logging on to a PC using a security key.
If the authenticator is not yet registered
Depending on the administrator's settings, you may be required to register your authenticator when logging on.
In such cases, follow the on-screen instructions to register the authenticator.
Start your PC and display the logon screen.
Make sure “YubiOn® FIDO Logon” is displayed on the screen.
If you don’t see “YubiOn® FIDO Logon”, click “Sign In Options” and then click the YubiOn icon.
YubiOn FIDO Logon supports authentication by smartphone (QR code reading/notification) in addition to authentication by security key, so an authentication screen for a method other than the security key may appear depending on the usage situation.
In such cases, click “Logon with another type of device”, then click “Logon with security key” on the authentication information selection screen that appears, and log on with the security key.
Plug the authenticator into the USB port.
Make sure that your authenticator is working properly.
When multiple authenticators are connected at the same time, touch the authenticator you want to use to select it.
Operate the authenticator. The operation differs depending on the type of authenticator you are using.
Enter your PIN.
Touch the authenticator.
If authentication succeeds, the procedure moves on to the exit process.
Enter your Windows password.
If you are using a FIDO2-compliant key (PIN, biometric, etc.)
If you are using a FIDO2-enabled key, such as one that uses a PIN or biometrics, the Windows password you enter is securely stored by the FIDO2 function and does not need to be entered again.
If you change the Windows password, you will need to enter it again.
About Password Cache Regeneration
The password cache is stored using the most appropriate encryption method based on the information obtained during FIDO authentication.
As a rule, a password cache is generated and used for each set of authentication information. However, the password cache may need to be regenerated because of differences or changes in the authentication method, such as the following:
- Change of Windows password
- Differences in devices used for smartphone authentication
- Differences in authentication routes (direct logon, remote desktop logon)
- OS and software updates of PCs and smartphones
If the password cache needs to be regenerated, you will be asked to enter your Windows password again at logon. Follow the on-screen instructions to enter the password.
(Client Ver.2.4.0.3 or later)
When the “Screen lock when authenticator is removed” function is enabled
If the security key used for authentication is removed before the logon is completed, the logon will fail.
In this case, connect the security key again and perform the authentication again from the beginning.
If the Windows logon is successful, the desktop will be displayed.
Authentication in offline mode
YubiOn FIDO Logon performs online authentication.
However, if the administrator has enabled cache logon (offline logon) in the organization settings, offline logon is possible under the following conditions:
Cache logon must be enabled in the organization settings.
Online authentication must be successfully completed on the PC.
The number of days specified in the organization settings must have elapsed since the online authentication was successful.