This repository contains a collection of FIDO related resources.


JMarkstrom/FIDO2


YubiKey PIN Generator

The YubiKey PIN Generator is a Python script that facilitates configuration of one or more YubiKeys. The script:

  • Sets a random and non-trivial PIN (default: 4 digits)
  • If selected (and supported by the YubiKey firmware), flags the PIN so that it must be changed on first use
  • Prints the YubiKey model, serial number, initial PIN (and the PIN-change flag) to a JSON output file
  • Prompts for configuration of additional YubiKey(s).

💻 Prerequisites

The following are prerequisites for running the script:

NOTE: Refer to swjm.blog for detailed setup instructions.

📖 Usage

To run the script, simply execute command: python yubikey-pin-gen.py

NOTE: Refer to swjm.blog for detailed usage instructions.

🗎 The output.json file

The script writes a file called output.json to the working directory. It contains the initial PIN of every configured key in plain text, so restrict access to the file and delete it once the PINs have been handed out.

Here is an example:

[
    {
      "Model": "YubiKey 5C NFC",
      "Serial number": 12345678,
      "PIN": "6855",
      "PIN change required": true
    }
]
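As an added example, not the repository's yubikey-pin-gen.py, the following Python shows what the two pieces above look like in code: drawing a random PIN from the OS CSPRNG and rejecting trivial patterns, and building a record with the same keys as output.json. The trivial-pattern rules, the COMMON_PINS set and the model/serial values are assumptions made for this example; the real script reads model and serial from the connected key.

```python
# Added example, not the repository's yubikey-pin-gen.py: how a "random and
# non-trivial" numeric PIN can be generated, and how a record in the shape of
# output.json is built. The trivial-pattern rules and COMMON_PINS are this
# example's own assumptions, not something the script documents.
import json
import secrets
import string
from typing import Dict, List, Union

# CTAP2 requires at least 4 Unicode code points; this example stays numeric.
MIN_PIN_LENGTH = 4

# A few PINs that top every leaked-PIN frequency list (assumed, not exhaustive).
COMMON_PINS = {"1234", "0000", "1111", "2580", "1212", "6969", "1004", "2000", "4444", "7777"}

Record = Dict[str, Union[str, int, bool]]


def is_trivial(pin: str) -> bool:
    """True if the PIN is something an attacker would try before brute force."""
    if pin in COMMON_PINS:
        return True
    if len(set(pin)) == 1:                                  # 5555
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps == {1} or steps == {-1}:                       # 3456, 8765
        return True
    half = len(pin) // 2
    if len(pin) % 2 == 0 and pin[:half] == pin[half:]:      # 4747, 123123
        return True
    return False


def generate_pin(length: int = MIN_PIN_LENGTH) -> str:
    """Draw digits from the OS CSPRNG (secrets) and reject trivial patterns."""
    if length < MIN_PIN_LENGTH:
        raise ValueError(f"PIN must be at least {MIN_PIN_LENGTH} digits")
    while True:
        pin = "".join(secrets.choice(string.digits) for _ in range(length))
        if not is_trivial(pin):
            return pin


def make_record(model: str, serial: int, pin: str, change_required: bool) -> Record:
    """One entry of the output.json list, using the same keys the README shows."""
    return {"Model": model, "Serial number": serial, "PIN": pin, "PIN change required": change_required}


def to_json(records: List[Record]) -> str:
    return json.dumps(records, indent=4)


def write_output(records: List[Record], path: str = "output.json") -> None:
    """Write the list to disk. The file holds initial PINs in plain text, so
    restrict its permissions and delete it once the PINs have been handed out."""
    with open(path, "w", encoding="utf-8") as f:
        f.write(to_json(records))


if __name__ == "__main__":
    # Model and serial would normally be read from the connected key; constructed here.
    record = make_record("YubiKey 5C NFC", 12345678, generate_pin(), True)
    write_output([record])
    print(to_json([record]))
```

The rejection loop costs almost nothing: only a small fraction of 4-digit strings are trivial under these rules, so the expected number of draws is close to one, and every accepted PIN still comes from the CSPRNG rather than from a hand-picked set.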

Assembled list of FIDO AAGUIDs

The AAGUID, short for "Authenticator Attestation Globally Unique Identifier", is part of the FIDO2 specification. In most cases it identifies the authenticator make and model (some authenticators report an all-zero AAGUID instead), which gives a Relying Party (RP) or Identity Provider (IdP) a simple way to include or exclude authenticator models during registration/enrollment and authentication without, for example, implementing the FIDO Metadata Service. Note that the AAGUID is asserted by the authenticator itself: an RP that does not verify the attestation statement is trusting what the authenticator claims to be, so an AAGUID allow-list is a policy convenience, not a cryptographic guarantee of the hardware in use.

A CSV file containing "all" AAGUIDs can be found here.

Last updated: 2024-05-15 at 17:00 CET
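As an added example (not code from this repository, and not dependent on the CSV), the following Python shows how an RP consumes an AAGUID list: it parses the AAGUID out of a registration authenticatorData blob and checks it against an allow-list, also rejecting an all-zero AAGUID, a wrong RP ID hash and registrations made without user verification. The AAGUIDs in ALLOWLIST and the authenticatorData produced by build_auth_data() are constructed placeholders, not real product identifiers. Because the AAGUID is self-reported, this check establishes what the authenticator claims to be; binding that claim to real hardware additionally requires verifying the attestation statement.

```python
# Added example, not code from this repository: extract the AAGUID from a
# WebAuthn registration authenticatorData blob and apply an AAGUID allow-list
# the way a Relying Party would. ALLOWLIST and the fixture built by
# build_auth_data() are constructed placeholders, not real product
# identifiers; a real allow-list would be loaded from the CSV above.
import hashlib
import struct
import uuid
from typing import Dict, Tuple

# authenticatorData flag bits (WebAuthn, section 6.1)
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN or biometric)
FLAG_AT = 0x40  # attested credential data follows the 37-byte header

# Placeholder AAGUIDs, constructed for this example (not real devices).
EXAMPLE_AAGUID_A = uuid.UUID("11111111-1111-1111-1111-111111111111")
EXAMPLE_AAGUID_B = uuid.UUID("22222222-2222-2222-2222-222222222222")
UNKNOWN_AAGUID = uuid.UUID("33333333-3333-3333-3333-333333333333")
ZERO_AAGUID = uuid.UUID(int=0)

ALLOWLIST: Dict[uuid.UUID, str] = {
    EXAMPLE_AAGUID_A: "example hardware key, model A",
    EXAMPLE_AAGUID_B: "example hardware key, model B",
}


def build_auth_data(rp_id: str, aaguid: uuid.UUID, credential_id: bytes,
                    flags: int = FLAG_UP | FLAG_UV | FLAG_AT, sign_count: int = 0,
                    cose_key: bytes = b"\xa1\x01\x02") -> bytes:
    """Fixture builder: rpIdHash | flags | signCount | aaguid | credIdLen | credId | COSE key.
    A real blob comes from the authenticator inside the attestationObject; the
    COSE key here is a placeholder and is never decoded."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count)
            + aaguid.bytes
            + struct.pack(">H", len(credential_id))
            + credential_id
            + cose_key)


def parse_attested_credential(auth_data: bytes) -> Dict[str, object]:
    """Parse the fixed header and the attested credential data; raise on malformed input."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than its 37-byte fixed header")
    flags = auth_data[32]
    if not flags & FLAG_AT:
        raise ValueError("AT flag clear: no attested credential data (not a registration)")
    body = auth_data[37:]
    if len(body) < 18:
        raise ValueError("truncated attested credential data")
    aaguid = uuid.UUID(bytes=body[:16])
    (cred_len,) = struct.unpack(">H", body[16:18])
    credential_id = body[18:18 + cred_len]
    if len(credential_id) != cred_len:
        raise ValueError("credentialId runs past the end of authenticatorData")
    return {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": aaguid,
        "credential_id": credential_id,
        "cose_key": body[18 + cred_len:],
    }


def check_registration(auth_data: bytes, allowlist: Dict[uuid.UUID, str],
                       expected_rp_id: str, require_uv: bool = True) -> Tuple[bool, str]:
    """Accept the registration only if the RP ID matches, user verification was
    performed and the (self-reported) AAGUID is on the allow-list."""
    try:
        cred = parse_attested_credential(auth_data)
    except ValueError as exc:
        return False, f"malformed authenticatorData: {exc}"
    if cred["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash does not match this RP"
    if require_uv and not cred["flags"] & FLAG_UV:
        return False, "user verification (PIN/biometric) not performed"
    aaguid = cred["aaguid"]
    if aaguid.int == 0:
        return False, "all-zero AAGUID: authenticator did not identify itself"
    label = allowlist.get(aaguid)
    if label is None:
        return False, f"AAGUID {aaguid} not on the allow-list"
    return True, label


if __name__ == "__main__":
    blob = build_auth_data("login.example.com", EXAMPLE_AAGUID_A, b"\x01" * 16)
    print(check_registration(blob, ALLOWLIST, "login.example.com"))
```

In a real deployment the allow-list is loaded from the CSV keyed by AAGUID, and the decision is made after the attestation statement has been verified, since that is the only step that ties the AAGUID bytes to a manufacturer key; the COSE public key is left undecoded here because it plays no part in the AAGUID decision.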

Enable Security Key Logon

Registry keys

The file Enable-Security-Key-Logon.reg contains a registry key that will enable security key logon on Windows 10 & Windows 11.

📖 Usage

To use this registry key, download it or save its content to a file (with a .reg extension) and double-click on it; merging it requires administrative rights.

Administrative template (ADMX)

The archive file Enable-Security-Key-Sign-in-ADMX-1.0.zip adds security key sign-in as a GPO control to the existing credentialproviders.admx view (it does not replace the file itself), to "augment" a Windows Server GPO where this control is not yet available (e.g. on Windows Server 2019 and earlier).

📖 Usage

For usage instructions, see readme.txt inside the archive.

Provisioning package

The file Enable-Security-Key-Sign-in-1.0.ppkg contains a provisioning package that will enable security key logon on Windows 10 & Windows 11. The package is unsigned and not encrypted, so Windows will ask for confirmation before applying it; inspect its contents in Windows Configuration Designer before deploying it.

📖 Usage

To use this package download it and double-click on it (or import into Windows Configuration Designer and go from there).

Enforce Security Key Logon

Registry keys

The file Disable-PasswordProvider.reg contains a registry key that will DISABLE password-based logon on Windows 10 & Windows 11.

📖 Usage

To use this registry key, download it or save its content to a file (with a .reg extension) and double-click on it; merging it requires administrative rights. Apply it only after security key sign-in has been verified to work on the device, since it removes the password as an interactive logon method, and keep another working sign-in method available for recovery. To disable _additional_ credential providers you can expand this key using the listing provided at https://swjm.blog

Script

The file Enforce_security_key_sign-in.ps1 is a PowerShell script meant for Microsoft Endpoint Manager (Intune) configuration of Windows 10 and 11 clients. The script is _adapted_ from an original script created by Craig Wilson (https://craigwilson.blog/) and works by DISABLING alternative credential providers.

📖 Usage

See: https://swjm.blog

Add Kerberos object from on-premises AD to Azure AD

The file Add-Kerberos-object-to-AAD.ps1 is a PowerShell script designed to establish an Azure AD Kerberos Server object in your on-premises AD, enabling seamless FIDO2 (SSO) access to on-premises resources such as network shares. This is not mandatory for FIDO2 security key sign-in, but it broadens the use of the security key beyond PC login.

📖 Usage

See: https://swjm.blog

Terms of Use (ToU) Passkeys

The file Terms-of-Use-(ToU)-Passkeys.pdf is an example of a "Terms of Use" (ToU) that can be presented to users when accessing company resources. This example ToU stipulates that users must set a non-trivial PIN on the security key and places the responsibility for doing so on the user.

📖 Usage

See: swjm.blog
