Forum Discussion

OliMue
Nov 22, 2021

Allow dynamic lock with FIDO key

Within Windows 11 (and 10) you can configure various options to log into the system. One possibility is the use of a physical security key. I really like this option, especially in conjunction with a FIDO key that includes a fingerprint sensor, like the YubiKey Bio or the T2F2BIO key, which allows a really password-less login.

Unfortunately, it is not possible to configure the system to lock automatically when the key is removed. So whenever I leave the desk I have to remove the key AND lock the screen. Within Windows there is a "dynamic lock" option which can be used in conjunction with a Bluetooth device to track the user's presence, but it would be great if we could also use the presence of the connected FIDO key as a detector for the presence of the user.

  • Marc_Gehri

    Hi OliMue,
    Have you found a solution to this problem in the meantime?
    I currently have 2 customers in the healthcare sector who need exactly this solution. Better than LOCK would be LOGOFF...
    The staff uses shared computers, until now with a general account. Now everything is being changed to personal accounts and this is causing discontent among the staff. It is tedious and slow to log on, and logging off is not done either.
    Therefore, the login is done via FIDO key, which caused positive reactions from the staff, but the logout is still the problem...

    Regards

    Marc

    • OliMue

      Hi Marc_Gehri,

      unfortunately there is still nothing available from Microsoft. We wrote a little tool that runs as a tray icon. It watches for a FIDO key being removed and, in that case, locks the screen.

      I can't give you the tool, but the most interesting code parts for writing the tool yourself would be these:

      using System.Diagnostics;
      using System.Linq;
      using System.Management;

      // Asks WMI whether any Plug and Play device reporting the manufacturer string 'FIDO' is currently present.
      private static bool GetIsFidoKeyAvailable()
      {
          return new ManagementObjectSearcher("SELECT * FROM Win32_PnPEntity WHERE Manufacturer='FIDO'")
              .Get().Cast<object>().Any();
      }

      private ManagementEventWatcher _managementEventWatcher;

      // Subscribes to device change notifications and re-checks for the key on every event.
      private void StartWatching()
      {
          this._managementEventWatcher = new ManagementEventWatcher();
          WqlEventQuery query = new WqlEventQuery("SELECT * FROM Win32_DeviceChangeEvent");
          this._managementEventWatcher.EventArrived += delegate(object s, EventArrivedEventArgs e)
          {
              var isKeyAvailable = GetIsFidoKeyAvailable();

              if (!isKeyAvailable)
              {
                  // ToDo: Lock or log off current user
                  Process.Start("C:\\WINDOWS\\system32\\rundll32.exe", "user32.dll,LockWorkStation");
              }
          };
          this._managementEventWatcher.Query = query;
          this._managementEventWatcher.Start();
      }

      Be aware that we have seen (especially when using USB hubs) that the key sometimes gets announced as removed, only to come back a few hundred milliseconds later. For this reason we debounced the log-off to wait 1 sec before really doing so.
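      As an added example (not the poster's tool), here is the 1-second debounce described above in C#: a timer is armed when the key disappears, cancelled if the key is announced again before it fires, and the presence is re-checked at fire time. It assumes the key reports 'FIDO' as its manufacturer, as in the query above, and locks through the user32 LockWorkStation API instead of rundll32.

```csharp
using System;
using System.Linq;
using System.Management;
using System.Runtime.InteropServices;
using System.Threading;

static class FidoPresenceLock
{
    // Grace period before locking: the post reports keys on USB hubs
    // disappearing and reappearing within a few hundred milliseconds.
    static readonly TimeSpan Debounce = TimeSpan.FromSeconds(1);
    [DllImport("user32.dll")]
    static extern bool LockWorkStation();
    static Timer _lockTimer;
    static ManagementEventWatcher _watcher;

    // Same WMI query as the post; 'FIDO' is assumed to be the manufacturer
    // string the key reports (a key tapped on an NFC reader is not enumerated).
    static bool IsFidoKeyPresent()
    {
        using (var searcher = new ManagementObjectSearcher(
            "SELECT * FROM Win32_PnPEntity WHERE Manufacturer='FIDO'"))
        using (var results = searcher.Get())
            return results.Cast<ManagementBaseObject>().Any();
    }

    static void OnDeviceChange(object sender, EventArrivedEventArgs e)
    {
        if (IsFidoKeyPresent())
            _lockTimer.Change(Timeout.Infinite, Timeout.Infinite);  // key back: cancel
        else
            _lockTimer.Change(Debounce, Timeout.InfiniteTimeSpan);   // key gone: arm
    }

    // Re-check at fire time so a key that returned meanwhile does not lock.
    static void LockIfStillAbsent(object state)
    {
        if (!IsFidoKeyPresent()) LockWorkStation();
    }

    static void Main()
    {
        _lockTimer = new Timer(LockIfStillAbsent, null, Timeout.Infinite, Timeout.Infinite);
        _watcher = new ManagementEventWatcher(new WqlEventQuery("SELECT * FROM Win32_DeviceChangeEvent"));
        _watcher.EventArrived += OnDeviceChange;
        _watcher.Start();
        Console.ReadLine();  // run until Enter is pressed
        _watcher.Stop();
    }
}
```

      Build against System.Management (NuGet package on .NET Core/.NET 5+, framework assembly on .NET Framework) and run it in the user's session, since LockWorkStation only locks the calling session.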

      • Marc_Gehri
        Hi OliMue,

        Sorry for the late reply.
        Thank you for the info; that reassures me, so I definitely do not have to invest much more time. It only remains to hope that Microsoft develops something analogous to SmartCard for FIDO as well.
        The solution with the app that checks for existing hardware works only partially with one of the two customers. NFC is used on some workstations, and the hardware recognition is said not to work there. Unfortunately, I am not directly involved...

        If I have further information, I will notify you...
