Managing Windows Hello / Microsoft Login with Security Key Accounts

wishy · September 14, 2022, 6:25pm

So I had about 7 Microsoft accounts, all have a security key login option.

I’ve had to delete 3 accounts because of inactivity, however even that the accounts are gone, If I try to use the security key to login into Microsoft, they are still there.

One way to solve this is to reset the key using windows, however that deletes basically all entries that use the security key including non Microsoft one (Basically a FIDO wipe)

I was wondering If I could somehow manage which account to keep and which to delete from the Fido key.

Here is an example Image

t11 · September 14, 2022, 7:07pm

Did you try using the CLI to delete the credential from the key like this - OnlyKey Command-Line Utility | Docs

wishy · September 14, 2022, 8:25pm

I tried that on both windows and linux, it asks for PIN

I tried the pin that unlocks ONLYKEY, I tried the PIN that windows asks when using ONLYKEY, I tried the PIN for unlocking the pc.

Whichever option I do, it just gives me nothing.
I even use change-pin and still the same.

Is there a specific PIN to put?

wishy · September 14, 2022, 9:47pm

@t11

So I run onlykey-cli credential ls on both fedora and ubuntu and now it shows this list of errors:

onlykey-cli credential ls
PIN: 
Traceback (most recent call last):
  File "/usr/local/bin/onlykey-cli", line 11, in <module>
    load_entry_point('onlykey==1.2.10', 'console_scripts', 'onlykey-cli')()
  File "/usr/local/lib/python3.6/dist-packages/onlykey/cli.py", line 1196, in main
    cli()
  File "/usr/local/lib/python3.6/dist-packages/onlykey/cli.py", line 520, in cli
    solo.cli.key()
  File "/usr/local/lib/python3.6/dist-packages/click/core.py", line 1128, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/click/core.py", line 1053, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.6/dist-packages/click/core.py", line 1659, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.6/dist-packages/click/core.py", line 1659, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.6/dist-packages/click/core.py", line 1395, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.6/dist-packages/click/core.py", line 754, in invoke
    return __callback(*args, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/solo/cli/key.py", line 552, in cred_ls
    client = solo.client.find(serial, udp=udp)
  File "/usr/local/lib/python3.6/dist-packages/solo/client.py", line 38, in find
    raise solo.exceptions.NoSoloFoundError("no Device found")
solo.exceptions.NoSoloFoundError: no Device found
Error in atexit._run_exitfuncs:
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/onlykey/cli.py", line 1204, in exit_handler
    only_key._hid.close()
AttributeError: 'OnlyKey' object has no attribute '_hid'

And this is what happens when I run it on windows:

onlykey-cli credential ls

PIN:
Traceback (most recent call last):
  File "cli.py", line 6, in <module>
  File "onlykey\cli.py", line 1196, in main
  File "onlykey\cli.py", line 520, in cli
  File "click\core.py", line 829, in __call__
  File "click\core.py", line 782, in main
  File "click\core.py", line 1259, in invoke
  File "click\core.py", line 1259, in invoke
  File "click\core.py", line 1066, in invoke
  File "click\core.py", line 610, in invoke
  File "solo\cli\key.py", line 563, in cred_ls
  File "fido2\ctap2\credman.py", line 178, in enumerate_creds
  File "fido2\ctap2\credman.py", line 179, in <listcomp>
  File "fido2\ctap2\credman.py", line 165, in enumerate_creds_next
  File "fido2\ctap2\credman.py", line 96, in _call
  File "fido2\ctap2\base.py", line 882, in credential_mgmt
  File "fido2\ctap2\base.py", line 680, in send_cbor
  File "fido2\cbor.py", line 171, in decode
  File "fido2\cbor.py", line 167, in decode_from
  File "fido2\cbor.py", line 149, in load_map
  File "fido2\cbor.py", line 167, in decode_from
  File "fido2\cbor.py", line 149, in load_map
  File "fido2\cbor.py", line 167, in decode_from
  File "fido2\cbor.py", line 132, in load_text
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x80 in position 0: invalid start byte
[12284] Failed to execute script cli

Any fix for that?

wishy · September 14, 2022, 11:27pm

UPDATE: I finally made it work.

It seems that the backup that I made recently had corrupted, perhaps (which gave the error above).
When I did a reset for the credentials, and restored from an older backup onlykey-cli credential ls it worked!!
I removed all the entries, then re added them as new in Microsoft, and made a new backup, reset again, then restored to it and everything works just fine.

Sorry If I panicked on posting, it is just I have 400+ accounts with FIDO setup and I didn’t want to go through them all from scratch.

Topic		Replies	Views
Windows claims "You've entered incorrect pin too many times" Two Factor Authentication	3	451	May 23, 2022
Windows Hello FIDO key registration	0	46	January 29, 2024
How can I see my keys? Two Factor Authentication	2	272	October 7, 2022
Unable to list credentials and set FIDO2 PIN in CLI Two Factor Authentication	15	1040	June 7, 2021
Onlykey Blocked In Microsoft 365 Two Factor Authentication	5	250	October 3, 2023

Managing Windows Hello / Microsoft Login with Security Key Accounts

Related Topics