Nextcloud allowing Login with Windows Hello, bypassing Yubikey


That is indeed a bit vague. By useless I meant that I cannot force the use of the keys which I intended for it since, as stated, the users can add other keys too.
So if I buy keys, I will inform them how to add them. Since they know how to add them, they will conclude that adding Windows Hello is also possible. I am sure they will do it too, because they just can. Therefore they will almost never use the key.

Screen captures:

On the second screen, the final user has 2 choices: Whello or the key. I am looking to enforce only the key.
To do it, 2 options:

  1. Enforce hardware keys for Windows login. Possible with Azure AD, which my client doesn't use. In that case, the PIN is secured by the hardware key.

  2. Disable Whello, not tested so far. Don't even know if it is possible…

I don’t know if it’s somehow possible to enforce the usage of the security key locally on the device itself. Maybe with some hacks? But this only makes sense if the devices of your users are managed by the company, either via an on-prem AD or Azure AD. If the devices are unmanaged and the users have admin permissions on them, or if they bring their own devices, they could just revert these changes, or rather not apply them in the first place.