warning for yubikey MFA for Windows

[oppressor1761]

Changes proposed in this PR:

• Point out the potential risks of using third-party software to modify the operating system login process.

• I agree to the terms listed below:
  Contribution terms (click to expand)

  1) I am the sole author of this work. 2) I agree to grant Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform, relicense, and distribute my contribution as part of this project. 3) I have disclosed any relevant conflicts of interest in my post. 4) I agree to the Community Code of Conduct.

[github-actions]

✅ Your preview is ready!

Name	Link
🔨 Latest commit	c57cbc7
😎 Preview	https://2566--glowing-salamander-8d7127.netlify.app/

[jonaharagon]

Thanks for the PR!

I don't think we need to explicitly say "consider your threat model" on the site though. We could just as well say it under every single recommendation. This is kind of implied...

[oppressor1761]

Let me be more clearer: I donot think using Yubikey MFA to harden Windows local account should be recommended because this adds too much attack surface. Any 0-day in the app required could leave your account compromised. If you are concerned use a long password or remove local account login for Windows is the right move, not using Yubikey MFA.

[ph00lt0]

Tend to agree here. Might also be good to point out that windows hello does have support for security keys.

[jonaharagon]

Actually, I disagree with the premise that this could lead to account compromise in the first place. The app only adds a second factor in addition to the existing username+password security. In the unlikely event that the app fails, you should not be worse off than single-factor authentication.

Windows Hello would replace a password I believe, which is not necessarily desirable behavior here.

[oppressor1761]

The app (Yubico Login for Windows) does not just add a factor. It replaces the whole login process for the local account. It's the app not Windows who verify both password and Yubikey. It is possible that exploits in the app lead to account compromise. It's not open source so we donot know how exactly it handles the password entered. best to not trust it in the login process.

[oppressor1761]

It adds a credential provider in HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{28CF0DB8-7BE8-4F28-8368-7EAB35625D45} . It's different from the original password CP {60b78e88-ead8-445c-9cfd-0b87f74ea6cd}.

[jonaharagon]

Sorry I double checked later and you're right. These changes LGTM now 👍

[oppressor1761]

I'm not very familar with the PR process. Can anyonw tell me why this is still not merged?