Using CredUIPromptForWindowsCredentials to authenticate a FIDO2 token

Question

I have an Azure AD joined system set up to log on using FIDO2 tokens. With that token I am able to logon as well as unlock the Windows 10 computer so I know that the token is registered and working.

When I try to authenticate a user's YubiKey using CredUIPromptForWindowsCredentials I do not see the "FIDO security key" as one of the options.

On the same system, when a fingerprint scanner is attached and setup, I see the option to authenticate the fingerprint. PIN and Windows Smart Card authentication is also working.

Anyone have any idea why "FIDO security key" does not appear as an option on the Security Dialog that appears when calling CredUIPromptForWindowsCredentials but does appear and work on the Windows Logon and Unlock screens?

Answer 1

As of Windows 10 1903 you can only access FIDO devices through Windows Hello unless running with administrator permissions. I can't find anymore the original Microsoft changelog talking about this, I did read it some time ago but I think it got removed, but this issue discuss this.

That explains why it shows on the login screen which is running under the SYSTEM account but not when using CredUIPromptForWindowsCredentials which is running in CREDUI mode, that is under the user account.

So you either have to correctly configure Windows Hello to use FIDO devices, or if you are developing your own credential provider you will have to use Windows Hello API.