YubiKey Bio Lockout using PingID Integration for Windows Login


Issue

A user signing in with a YubiKey Bio to a Windows workstation protected with PingID Integration for Windows Login may become locked out of that workstation. If the user attempts to use the YubiKey Bio and the fingerprint match fails three times, the YubiKey Bio will be blocked and will continually blink the amber LED. The PingID screens do not prompt for the PIN protecting the YubiKey Bio, so the biometrics remain blocked and the user cannot sign in to the workstation using the YubiKey Bio. The PingID screen may not show any failure messages.

 

This issue applies to PingID Integration for Windows Login versions: 2.2 through 2.5.2

 


 

Workaround

Option 1:

  1. Upgrade to PingID Windows Login v2.7. The v2.7 release has been updated to support FIDO2 PINs and now prompts for the PIN after 3 unsuccessful fingerprint matches.
     Note: Verify that the PIN prompt behavior of PingID Windows Login v2.7 meets the user experience expectations for your organization.

PingID Windows Login: https://www.pingidentity.com/en/resources/downloads/pingid.html

 

Option 2:

  1. Use an alternate backup authentication method that has been registered with PingID to sign in to the workstation.
  2. Once signed in to the workstation, the user can unblock the biometrics on the YubiKey Bio by following the instructions in the FAQ here.

Option 3:

  1. Sign in to a separate workstation that does not require the YubiKey Bio for sign-in.
  2. Once signed in to that workstation, the user can unblock the biometrics on the YubiKey Bio by following the instructions in the FAQ here.
  3. Once the YubiKey Bio has been unblocked, it can be used to sign in to the first workstation.

 
