YubiKey Bio Lockout using PingID Integration for Windows Login


Issue

An issue can occur using a YubiKey Bio while signing in to a Windows workstation protected with PingID Integration for Windows Login where the user may become locked out of their workstation. If the user attempts to use the YubiKey Bio and the fingerprint match fails three times, then the YubiKey Bio will be blocked and continually blink the amber LED. The PingID screens do not prompt for the PIN protecting the YubiKey Bio and therefore the biometrics remain blocked. The user is prevented from signing in to the workstation using the YubiKey Bio. The PingID screen may not show any failure messages.

 

bio-lockout-pingid-i1.png

 

Workaround

Option 1:

  1. Use an alternate backup authentication method that has been registered with PingID to sign in to the workstation.
  2. Once signed in to the workstation the user can unblock the biometrics on the YubiKey Bio by following instructions in FAQ here.

Option 2:

  1. Sign in to a separate workstation that can be signed in to without using the YubiKey Bio.
  2. Once signed in to the workstation the user can unblock the biometrics on the YubiKey Bio by following instructions in FAQ here.
  3. Once the YubiKey Bio has been unblocked, it can be used to sign in to the first workstation.

** Yubico and Ping Identity are engaged to resolve this issue.

 

Related articles: