YubiKey Bio Lockout using Duo Windows Login


Issue

When a YubiKey Bio is used to sign in to an offline Windows workstation protected with Duo Authentication for Windows Logon, the user may become locked out of the workstation. If the fingerprint match fails three times, the YubiKey Bio is blocked and continually blinks its amber LED. The Duo login screens do not prompt for the PIN that protects the YubiKey Bio, so the biometrics remain blocked and the user cannot sign in to the workstation with the YubiKey Bio. The Duo login screen might display the following failure messages.

 

[Screenshot: Duo login screen failure messages (bio-lockout-duo-i1.png)]

 

Workaround

Option 1:

  1. Sign in to a separate workstation that allows sign-in without the YubiKey Bio.
  2. Once signed in to that workstation, the user can unblock the biometrics on the YubiKey Bio by following the instructions in the FAQ here.
  3. Once the YubiKey Bio has been unblocked, it can be used to sign in to the first workstation.

Option 2:

  1. Restore the system to an online state where it can connect to the Duo service. The user can now gain access to the workstation using another authentication method.
  2. Once signed in to the workstation, the user can unblock the biometrics on the YubiKey Bio by following the instructions in the FAQ here.
