Share via

Windows Security Key Login with Multiple Accounts on Key

Thomas Pike 20 Reputation points
2023-06-24T00:24:10.2266667+00:00

We are currently implementing security key logins for Windows 11 using YubiKey FIDO keys on our AutoPilot deployed AzureAD only joined devices. So far the implementation is working well for the majority of our users.

Our administrators have separate high privilege administrator accounts so they have two AzureAD accounts associated with their YubiKey. When logging into websites and virtual machines they are able to select which account to use and therefore use the right account to access services.

The issue we are facing is with Windows logins. When using a YubiKey to login they are logged into the last account the user logged into the machine with, which is typically the 'wrong' account - normally their administrative account, rather than their low privileges account. This occurs even when the low privileges account is selected from the account picker on the Windows login screen.

How can Windows logins be configured to allow a single YubiKey to support multiple Windows accounts?

Microsoft Security | Intune | Security
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Windows for business | Windows Client for IT Pros | User experience | Other

4 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Graham C 36 Reputation points
    2026-05-07T19:01:39.5866667+00:00

    This is a big problem. Guidance across the board to separate admin from normal access but we can't specify the desktop user at signon for the most phishing resistant method? That means we cannot fully enforce FIDO2 keys only for desktop use on PAW/SAW devices or have to issue a key for each account to use at the desktop.

    Is there a feature enhancement request we can upvote somewhere to make this a thing on W11 ?

    Was this answer helpful?

    0 comments
  2. Carsten S 0 Reputation points
    2023-11-10T12:33:53.5866667+00:00

    It seems that Windows logon uses the account which has been most recently added to the Yubikey. So: reset your Yubikey, re-register your administrative account(s) first, then finally register your normal account.

    If you don't want to completely reset and re-register all your admin accounts, it might also work to only remove your normal account credentials with ykman.exe (https://tinyurl.com/mvw2bdmc) and re-register it so that it becomes the most recently added. But I have not tried this yet.

    Was this answer helpful?

    0 comments
  3. Maurice 21 Reputation points
    2023-09-19T16:09:21.39+00:00

    Same problem here. Does anyone have a suggestion? Thank you! Edit: Just found this doc, it is not supported. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-windows#unsupported-scenarios

    Was this answer helpful?

    0 comments
  4. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

    Comments have been turned off. Learn more

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.