Issue:
Users are unable to authenticate using a YubiKey in the Pre-Boot Authentication (PBA) environment. The error message indicates incorrect credentials, although the YubiKey works correctly under Windows. This issue occurs only when the user is not connected to the network. When a network connection is established, the YubiKey is recognized as valid in the PBA, and authentication proceeds without issues.
Cause:
The issue may be related to the multiple interfaces supported by YubiKey, which can sometimes interfere with each other. Additionally, the caching of YubiKey credentials in the PBA may be lost over time, requiring frequent re-caching.
Resolution:
Disable Unnecessary Interfaces on YubiKey:
Use the YubiKey Manager application to disable all interfaces except for the PIV (Personal Identity Verification) interface.
This can help prevent interference between the multiple interfaces supported by YubiKey.
Re-cache YubiKey Credentials:
In the SDConnex application, remove the checkmark for token authentication.
Re-authenticate with the YubiKey.
Re-enable the checkmark for token authentication to re-cache the credentials.
Monitor the Situation:
Observe the behavior over a few weeks to ensure the issue does not recur.
If the problem persists, consider updating the SES server and rolling out a new client version.
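For the first resolution step, the interface change can also be scripted with the YubiKey Manager command line (ykman) rather than the GUI. The script below is an added example, not vendor-supplied tooling: the function names and the sample list of enabled applications are assumptions, and it covers the USB transport only.

```shell
# Added example: build the ykman command that leaves only PIV enabled on USB.
# Constructed sample of what `ykman config usb --list` may print; the exact
# display names vary by ykman version and are an assumption here.
SAMPLE_ENABLED='Yubico OTP
FIDO U2F
FIDO2
OATH
PIV
OpenPGP'

# Map one listed application name to the value `--disable` expects.
# Prints nothing for PIV (kept) and for names it does not recognise.
to_disable_flag() {
    name=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | tr -d ' ')
    case "$name" in
        *PIV*)     ;;                 # keep PIV for PBA token logon
        *OTP*)     echo OTP ;;
        *U2F*)     echo U2F ;;
        *FIDO2*)   echo FIDO2 ;;
        *OATH*)    echo OATH ;;
        *OPENPGP*) echo OPENPGP ;;
        *HSM*)     echo HSMAUTH ;;
    esac
}

# Read the enabled applications on stdin and print the ykman command to run.
# Refuses if PIV is not enabled: disabling the rest would leave no token logon.
piv_only_cmd() {
    cmd='ykman config usb'; piv=no; changed=no
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case "$line" in *PIV*|*piv*) piv=yes ;; esac
        flag=$(to_disable_flag "$line")
        if [ -n "$flag" ]; then cmd="$cmd --disable $flag"; changed=yes; fi
    done
    [ "$piv" = yes ] || { echo 'PIV is not enabled; refusing' >&2; return 1; }
    [ "$changed" = yes ] || { echo 'PIV is already the only enabled application'; return 0; }
    echo "$cmd"
}

# Dry run on the sample by default; with --apply, query the inserted key.
if [ "${1:-}" = "--apply" ]; then
    cmd=$(ykman config usb --list | piv_only_cmd) || exit 1
    case "$cmd" in ykman*) $cmd ;; *) echo "$cmd" ;; esac
else
    printf '%s\n' "$SAMPLE_ENABLED" | piv_only_cmd
fi
```

Run it without arguments first to review the generated command; ykman asks for confirmation before it changes the key's configuration.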
By following these steps, users should be able to resolve the YubiKey authentication issue in the PBA environment. If the issue continues, further investigation and potential updates to the system may be required.