YubiOn FIDO Logon Adds Enterprise Attestation for Enhanced Asset and Inventory Management
- YubiOn

February 6, 2025
To All Members of the Press,
As of February 6, 2025, YubiOn FIDO Logon, which enables multi-factor authentication for PC logon, supports Enterprise Attestation, an additional mechanism in the FIDO2 scenario.
Enterprise Attestation requires authenticators that support this functionality. In YubiOn FIDO Logon, these are referred to as enterprise authenticators.
By using enterprise authenticators and their features, YubiOn FIDO Logon can restrict which authenticators are permitted for use. This allows administrators to ensure that only authenticators they provide are used by end users. It also enables the identification of which end user is using which authenticator, making asset and inventory management possible.
Soft Giken Co., Ltd. (President: Norio Fujita, established in 1983) has been offering the cloud service YubiOn FIDO Logon, part of the YubiOn Security Authentication Service, since May 2021. This service makes passwordless authentication easy for everyone. On July 1, 2024, support for PC logon using passkeys via remote desktop connection was added. Furthermore, to simplify enterprise deployment, a powerful key registration option was introduced on November 6, 2024. Now, with the addition of support for enterprise authenticators with Enterprise Attestation, the service further enhances manageability.
Image: Restricting usage to enterprise authenticators only

About Enterprise Attestation
Normally, passkeys (FIDO authentication) do not allow identification of the specific authenticator used by the end user. As a result, users can freely register authenticators, but administrators cannot determine which authenticators are being used by which users.
However, some organizations require more control—not only that passkeys protect users, but also that those passkeys are used only with authenticators provided by the company.
Enterprise Attestation addresses this need by offering a mechanism to uniquely identify authenticators and determine whether their use is permitted. To use this feature, special authenticators that support Enterprise Attestation, referred to as enterprise authenticators, are required.
Enterprise Authenticator Features in YubiOn FIDO Logon
YubiOn FIDO Logon provides passkey-based authentication for PC logon. With the enterprise authenticator feature, authenticators can be managed by serial number.
This enables administrators to:
・Prevent users from registering personal authenticators.
・Ensure only pre-approved authenticators are used for PC logon.
・Track authenticator usage and respond to loss or replacement needs.
Example Use Case
Consider a scenario where a company uses enterprise authenticators:
・The administrator assigns a company-provided authenticator to User A.
・Through the YubiOn FIDO Logon management website, the administrator pre-assigns the authenticator to User A.
・User A can only log on using the assigned authenticator; personal authenticators are not permitted.
・The administrator can monitor the usage status of User A’s authenticator via the management site.
Image: Administrator specifying the authenticator for the end user

1. What is YubiOn FIDO Logon?
YubiOn FIDO Logon is a cloud-based solution that enhances PC logon security by enabling two-factor authentication using FIDO (passkeys). Its key features include the ability to apply FIDO authentication—originally designed for web authentication—to PC logon, and centralized management and control by administrators via the cloud. It also supports integration with Active Directory (AD) and Azure AD (Microsoft Entra ID).
Image: Overview of YubiOn FIDO Logon

2. Key Features of YubiOn FIDO Logon
1) Management and Control via Web Console
Administrators can check the status of registered devices and authentication information anytime through the web management console. Any configuration changes are immediately reflected on the devices, enabling real-time management.
Authentication logs can also be viewed on the web, allowing quick situational awareness in case of an incident.
2) Easy Implementation of Strong FIDO (Passkey) Authentication
By installing the software and performing simple initial settings, you can upgrade PC logon to FIDO authentication.
This brings the robust security of FIDO to your PC environment.
3) Supports Various FIDO Authenticators
Compatible with multiple authenticators based on the “FIDO2” specification, allowing flexible choice of authentication methods.
Passwordless authentication tailored to customer needs is available, such as “PIN + authenticator” or “fingerprint + authenticator.”
Additionally, Android and Apple smartphones can be used as authenticators, further expanding authentication options.
Administrators can also restrict usage to company-provided authenticators only.
Since it is possible to identify which user is using which authenticator, asset and inventory management becomes feasible.
3. Use Cases
YubiOn FIDO Logon can be used in various scenarios where security is a concern:
1) In environments using Active Directory (AD) or Azure AD (Microsoft Entra ID)
When you want to introduce two-factor authentication for PC logon without changing AD/Azure AD settings, or when Windows Hello cannot use the desired authenticators due to environmental constraints.
YubiOn FIDO Logon allows a flexible security design without being tied to AD settings.
2) When only specific accounts require two-factor authentication
For example, applying two-factor authentication only to Windows accounts with Administrator privileges.
Fine-grained security settings per account are possible.
3) When you want to reduce password reset inquiries
FIDO Logon enables passwordless login after the initial Windows password entry, reducing password-related inquiries.
4. Product Specifications
1) System Configuration Diagram
Image: YubiOn FIDO Logon Configuration Diagram

2) Operating Environment
CPU: 1 GHz or higher, 32-bit or 64-bit processor
Memory: 2 GB or more
Storage: At least 100 MB of free space
Required Middleware: .NET Framework 4.7.2 or later
3) Supported OS
Client OS: Windows 10, Windows 11
Server OS: Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Note: Support for specific Windows 10 and 11 versions follows Microsoft’s support lifecycle.
4) Main Features
(1) Two-Factor Authentication
Secure PC logon with strong two-factor authentication using FIDO authenticators (FIDO security keys or smartphones).
With FIDO2 authenticators (including passkey authentication via smartphones), passwordless combinations such as “PIN + authenticator” or “fingerprint + authenticator” are available.
(2) FIDO Logon Enforcement
Enforces logon using FIDO authenticators during Windows login.
(3) Screen Lock Function
Automatically locks the screen when the FIDO security key is removed.
(4) Remote Desktop Logon Support
Supports passkey authentication for Windows standard Remote Desktop logon.
(5) Key Registration on Login Screen
Forces key registration to an account at the logon screen.
(6) Offline Logon Function
・Cached Logon: Retains cache from previous authentication for offline logon.
・Expiration Setting: Configure the validity period for cached information.
(7) Remote Lockout Function
Allows administrators to remotely lock out devices via the web management console.
(8) Authentication Failure Lockout
・Locks out the device after a set number of failed logon attempts.
・Auto-Unlock Setting: Automatically unlocks after a specified time.
(9) Group Policy Function
Applies grouped YubiOn FIDO Logon settings to devices.
(10) Log Management
Collects device logs and displays them in the web management console.
(11) Location Information Retrieval
Collects device location data and displays it in logs.
(12) Version Update
Updates client software to the latest version.
(13) Uninstall Restriction
Prevents general users from uninstalling the software.
5. Pricing
・From ¥5,000 per year per account (annual payment)
Note: Company-specific authenticators must be purchased separately. Please contact SoftGiken for details.
6. Service Page
・Please refer to the following page:

