Tags: powershell, fido, windows-hello

Delete Fido2 keys on Windows Hello for different account


I’ve recently been working on a project involving FIDO2. While working on this project, I generated several FIDO2 keys on Windows Hello on my laptop (OS: Windows 10 Enterprise 22H2) using a non-admin account. I now have about 40. I’ve been looking for a way to delete them. The only way is apparently running these commands from an elevated PowerShell:

    certutil -csp NGC -key
    certutil -csp NGC -delkey <name>

The problem with this is that the archive that contains the keys is user-specific, so when I use an elevated PowerShell, I don’t see the keys for my non-admin account. I only see them using my non-admin account (from a non-elevated PowerShell), but I can’t delete them from that account :).

I've been looking at this GitHub repo, which gives a simpler interface over that same certutil command. The problem is the same. https://github.com/passwordless/webauthn-fido2-key-remover

I’m not sure how to get around this problem. Any ideas would be appreciated.

Update 5 Dec 22: Thanks to the comments, I learnt that there is an API for managing Fido2 keys in Windows, but it's available only for Windows 11, starting from version 22H2. Google Chrome uses this to manage Fido2 keys from the browser dev tools. This wasn't applicable for me though.


Solution

  • The solution I found was to ask for my non-admin account to be added to the Administrators group temporarily, just so I could run

    certutil -csp NGC -delkey
    

    from my account with admin privileges. This allowed me to delete the Fido2 keys. I hope the Fido key management API is made available for Windows 10 too.
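The approach above (run certutil as the key-owning account, elevated) as an added PowerShell example; this is not code from the question or from the linked repository. It assumes that `certutil -csp NGC -key` prints one key name per line and that the caller supplies a regex (`-NamePattern`) that picks out the test keys; the elevation check and the parsing are this example's own, not documented certutil behaviour.

```powershell
# Added example: delete NGC (Windows Hello) keys visible to the CURRENT user.
# Assumption: key names appear one per line in "certutil -csp NGC -key" output
# and can be selected with the regex passed in -NamePattern.
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [Parameter(Mandatory = $true)]
    [string]$NamePattern   # e.g. the RP ID of the test site the keys belong to
)

# The NGC store is per-user: this must run AS the account that created the
# keys, with that same account elevated (a different admin account sees
# a different store, which is exactly the problem described above).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run from an elevated PowerShell for user '$($identity.Name)' (the account that owns the keys)."
}

# Enumerate the keys in the NGC container.
$listing = certutil -csp NGC -key 2>&1
if ($LASTEXITCODE -ne 0) { throw "certutil -key failed:`n$($listing -join "`n")" }

# Select key names matching the pattern, skipping certutil's status lines.
$targets = foreach ($line in $listing) {
    $t = $line.ToString().Trim()
    if ($t -match $NamePattern -and $t -notmatch '^CertUtil:') { $t }
}

if (-not $targets) {
    Write-Host "No NGC keys matching '$NamePattern' for $($identity.Name)."
    return
}
Write-Host "$(@($targets).Count) key(s) match:"
$targets | ForEach-Object { Write-Host "  $_" }

foreach ($key in $targets) {
    # -WhatIf previews the deletions; otherwise each one is confirmed (ConfirmImpact=High).
    if ($PSCmdlet.ShouldProcess($key, 'certutil -csp NGC -delkey')) {
        $out = certutil -csp NGC -delkey $key 2>&1
        if ($LASTEXITCODE -ne 0) { Write-Warning "Failed to delete '$key': $($out -join ' ')" }
        else { Write-Host "Deleted $key" }
    }
}
```

Run it first with `-WhatIf` to confirm the pattern matches only the test keys before anything is removed; remove the temporary Administrators membership again afterwards.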