There are various ways you can change the default browser and similar defaults on Windows, but oneof the ways many third-party tools do this is by editing the relevant registry strings. It turns out that Microsoft is not particularly happy with this, as they’ve recently introduced a new driver specifically designed to prevent this from happening, by blocking tools like regedit or PowerShell from editing a number of registry keys for setting default applications. The driver was discovered by Christoph Kolbicz.

Microsoft implemented a driver based protection to block changes to http/https and .pdf associations by 3rd party utilities. The rollout was staggered and activated “randomly”, but in the meantime I got many reports – also from business or education environments (but not Server OS).

Microsoft also updated the driver during my tests (from 2.0 to 2.1) and extended the deny list of executables. This means, they can change the behavior almost on the fly and add new tricks or block additional extensions/protocols!

↫ Christoph Kolbicz

Digging further into what, exactly, this driver can do, Microsoft also made it so that even if you disable the driver, an additional scheduled task will run to re-enable the driver and revert the registry changes. It also seems this is somehow related to the changes Microsoft has to make to comply with the EU’s DMA, but the driver is also installed on systems outside of the EU, so it’s all a bit unclear at the moment.

One of the things I’ve always wanted to experiment with on my computers is logging in and authenticating things like sudo requests with a hardware tool – a fingerprint reader, a smart card, or a USB hardware security device like a YubiKey. There’s really no solid reason for me to want this other than that it just feels cool and futuristic to me (yes, even in this, the year of our lord 2024). I have no state secrets, no secret Swiss bank accounts, no whistleblower material to protect, and my computers rarely leave the house – I just want it because it’s possible and cooler than typing in my password.

Due to the flexibility and feature set of the YubiKey, I think it’s the best choice to go for. A no-name USB fingerprint reader would probably be ugly, cumbersome to position, and Linux support would be difficult to determine. A USB smart card reader would bring the same issues as the fingerprint reader, and combined with a smart card it seems like it’s just a Yubikey with extra steps. I do have to admit the idea of sliding a smart card in a slot and have it authorise you sounds really, really satisfying.

Anyway, YubiKeys come in all shapes and sizes, but I want one of the USB-A ones with a fingerprint reader built-in, since I can plug it in at the bottom of my monitor, perfectly positioned to put my thumb on it to authenticate. This way, it’s easily accessible to be used to log into my desktop session, authorise sudo requests when I’m configuring things, log into websites with Firefox, and so on.

But there’s a problem: setting up a YubiKey on Linux seems like it’s a huge ordeal.

Just look a the official instructions on the YubiKey website, or the instructions on the Fedora website, my distribution of choice. That’s absolutely insane, and nobody should be expected to understand any of this nonsense to use what is being marketed as a consumer product. It’s important to note that this is not a hardware, software, or driver issue – all the necessary support is there, and Linux can make full use of the functionality tools like the YubiKey offers. The problem is that you’re expected to set this up manually, package by package, configuration file by configuration file, PAM module by PAM module.

When I first looked into getting a YubiKey, I expected biometric and advanced authentication tools like these to be fully integrated into modern Linux distributions and desktop environments. I figured that once you plugged one of these tools into your PC, additional options would become available in GNOME’s or KDE’s user account settings, but apparently, this isn’t the case. This means that even if you manually set everything up using the official arcane incantations, your graphical user interface won’t be aware of any of that, and changing anything will mean you have to go through those official arcane incantations again.

This is entirely unacceptable. The moment you plug in an an advanced hardware security tool like a YubiKey, GNOME and KDE should recognise it, and the settings, tools, and setup ‘wizards’ relevant to it should become available. All the hardware and software support is there – and in 2024, biometric and advanced security devices like these should not be so complicated and unforgiving to set up. Smart cards and fingerprint readers have been supported by Linux for literally decades. Why isn’t this easier?

For now, I’m still in doubt about going through with buying a YubiKey. I definitely have the skills to go through with this whole insane setup process, but I really shouldn’t have to.