Program that runs in the background to automatically skip the Windows "Sign in with your passkey" phone prompt and go straight to the USB security key option.
Windows can display a Windows Security credential prompt when requested by a program, such as a browser with WebAuthn. This allows you to authenticate using a FIDO authenticator, such as a USB security key or a passkey in your computer's TPM protected by a Windows Hello PIN or biometrics, like a fingerprint.
In Windows 10 and 11 prior to 22H2 Moment 4 (September 2023), if the TPM contains the private key needed to authenticate to the relying party (like a website), Windows will prioritize prompting for the user's challenge (like a PIN or fingerprint) for this TPM authenticator first. Windows will still provide an option to choose a different authenticator (like a USB security key) with an additional click. Otherwise, if the TPM does not contain the required secret, Windows will immediately prompt you to insert a USB security key.
In Windows 11 22H2 Moment 4 (September 2023) and later (including 23H2), this behavior changed to include the ability to pair with Android and iOS devices over Bluetooth to use their passkeys, which somewhat ameliorates the problem of passkeys not being portable outside their TPM. The behavior is unchanged if the Windows TPM contains the passkey. However, if the local TPM does not contain the passkey, an additional "Sign in with your passkey" step was added before you can use your USB security key.
Now it says "To sign in to *domain*, choose a device with a saved passkey," and you have to choose whether you want to use an "iPhone, iPad, or Android device" or a "Security key," and smartphone is the default choice. Choosing the USB security key requires two additional clicks or four additional keystrokes. It is impossible to opt out of this new prompt, even if you turn off Bluetooth, don't have an Android or iOS device, or never want to use it for FIDO authentication on your Windows computer. Windows does not remember the most recently used choice, either. You could disable your Bluetooth device in Device Manager, but this will also prevent you from using any other Bluetooth peripherals with your computer, such as Bluetooth mice, keyboards, headphones, speakers, and proximity location trackers.
The same problem occurs in browsers based upon Chromium on earlier versions of Windows, such as Windows 10. Chromium offers its own Bluetooth FIDO CTAP as a fallback option when Windows does not provide it natively, and all of the same annoyances manifest here.
This is a background program that runs headlessly in your Windows user session. It waits for Windows or Chromium FIDO credential provider prompts to appear, then chooses the Security Key option and clicks Next for you automatically. From the user's perspective, the Bluetooth screen barely even appears before it's replaced with the prompt to plug in your USB security key.
Internally, this program uses Microsoft UI Automation to read and interact with the dialog boxes.
By default, this program does not interfere with local TPM passkey prompts (like requesting your Windows Hello PIN or biometrics). It also does not automatically submit FIDO prompts that contain additional options besides a USB security key and pairing a new Bluetooth smartphone, such as the cases when you already have a paired phone, or you previously declined a Windows Hello factor like a PIN but want to try a PIN again from the authenticator choice dialog. However, you may override this behavior if you wish and force it to always choose the USB security key in all cases, even if there are other valid options like Windows Hello PIN/biometrics, by passing the command-line argument `--skip-all-non-security-key-options` when starting this program (see Installation for the recommended autostart registry paths if you want to change it there).
If a paired phone option appears in the dialog box and you want to remove it, you can edit the registry to unpair an existing phone. This is useful if your old phone bricked itself, or you just upgraded to a new phone.
If this program skips the authenticator choice dialog when you don't want it to, for example, if you want to use a smartphone Bluetooth passkey only once or infrequently, you can hold Shift when the dialogs appear to temporarily suppress this program from automatically submitting the security key choice once.
Even if this program doesn't click the Next button (because an extra choice was present, or you were holding Shift), it will still highlight the Security Key option and focus the Next button for you, so you can just press Enter or Space to choose the Security Key anyway.
- Windows 10 or later
    - Windows Hello Bluetooth FIDO prompts only appear in Windows 11 22H2 Moment 4 (2023-09-26), Windows 11 23H2, and later.
        - Tested with Windows 11 23H2 and 24H2
    - Chromium Bluetooth FIDO prompts only appear in Chromium-based browsers on earlier OS versions, such as Windows 10 and Windows 11 21H2.
        - Tested with Vivaldi on Windows 10 22H2
- .NET Desktop Runtime 8 or later
    - This program is compatible with x64 and ARM64 CPU architectures and .NET runtimes.
1. Download the latest release ZIP archive for your CPU architecture.
2. Extract the `AuthenticatorChooser.exe` file from the ZIP archive to a directory of your choice, like `C:\Program Files\AuthenticatorChooser\`.
3. Run the program by double-clicking `AuthenticatorChooser.exe`.
    - Nothing will appear because it's a background program with no UI, but you can tell it's running by searching for `AuthenticatorChooser` in Task Manager.
4. Register the program to run automatically on user logon with any one of the following techniques. Be sure to change the example path below if you chose a different installation directory in step 2. If you'd like to specify additional command-line arguments like `--skip-all-non-security-key-options`, you can do that here too.
    - Run this program once with the `--autostart-on-logon` argument.
        ```
        .\AuthenticatorChooser --autostart-on-logon
        ```
    - Add a shortcut to `AuthenticatorChooser.exe` in the Startup folder (`%APPDATA%\Microsoft\Windows\Start Menu\Startup\`).
    - Import a `.reg` file:
        ```
        Windows Registry Editor Version 5.00

        [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
        "AuthenticatorChooser"="\"C:\\Program Files\\AuthenticatorChooser\\AuthenticatorChooser.exe\""
        ```
    - Run a Command Prompt command:
        ```
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AuthenticatorChooser /d """C:\Program Files\AuthenticatorChooser\AuthenticatorChooser.exe"""
        ```
    - Run a PowerShell cmdlet:
        ```
        Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name AuthenticatorChooser -Value """C:\Program Files\AuthenticatorChooser\AuthenticatorChooser.exe"""
        ```
    - Use `regedit.exe` interactively to go to the `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run` key, and then add a new String value with the Name `AuthenticatorChooser` and the Value `"C:\Program Files\AuthenticatorChooser\AuthenticatorChooser.exe"`.
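Every autostart technique above ends up as one string value under the per-user `Run` key, and because the installation path contains a space, that string must carry the executable path in quotes. The following added C# (not the project's implementation of `--autostart-on-logon`; `AutostartRegistration`, `Register` and `Verify` are names chosen here) shows one way a program can register itself that way using `Microsoft.Win32.Registry`, forward any extra arguments, and then read the entry back to confirm it points at a file that actually exists.

```csharp
// Added example, not the project's own code. Writes and verifies the HKCU Run entry
// described in the installation steps; assumes it runs as the user being configured.
using System;
using System.IO;
using Microsoft.Win32;

static class AutostartRegistration
{
    const string RunKeyPath = @"Software\Microsoft\Windows\CurrentVersion\Run";
    const string ValueName  = "AuthenticatorChooser";

    // Quote the path: "C:\Program Files\..." contains a space, and an unquoted
    // Run value would be split at that space when Explorer launches it.
    static string BuildCommand(string exePath, string[] extraArgs) =>
        $"\"{exePath}\"" + (extraArgs.Length > 0 ? " " + string.Join(" ", extraArgs) : "");

    public static void Register(string[] extraArgs)
    {
        string exe = Environment.ProcessPath
            ?? throw new InvalidOperationException("cannot determine own executable path");
        using RegistryKey run = Registry.CurrentUser.CreateSubKey(RunKeyPath, writable: true)!;
        run.SetValue(ValueName, BuildCommand(exe, extraArgs), RegistryValueKind.String);
    }

    // Returns the registered command line, or null if none; throws if the
    // quoted executable it names is missing, which is the usual sign of a stale entry.
    public static string? Verify()
    {
        using RegistryKey? run = Registry.CurrentUser.OpenSubKey(RunKeyPath);
        string? cmd = run?.GetValue(ValueName) as string;
        if (cmd is null) return null;

        int close = cmd.IndexOf('"', 1);
        string path = cmd.StartsWith('"') && close > 0 ? cmd[1..close] : cmd.Split(' ')[0];
        if (!File.Exists(path))
            throw new FileNotFoundException("autostart entry points at a missing file", path);
        return cmd;
    }

    static void Main(string[] args)
    {
        // e.g. AutostartRegistration --autostart-on-logon --skip-all-non-security-key-options
        if (args.Length > 0 && args[0] == "--autostart-on-logon")
            Register(args[1..]);

        Console.WriteLine(Verify() ?? "(not registered)");
    }
}
```

`Verify` is the part worth keeping around even if you register by hand with `reg add` or `regedit.exe`: the Run key is a user-writable autostart location, so being able to print exactly what it will launch, and confirming the path resolves to the binary you extracted in step 2, is a cheap sanity check after installation or an upgrade.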
If you want to build this application yourself instead of downloading precompiled binaries from the releases page, you can follow these steps.

1. Install the latest stable .NET SDK (8 or later).
2. Clone this repository.
    ```
    git clone "https://github.com/Aldaviva/AuthenticatorChooser.git"
    ```
3. Go to the project directory.
    ```
    cd .\AuthenticatorChooser\AuthenticatorChooser\
    ```
4. Build the program.
    ```
    dotnet publish -p:PublishSingleFile=true
    ```

The program will be compiled to the following path, assuming your CPU architecture is x64.

```
.\bin\Release\net8.0-windows\win-x64\publish\AuthenticatorChooser.exe
```

To test with a sample FIDO authentication prompt, visit WebAuthn.io and click the Authenticate button.