How to remove WebAuthN credentials from onboard-TPM on Win10 device?

Question

Latest builds of Windows 10 allow browsers (at least Edge and Chrome) to use on-board TPM device for WebAuthN passwordless authentication.

It does work for me and on test sandbox sites - I can generate private-public key pairs, store private key in TPM and send public key to server for futher authentication.

The issue is that I cannot find a way to clear the saved keys. I haven't tried erasing the whole TPM yet since I don't want to mess with BitLocker.

The question is how can I clear WebAuthN credentials (keys) stored in platform TPM running on Windows 10.

Is it even possible?

Try: (1) In Microsoft Edge > click the ellipsis > select Settings > Passwords & autofill > Manage passwords button > hover over password > click the X button. (2) Control panel > User Accounts > Manage your credentials > Web Credentials > down arrow > Remove. Windows Credentials might also be worth a look. — harrymc, Feb 26 '20 at 07:12
@bedrin Am I correct in assuming that you cleared these credentials by clearing TPM? My device doesn’t have a TPM and I’m not sure where else to look into. — ȷ̇c, May 29 '20 at 12:53

score 11 · Accepted Answer · answered Jun 20 '20 at 14:00

11

The Microsoft command line tool certutil can be used to view and delete these WebAuthN keys.

Disclaimer: it's very easy to delete the wrong key, so make sure that you are happy to accept the risk that you might delete the wrong key; there is no undo.

To view your WebAuthN keys, from a command prompt, run:

certutil -csp NGC -key

WebAuthN keys have names that look like <sid>/<guid>/FIDO_AUTHENTICATOR//<rpIdHash>_<user id>

You need to identify the key that you want to delete, and then to delete a WebAuthN key, from an administrator command prompt, run:

certutil -csp NGC -delkey <name>

answered Jun 20 '20 at 14:00

papaya

126
1
2
4

By the way, you can view the keys in the TPM with the `certutil` command too, from an administrator command prompt, run: `certutil -csp TPM -user -sid 23 -key` and then after running the `-delkey` mentioned in the post, you will notice that there is 1 fewer key in the TPM, confirming its removal. – papaya Jun 20 '20 at 14:05
When I do `-delkey` it responds that I need administrative privileges. When I run it as admin it does not find the user keys. Is there a way to achieve it as a normal user? – BenjaminH Nov 30 '20 at 08:24
@papaya your command doesn't yield results, most likely because of `-sid 23`, that's probably e.g a specific user ID on your machine – gilad905 Feb 25 '21 at 12:00
1

I made a small app that makes this easier: https://github.com/passwordless/webauthn-fido2-key-remover – Anders May 19 '21 at 08:13
@BenjaminH, pass `-sid 22` when you run the command as admin. 22 is "Local System". – tehnicaorg Nov 08 '22 at 07:36

score 4 · Answer 2 · answered May 19 '21 at 08:12

Windows don't have a UI for this which is very irritating when you work with Webauthn.

So I built a small tool that helps with this, it's on github: https://github.com/passwordless/webauthn-fido2-key-remover.

It's using certutil under the hoods but makes it a bit safer and easier to operate.

ȷ̇c · Answer 3 · 2020-05-30T12:35:20.207

I recorded the authentication process with Process Monitor and discovered several operations on several files in %SystemRoot%\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc that looked suspicious. A bit of googling suggests that is indeed where Windows Hello credentials are stored.

There are answers (e.g., this one on this site) that suggest you can simply delete this directory’s content to remove all your Windows Hello credentials.

I tried renaming this folder (as SYSTEM by using PsExec), and while it did remove my WebAuthn credentials, it also left me unable to create a new PIN in the “Sign-in options” UI. I’m not sure if rebooting will help.

Edit: After several reboots I got a prompt saying there was something wrong with my Microsoft account. (I use a local account, but am signed into a Microsoft account.) After I signed in again, NGC was restored to the initial state and working properly again.

score 1 · Answer 4 · answered Feb 28 '20 at 10:31

TPM, like most certificate repositories, does not seem to support the delete operation.

I base this observation on the Microsoft article TrustedPlatformModule, describing itself as:

This reference provides cmdlet descriptions and syntax for all TPM cmdlets.

The list does not include any PowerShell cmdlet for deleting certificates.

You could try to create a revocation certificate and import it into the TPM, which might nullify the existing certificate. If it works, this will not delete it, just add a revocation record (that is if TPM works like any other certificate repository).

The only option I could find to delete anything is by clearing totally the TPM. As you are using BitLocker, see the post Will clearing the TPM make BitLocker encrypted data unavailable?

Quoting from the post:

If you clear the TPM, the encrypted drive will only be accessible using the recovery key.

So in your case it should be ok to clear the TPM chip. Afterwards, reboot and enter the recovery key. Once inside Windows, you can re-enable the TPM chip and set a new PIN.

I would suggest, just in case, to backup the BitLocked disk (and perhaps even disabling BitLocker) before such operations.

JWally · Answer 5 · 2023-01-04T18:56:47.123

This is a quick and dirty Node.js script to help anyone using windows quickly and easily remove ALL FIDO CERTS.

Its extremely rough, and could use error-handling / logging. Modify to suit your own needs.

PROCEED WITH CAUTION!:

const util = require('node:util');
const exec = util.promisify(require('node:child_process').exec);

async function NUKE_ALL_CERTS() {
  const { stdout, stderr } = await exec('certutil -csp NGC -key');
  let output = stdout.split("\r\n")
  .filter((element) => {
    return /FIDO_AUTHENTICATOR/.test(element);
  })
  .map((element) => {
    return `certutil -csp NGC -delkey ${element}`;
  });

  await Promise.all(output.map((element) => {return exec(element)}));

  console.log(output);

}
NUKE_ALL_CERTS();

As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). — Community, Jan 04 '23 at 18:51

How to remove WebAuthN credentials from onboard-TPM on Win10 device?

5 Answers5

Linked