Delete Fido2 keys on Windows Hello for different account


I’ve recently been working on a project involving FIDO2. While working on it, I generated several FIDO2 keys in Windows Hello on my laptop (OS: Windows 10 Enterprise 22H2) using a non-admin account, and I now have about 40. I’ve been looking for a way to delete them. The only way is apparently to run these commands from an elevated PowerShell:

certutil -csp NGC -key             # list the key containers held by the NGC provider
certutil -csp NGC -delkey <name>   # delete one container by its full name

The problem with this is that the archive that contains the keys is user-specific, so when I use an elevated PowerShell I don’t see the keys for my non-admin account. I only see them from my non-admin account (in a non-elevated PowerShell), but I can’t delete them from that account :).

I've been looking at this GitHub repo, which provides a simpler interface over that same certutil command. The problem is the same: https://github.com/passwordless/webauthn-fido2-key-remover

I’m not sure how to get around this problem. Any ideas would be appreciated.

Update 5 Dec 22: Thanks to the comments, I learnt that there is an API for managing FIDO2 keys in Windows, but it's available only on Windows 11, starting from version 22H2. Google Chrome uses it to manage FIDO2 keys from the browser dev tools. This wasn't applicable for me, though.


3 Answers

Accepted answer

The solution I found was to ask for my non-admin account to be added to the Administrators group temporarily, just so I could run

certutil -csp NGC -delkey

from my account with admin privileges. This allowed me to delete the FIDO2 keys. I hope the FIDO key management API is made available for Windows 10 too.

Answer

If you're on Windows 11 22H2 (the fall release), you can use Chrome 109 (chrome://settings/passkeys) to delete individual passkeys.


Answer

I was able to delete my local keys from an elevated prompt if I passed the option -sid 22.

> certutil -csp NGC -delkey -sid 22 "S-1-5-21-2198355965-3069668908-1776980537-1002/eb1fd08f-4e43-4ac3-89a3-dafa7cbd8d72/FIDO_AUTHENTICATOR//49960de5880e8c687434170f6476605b8fe4aeb9a28632c7995cf3ba831d9763_3ccd8256884a69b994ae569185dde0ecd7f3b043897ead56839e9877537a9cd4"
  S-1-5-21-2198355965-3069668908-1776980537-1002/eb1fd08f-4e43-4ac3-89a3-dafa7cbd8d72/FIDO_AUTHENTICATOR//49960de5880e8c687434170f6476605b8fe4aeb9a28632c7995cf3ba831d9763_3ccd8256884a69b994ae569185dde0ecd7f3b043897ead56839e9877537a9cd4
CertUtil: -delkey command completed successfully.

Extra info:

  • -sid values:
      -sid WELL_KNOWN_SID_TYPE  -- Numeric SID
                22 -- Local System
                23 -- Local Service
                24 -- Network Service
  • If I don't use -sid 22 I get the following error:
      CertUtil: -delkey command FAILED: 0x80090027 (-2146893785 NTE_INVALID_PARAMETER)
      CertUtil: The parameter is incorrect.
  • If I use my regular (non-admin) account I get this error:
      Administrator permissions are needed to use the selected options.  Use an administrator command prompt to complete these tasks.
      CertUtil: The requested operation requires elevation.
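The question lists keys with `certutil -csp NGC -key` and deletes them one name at a time, and the answer above shows that `-delkey -sid 22` is what makes the delete succeed from an elevated prompt. The script below is an added example that ties the two together; it is not code from the question, any answer, or the linked repo. It assumes (unconfirmed by this page) that `certutil -key` also accepts `-sid 22` and then lists the containers for every user, that each container name is printed on its own line, and that the name begins with the owning user's SID, as it does in the answer's output. The script name `Remove-NgcFido2Keys.ps1` and the `-UserSid` parameter are hypothetical.

```powershell
# Remove-NgcFido2Keys.ps1 (hypothetical name): added example, not from the
# original question or answers. Deletes the FIDO2 key containers that the
# Windows Hello NGC key storage provider holds for one user, using the
# "certutil -csp NGC -delkey -sid 22 <name>" form reported to work above.
# Assumptions (not stated on the page): "certutil -key" accepts -sid 22 and
# prints one container name per line; names start with the owner's SID.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # SID whose keys should be removed. Defaults to the account running the
    # script; pass the non-admin user's SID explicitly when you are deleting
    # from a different, elevated account.
    [string]$UserSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
)

# certutil refuses -delkey on the NGC provider without elevation (see the
# "requires elevation" error quoted in the answer), so fail early.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell; certutil -delkey needs administrator rights.'
}

# -sid 22 = Local System, the profile under which the NGC provider stores
# Windows Hello keys (see the -sid table in the answer above).
$listing = & certutil.exe -csp NGC -key -sid 22 2>&1
if ($LASTEXITCODE -ne 0) {
    throw "certutil -key failed (exit $LASTEXITCODE): $listing"
}

# Keep only this user's FIDO2 containers. Filtering on the SID prefix keeps
# the script from touching other accounts' keys, which the same elevated
# listing would also expose; the FIDO_AUTHENTICATOR segment excludes the
# non-FIDO Hello keys (PIN, certificate) that share the provider.
$targets = @($listing |
    ForEach-Object { $_.ToString().Trim() } |
    Where-Object { $_ -like "$UserSid/*" -and $_ -match 'FIDO_AUTHENTICATOR' } |
    Sort-Object -Unique)

Write-Host "Found $($targets.Count) FIDO2 key container(s) for $UserSid"

foreach ($name in $targets) {
    # ShouldProcess honours -WhatIf and -Confirm: deleting a container
    # permanently revokes that passkey on this machine.
    if ($PSCmdlet.ShouldProcess($name, 'certutil -csp NGC -delkey -sid 22')) {
        $out = & certutil.exe -csp NGC -delkey -sid 22 $name 2>&1
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Delete failed for $name : $out"
        } else {
            Write-Host "Deleted $name"
        }
    }
}
```

Run it first as `.\Remove-NgcFido2Keys.ps1 -WhatIf` to see the container names that would be removed, then without `-WhatIf` to delete them. Removing the private key only makes the credential unusable locally; the relying party still holds the matching public key and will keep listing the passkey until you unregister it there as well.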