#15: Added a new command-line option, --skip-all-non-security-key-options, to force this program to always choose the Security Key option, even if there are other valid options like an already-paired phone or Windows Hello TPM PIN/biometrics, instead of just skipping the option to enroll a new phone.

Aldaviva · Aldaviva · commit a7b5b27dd705 · 2025-04-19T07:59:49.000-07:00
diff --git a/AuthenticatorChooser/SecurityKeyChooser.cs b/AuthenticatorChooser/SecurityKeyChooser.cs
@@ -8,15 +8,18 @@
 
 namespace AuthenticatorChooser;
 
-public static class SecurityKeyChooser {
+public class SecurityKeyChooser {
 
     // #4: unfortunately, this class name is shared with the UAC prompt, detectable when desktop dimming is disabled
     private const string WINDOW_CLASS_NAME  = "Credential Dialog Xaml Host";
     private const string ALT_TAB_CLASS_NAME = "XamlExplorerHostIslandWindow";
 
     private static readonly Logger LOGGER = LogManager.GetCurrentClassLogger();
 
-    public static void chooseUsbSecurityKey(SystemWindow fidoPrompt) {
+    public bool skipAllNonSecurityKeyOptions { get; init; }
+
+    public void chooseUsbSecurityKey(SystemWindow fidoPrompt) {
+        Stopwatch overallStopwatch = Stopwatch.StartNew();
         try {
             if (!isFidoPromptWindow(fidoPrompt)) {
                 LOGGER.Trace("Window 0x{hwnd:x} is not a Windows Security window", fidoPrompt.HWnd);
@@ -37,6 +40,8 @@ public static void chooseUsbSecurityKey(SystemWindow fidoPrompt) {
                 return;
             }
 
+            LOGGER.Trace("Window 0x{hwnd:x} is a Windows Security window", fidoPrompt.HWnd);
+
             Condition           credentialsListIdCondition    = new PropertyCondition(AutomationElement.AutomationIdProperty, "CredentialsList");
             IEnumerable<string> securityKeyLabelPossibilities = I18N.getStrings(I18N.Key.SECURITY_KEY);
 
@@ -67,16 +72,15 @@ public static void chooseUsbSecurityKey(SystemWindow fidoPrompt) {
             if (Keyboard.IsKeyDown(Key.LeftShift) || Keyboard.IsKeyDown(Key.RightShift)) {
                 nextButton.SetFocus();
                 LOGGER.Info("Shift is pressed, not submitting dialog box");
-                return;
-            } else if (!authenticatorChoices.All(choice => choice == securityKeyChoice || nameContainsAny(choice, I18N.getStrings(I18N.Key.SMARTPHONE)))) {
+            } else if (!skipAllNonSecurityKeyOptions && !authenticatorChoices.All(choice => choice == securityKeyChoice || nameContainsAny(choice, I18N.getStrings(I18N.Key.SMARTPHONE)))) {
                 nextButton.SetFocus();
-                LOGGER.Info("Dialog box has a choice that is neither pairing a new phone nor USB security key (such as an existing phone, PIN, or biometrics), " +
-                    "skipping because the user might want to choose it");
-                return;
+                LOGGER.Info("Dialog box has a choice that is neither pairing a new phone nor USB security key (such as an existing phone, PIN, or biometrics), skipping because the user might want " +
+                    "to choose it. You may override this behavior with --skip-all-non-security-key-options.");
+            } else {
+                ((InvokePattern) nextButton.GetCurrentPattern(InvokePattern.Pattern)).Invoke();
+                overallStopwatch.Stop();
+                LOGGER.Info("Next button pressed after {0:N3} sec", overallStopwatch.Elapsed.TotalSeconds);
             }
-
-            ((InvokePattern) nextButton.GetCurrentPattern(InvokePattern.Pattern)).Invoke();
-            LOGGER.Info("Next button pressed");
         } catch (COMException e) {
             LOGGER.Warn(e, "UI Automation error while selecting security key, skipping this dialog box instance");
         }
diff --git a/AuthenticatorChooser/Startup.cs b/AuthenticatorChooser/Startup.cs
@@ -22,6 +22,9 @@ public class Startup {
 
     private static Logger? logger;
 
+    [Option("--skip-all-non-security-key-options", CommandOptionType.NoValue)]
+    public bool skipAllNonSecurityKeyOptions { get; }
+
     [Option(DefaultHelpOptionConvention.DefaultHelpTemplate, CommandOptionType.NoValue)]
     public bool help { get; }
 
@@ -55,13 +58,14 @@ public int OnExecute() {
                     logger.Info("{name} {version} starting", PROGRAM_NAME, PROGRAM_VERSION);
                     (string name, string marketingVersion, Version version, string arch) os = getOsVersion();
                     logger.Info("Operating system is {name} {marketingVersion} {version} {arch}", os.name, os.marketingVersion, os.version, os.arch);
-                    logger.Info("Locales are {userLocale} (user) and {systemLocale} (system)", I18N.userLocaleName, I18N.systemLocaleName);
+                    logger.Info("Locales are {locales}", string.Join(", ", I18N.LOCALE_NAMES));
 
                     using WindowOpeningListener windowOpeningListener = new WindowOpeningListenerImpl();
-                    windowOpeningListener.windowOpened += (_, window) => SecurityKeyChooser.chooseUsbSecurityKey(window);
+                    SecurityKeyChooser          securityKeyChooser    = new() { skipAllNonSecurityKeyOptions = skipAllNonSecurityKeyOptions };
+                    windowOpeningListener.windowOpened += (_, window) => securityKeyChooser.chooseUsbSecurityKey(window);
 
                     foreach (SystemWindow fidoPromptWindow in SystemWindow.FilterToplevelWindows(SecurityKeyChooser.isFidoPromptWindow)) {
-                        SecurityKeyChooser.chooseUsbSecurityKey(fidoPromptWindow);
+                        securityKeyChooser.chooseUsbSecurityKey(fidoPromptWindow);
                     }
 
                     _ = I18N.getStrings(I18N.Key.SMARTPHONE); // ensure localization is loaded eagerly
@@ -98,6 +102,9 @@ private static void showUsage() {
              {processFilename} --autostart-on-logon
                  Registers this program to start automatically every time the current user logs on to Windows.
                  
+             {processFilename} --skip-all-non-security-key-options
+                 Chooses the Security Key option even if there are other valid options, such as an already-paired phone, or Windows Hello PIN or biometrics. By default, without this option, this program will only choose the Security Key if the sole other option is enrolling a new phone. This is an aggressive behavior, so if it skips an option you need, remember that you can hold Shift when the FIDO prompt appears if you need to choose a different option.
+                 
              {processFilename} --log[=filename]
                  Runs this program in the background like the first example, and logs debug messages to a text file. If you don't specify a filename, it goes to {Path.Combine(Environment.GetEnvironmentVariable("TEMP") ?? "%TEMP%", PROGRAM_NAME + ".log")}.
                
