-
-
Notifications
You must be signed in to change notification settings - Fork 10
Command‐line arguments
When run without any arguments, this program listens for Windows Security dialog boxes and automatically chooses the Security Key option when it appears, as long as the only other option is pairing a new phone.
To use these arguments, append them to the program filename when starting AuthenticatorChooser, such as in a command prompt, shortcut file, or the autostart registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, based on how you run it. For example, depending on your installation directory, you could run
"C:\Program Files\AuthenticatorChooser\AuthenticatorChooser.exe" --skip-all-non-security-key-optionsRegisters AuthenticatorChooser as a startup program in your Windows user account. This will make Windows start this program whenever you log in. When running this program with this argument, it will also leave it running normally in the background, so you don't need to run it a second time without this argument. You only need to run with this argument once, because after that it will still be registered as a startup program from the first time this argument was used.
- < 0.5.0: Startup registration uses the
HKCU\Software\Microsoft\Windows\CurrentVersion\Runregistry key. - ≥ 0.5.0: Startup registration uses a Scheduled Task to run AuthenticatorChooser as your user with highest privileges when you log in. This strategy is necessitated by the Windows 11 January 2026 update blocking processes with medium integrity level (not elevated, the same as those started by the
Runkey above) from interacting with the UI of the FIDO dialog programCredentialUIBroker.exe.
When Windows prompts you for the FIDO PIN for your USB security key, automatically submit the dialog once you have typed a PIN that is $num characters long (minimum 4), instead of you having to manually press Enter. For example, if your PIN is 5 characters long, you can pass --autosubmit-pin-length=5, which will automatically hit Enter after you type the 5th character of the PIN. Remember that enough consecutive incorrect submissions (8 on YubiKeys) will permanently block the security key until you reset it and lose all its FIDO credentials, so type with care because this program doesn't record what PIN characters you typed, let alone try to determine their uniqueness or correctness, and it submits them solely based on length. This will neither autosubmit PINs when registering a new FIDO credential, changing your PIN, nor entering a Windows Hello PIN (which Windows autosubmits without this program's help). This argument is optional, and enabling it does not disable the default security key choosing logic of this program.
Show usage information in a dialog box.
Enable debug message logging to a text file on disk. If you pass a $filename, you can specify the path of the file (absolute or relative to the process working directory) where logs should be written, such as --log="AuthenticatorChooser.log" or --log="%USERPROFILE%\Desktop\AuthenticatorChooser.log". If you don't pass a $filename, as in --log, then the log file will be saved to %TEMP%\AuthenticatorChooser.log. If you don't pass this argument at all, the log file will not be created or written to.
By default, this program skips the "iPhone, iPad, or Android device" option and chooses "Security key" only if it is the sole other choice. This means it will not skip other options like existing paired phones, fingerprints, PINs, or facial recognition. This argument lets you skip these additional options as well, if you're someone who absolutely, positively always wants to use a USB security key without exception. Remember that holding Shift while a Windows Security dialog box appears will temporarily disable AuthenticatorChooser from interacting with it, in case you need to pick another option manually.