This is something I wanted to test some time ago, and now, thanks to Feitian, I was able to do it. So let's dig into the details of what passwordless with FIDO2 keys is, how we can configure it in Azure AD, and what advantages it provides to the end user. Let's begin!
But before digging in deeper, let me explain the basics: a security key is a piece of hardware that you connect to your computer or phone to verify your credentials when logging in. Unlike a password, it is safe because a different credential is created for each system it is registered with.
So, what do FIDO2 keys do? As you probably know, logging into a resource requires a username and password, and with MFA it usually requires a username/password combination plus one other authentication factor, like a time-based one-time password. FIDO2, by contrast, is a standards-based method of user authentication that is passwordless, supporting PIN and biometrics in security tokens.
For starters, with FIDO you can:
- Improve security with crypto-secured passwordless authentication
- Remove the helpdesk costs associated with forgotten passwords by replacing them with a simple PIN or fingerprint
- Remove the user-experience annoyances of long passwords to create, remember and reset, so that your workforce can get on with their role simply and seamlessly.
What about the preparation of Azure AD?
For IT, at a high level there are only two tasks to accomplish:
- Enable the new authentication method registration in Azure AD
- Enable FIDO2 as an authentication method
Easy, isn’t it?
What about the registration for end users?
In my case, since the security key is a biometric security key, the first thing I needed to do was register my fingerprint (the manufacturer provides the details). Once that is done, you're ready for the next steps.
In order to register the security token with Azure AD, the user needs to go to https://aka.ms/setupsecurityinfo, where they will see all the authentication methods available to them:
Once the user has selected the security key option, the registration process begins. In my case, I selected USB device and then... I needed to provide a PIN for the security key:
One thing to keep in mind: users have to set up their own PIN to use their key. There is no way to enforce or centrally manage the PIN, so it is likely that some of your users will end up using PINs like 123456.
Once you have registered the key, it will appear in the Security Info panel:
OK, what you're explaining is great, but how is it used?
With the following video, I want to show how the passwordless authentication process in Azure AD works:
As you can see, the login was done without entering any username or password. If you're convinced and want to start deploying FIDO2 keys in your organization, think first about the following points:
- Controls to ensure that the employee has been through sufficient identity checks to create a trusted identity.
The organisation needs policy control over:
- The type of FIDO device used (external USB / Bluetooth)
- The organisation needs to consider the type of user verification required (Fingerprint / NFC)
- The end user needs a simple experience during registration of a FIDO credential
- The organization needs to trust the genuineness of the FIDO device being used for the FIDO credential
- Visibility into who has been assigned which FIDO credentials
- Ability to simply revoke access to all systems accessed by the FIDO Credential
- Ability to manage lost devices / replacement devices / back up devices
- The end user needs a simple experience to authenticate to systems; a usernameless flow helps with this.
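As an added example (not from the original post), the two admin tasks above, plus the policy controls over device type and device genuineness, can be set through the Microsoft Graph authentication methods policy rather than the portal. It assumes the Microsoft.Graph.Authentication PowerShell module and a tenant admin account; the AAGUID is a placeholder to replace with the one your key vendor publishes.

```powershell
# Enable FIDO2 security keys as an authentication method in Azure AD via
# Microsoft Graph, enforcing attestation and an allow-list of key models
# (by AAGUID), so only known-genuine keys can be registered.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

$uri = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2"

$body = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationEnabled = $true   # users register at aka.ms/mysecurityinfo
    isAttestationEnforced            = $true   # reject keys without a valid FIDO attestation
    keyRestrictions = @{
        isEnforced      = $true
        enforcementType = "allow"              # "allow" = allow-list; "block" = block-list
        # PLACEHOLDER AAGUID: replace with the vendor's published AAGUID(s)
        aaGuids         = @("00000000-0000-0000-0000-000000000000")
    }
    includeTargets = @(
        @{
            targetType = "group"
            id         = "all_users"           # or a group object id to pilot with a subset
        }
    )
}

# Apply the configuration.
Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body

# Read it back to confirm state, attestation enforcement and the AAGUID list.
$policy = Invoke-MgGraphRequest -Method GET -Uri $uri
"State: $($policy.state)"
"Attestation enforced: $($policy.isAttestationEnforced)"
"Allowed AAGUIDs: $($policy.keyRestrictions.aaGuids -join ', ')"
```

Scoping includeTargets to a pilot group first lets you validate the key models and the user registration flow before opening it to all users.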
As you can see, FIDO2 keys are great, and even better, they not only work with Azure AD but can also be used to authenticate with other services like Twitter, Instagram, etc.
Register your key at https://aka.ms/mysecurityinfo
If you are a Microsoft 365 admin, use an interactive guide at https://aka.ms/passwordlesswizard