FIDO2

A while back I requested a sample kit of the FIDO2 keys from yubico. These keys lets you utilize the passwordless features. Still in public preview, employees can use external security keys to sign in to their Azure Active Directory Joined Windows 10 machines (running version 1809 or higher) and get single-sign on to their cloud resources.

FIDO2 security keys are an unphishable standards-based passwordless authentication method that can come in any form factor. Fast Identity Online (FIDO) is an open standard for passwordless authentication.

While there are many keys that are FIDO2 certified by the FIDO Alliance, Microsoft requires some optional extensions of the FIDO2 CTAP specification to be implemented by the vendor to ensure maximum security and the best experience.

A security key MUST implement the following features and extensions from the FIDO2 CTAP protocol to be Microsoft-compatible:

# Feature / Extension trust Why is this feature or extension required?
1 Resident key This feature enables the security key to be portable, where your credential is stored on the security key.
2 Client pin This feature enables you to protect your credentials with a second factor and applies to security keys that do not have a user interface.
3 hmac-secret This extension ensures you can sign in to your device when it’s off-line or in airplane mode.
4 Multiple accounts per RP This feature ensures you can use the same security key across multiple services like Microsoft Account and Azure Active Directory.

Now an important factor in the user experience here is the Client Pin. Users will have to enter a pin, next to using the FIDO2 key to login to Microsoft services. Other services like Facebook, only require you to load the key onto the FIDO2 key and you are good to go.

Requirements

So basically there are some requirements to get started. They have been outlined below. Please note that the latest versions of Google Chrome and Fire Fox should be working as well (For example with Facebook). However I haven’t gotten it to work with the Microsoft services just yet.

The requirements are the following:

                • Azure Multi-Factor Authentication

                • Combined registration preview with users enabled for SSPR

                • FIDO2 security key preview requires compatible FIDO2 security keys

                • WebAuthN requires Microsoft Edge on Windows 10 version 1809 or higher

                • FIDO2 based Windows sign in requires Azure AD joined Windows 10 version 1809 or higher

Once you have the requirements outlined and have fulfilled them you are ready to go.

Intune enrollment & profile

You will need to complete the following steps to be able to use your FIDO2 keys to login to you windows 10 Device.

In my lab, I have several test devices at my disposal. For this guide, I have/will be using intune for enrolling my devices. Now I won’t go into detail on how to actually enroll devices. However if you want to start using FIDO2 keys, there are some settings that you should prepare in order for FIDO2 keys to work. In addition if you are using auto-pilot to enroll/setup your devices, you should also make sure your clients are getting these settings.

Open up your Intune dashboard in the Azure Portal.

Next in the menu, select Windows enrollment

Now select Windows Hello for Business in the right part of the screen.

Now you will see two settings in the bottom of the screen.

In this guide, I have used the following settings:

  • Configure Windows Hello for Business: Not Configured
  • Use security keys for sign-in: Enabled

Next we are going to create a configuration profile to enable the credential provider.

Go to the intune dashboard and click device configurations – profile.

Now click on create profile.

Enter a name and description.

At the platform option select Windows 10 and later.

Select Profile type custom.

In the settings option, click add to add OMA-URI settings.

Use the following Custom OMA-URI Settings:

  • Name: Turn on FIDO Security Keys for Windows Sign-In
  • OMA-URI: ./Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin
  • Data Type: Integer
  • Value: 1

Now save all your settings and you can close this window. Don’t forget to assign these profiles. You can do this based on users, devices or groups.

*Please note that you can also add the credential providers via a provisioning package. However I haven’t tested this option yet. You should be able to use the Windows Configuration Desginer tool, available in the Microsoft store.

Enable preview features

Next we need to enable the preview features in Azure Active Directory.

Open up your azure portal and head over to Azure Active Directory. In here select user settings.

In there, you can see the option User feature previews. Click on Manager user feature preview settings.

In here enable the feature: Users can use preview features for registering and managing security info – enhanced and put it on all.

Now save your settings.

Next select authentication methods in azure active directory.

In here you can see the FIDO2 Methods defined.

Change it to enabled, as it is disabled by default.

Also, you can define to which users this option becomes available. In this case I leave it for all users on by default.

(Optional) Enable Conditional Access for Combined registration

You can now enable Conditional Access to control on when and how users register for MFA and self-service passwords resets. This functionality can then be used to make sure that users register from a central location such as a trusted network.

Open up your conditional access pane in the Azure Portal.

In here create a new policy.

Give this policy a name.

Next scope it to the users you want to apply this setting on. In addition, I would always recommend first testing this setting on a selected group of users. That way you can safely test in a controlled environment.

Next go to the Cloud apps or actions option and enable the register security information preview setting.

 Head over to the conditions option and select location. In here include any location.

Next go to the exclusions and add your trusted locations.

*Please mind, that I selected all trusted locations. This will automatically add all trusted locations I have defined in my tenant. If you want a more controlled environment, you should select only a specific location.

Head over to the Grant options and select block.

Now enable the policy, and you are good to go.

End-user setup

Now basically we have prepared the environment to be compatible for using the FIDO2 keys. Now the End-user can begin setting up a FIDO2 key.

*Please mind, that currently an administrative setup/rollout for a company of FIDO2 keys is not available at time of writing this guide. So this is something an End-user should be doing themselves for now.

Now as an end-user, login to http://myprofile.microsoft.com.

Click on Security Info in this portal.  

In there, we can add a new method for Multi Factor Authentication. If you have completed your MFA registration in the past, you can continue, using this wizard. If not you will be prompted to sign up for MFA first.

When adding a new method, you can see the security key option. Select this one.

Now choose the device type you want to place your FIDO2 key on. In my case I selected the USB device.

You will be prompted to enter the key in the USB port.

In addition you will be redirected to a Microsoft Login screen, with a new warning popup.

Click ok to continue.

A new warning will appear, stating that some information will be exchanged. If you want to know more about this process exactly click learn more. If you approve, click ok to continue.

Next you will need to create a PIN for your FIDO 2 Key.

Next step, you will be redirected back to the Myprofile portal. In there you will need to give your new key a name.

Click next to continue after you entered a name. You will be prompted, that you’re all set.

Next time you login to windows you can now use your FIDO2 key as an option to login. Please remind yourself that you need to enable this feature, either by enrolling your device in Intune and pushing the configuration or use a configuration package.

End-user login experience

Now, how does the login experience look for an end-user?

Let’s take the example of logging in to your Office 365 portal at https://login.onmicrosoft.com.  We are also using Microsoft Edge as a browser.

In here, we enter the login address of the user.

At the bottom, you will see the option: “Sign in with Windows Hello or a security key”. Click on it.

Make sure your key is plugged into a USB port.

Next enter your Security Pin.

Next touch your FIDO2 key on the fingerprint reader part.

Once done, you are logged into the system.

Basically that is it. The experience is also quite similar when logging in, into your Windows 10 device. You will first be prompted for your pin and then you are to touch your FIDO2 key.

Closing note

Basically, the setup is very straight forward and not that complex. However in my opinion, there still is some work to be done (and yes I am aware it is still in preview).

For example a companywide rollout, by administrators, would really make it an interesting option to secure your environment in an easy way for the workforce.

However, these FIDO2 keys have a huge potential to become the facto standard in highly secure environments.

If you need any help, got some useful feedback or want to have a chat about going password less, please don’t hesitated to contact me.

DutchEnglish