Password-Less Authentication to Azure AD using FIDO2 security keys

I’m sure you will agree that using passwords is on a road to extinction. Hi there, in this blog post I’m going to cover the topic of security and going password-less using FIDO2 security keys. If you would prefer to watch the video version of this, head over to YouTube: https://youtu.be/Kq74imD6KPY
In this blog I will cover setting up Azure AD, Microsoft Intune and registering a hardware security key for a single test user.
Let me start by saying a special thanks to Feitian, who kindly provided me with three of their FIDO2 security keys. I’ll be using one of these, the K26, to demonstrate how it works in a password-less experience.
Before we dive into the detail, we first need to look at some of the background and put some context around this topic. Recent statistics show around 81% of cyberattacks are due to compromised usernames or passwords. So, when we look at the use of passwords, the old security approaches in the enterprise simply no longer apply. When we think about it, the only people who like passwords are hackers. We have to create and remember them, which is why help desks get so many calls, and not only are they expensive to manage but they are easy for hackers to guess.
So the first approach, and one quickly becoming a standard, is to turn on multi-factor authentication, which reduces the risk considerably. We won’t go into setting this up or configuring it here, but take a look at the Microsoft article on how to achieve this: Enable Azure AD Multi-Factor Authentication – Microsoft Entra | Microsoft Docs
It is important to highlight that two-factor authentication using passwords is not the most convenient or secure method we can use. The diagram below shows a representation of the current guidance on this.


So, what is the answer? Well, FIDO, or Fast Identity Online, is an open standard for password-less authentication and is backed by an alliance of companies. FIDO allows users to sign in to their resources using an external security key, totally eliminating the need for usernames and passwords.
With FIDO2 security keys, users can sign in to Azure AD or hybrid Azure AD joined Windows 10 devices and get single sign-on to their cloud and on-premises resources. They also allow sign-in to supported browsers. FIDO2 security keys are a great option for enterprises and are quickly becoming a key approach. Where companies are very security sensitive, or have scenarios where employees aren’t willing or able to use their phone as a second factor, hardware keys are a great option.

In the following sections I will show how to set up the authentication method policy required within Azure AD, then go through the steps for a user to register a security key. I’ll end this post by showing the different methods to configure security keys as a sign-in method on Windows 10 by using Microsoft Intune, and the end-user experience.

Requirements

Before you can register a new security key for a user’s identity there are a few pre-requisites, which are:

  • Have an active Azure AD tenant
  • Have an active Microsoft Endpoint Management tenant
  • Already have synchronised user identities from on-prem AD or creation of a new Azure AD user account
  • Password-less sign-in with security keys requires Windows 10 version 1903 or higher when using Azure AD accounts, and Windows 10 version 2004 for hybrid Azure AD joined devices.
  • Users register for Azure MFA

With these in place there are two main administrative configuration steps we need to complete as part of deploying this to Windows 10/11 devices which are:

  • Setup the security key Authentication method within Azure
  • Configure and deploy security key sign-in capability using Microsoft Intune

Authentication method configuration

In this first step we need to enable password-less sign-in with security keys as an authentication method. As Azure AD is a component of Azure we need to log in to the Azure tenant at Portal.Azure.com to configure this.
Navigation: Azure Tenant

Azure AD > Security > Authentication methods

Select the FIDO2 security key option then toggle the Enable option to ‘Enable’ as per above to turn this on, then choose between ‘All Users’ or ‘Select Users’ to target your users depending on your preference. Next select the ‘Configure’ option at the top and enable ‘Self-service set up’ and ‘Enforce attestation’. The key restriction policy options are there if you want to only allow specific security key models, identified by their AAGUID. I would leave this alone to allow all key registrations at this point.

After completing this you have enabled end users to register their own security keys and the FIDO2 security keys authentication method is now available. 
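Added example, not from the original post and not Microsoft’s code: the same FIDO2 authentication method settings expressed as the Microsoft Graph policy body, plus a small evaluator that shows how the self-service, attestation and AAGUID restriction options combine when a user tries to register a key. The resource path and property names are those of the public fido2AuthenticationMethodConfiguration schema as I know it; the AAGUID value is a constructed placeholder, not the K26’s real identifier.

```python
import uuid

# Microsoft Graph resource for the FIDO2 authentication method policy
FIDO2_POLICY_URL = ("https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/"
                    "authenticationMethodConfigurations/Fido2")

def build_fido2_policy(enabled=True, self_service=True, enforce_attestation=True,
                       allowed_aaguids=None, target_id="all_users"):
    """Build the JSON body for a PATCH to FIDO2_POLICY_URL.

    allowed_aaguids=None reproduces the post's setting (no key restriction);
    a list of AAGUIDs switches on an 'allow' restriction for just those key models.
    """
    if allowed_aaguids is not None:
        for guid in allowed_aaguids:
            uuid.UUID(guid)  # ValueError on a malformed AAGUID before it reaches the tenant
    return {
        "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
        "state": "enabled" if enabled else "disabled",
        "isSelfServiceRegistrationEnabled": self_service,
        "isAttestationEnforced": enforce_attestation,
        "keyRestrictions": {
            "isEnforced": allowed_aaguids is not None,
            "enforcementType": "allow",
            "aaGuids": list(allowed_aaguids or []),
        },
        # "all_users" is the 'All users' target; a group object id is 'Select users'
        "includeTargets": [{"targetType": "group", "id": target_id,
                            "isRegistrationRequired": False}],
    }

def self_registration_permitted(policy, key_aaguid, attestation_verified):
    """Approximate the checks the service applies when a user self-registers a key."""
    if policy["state"] != "enabled" or not policy["isSelfServiceRegistrationEnabled"]:
        return False
    if policy["isAttestationEnforced"] and not attestation_verified:
        return False  # attestation enforced: keys whose model cannot be verified are rejected
    restr = policy["keyRestrictions"]
    if not restr["isEnforced"]:
        return True
    # An AAGUID is only trustworthy when attestation proves the key model, so an
    # AAGUID restriction without attestation enforced gives little assurance.
    listed = key_aaguid.lower() in {g.lower() for g in restr["aaGuids"]}
    return listed if restr["enforcementType"] == "allow" else not listed

# Constructed placeholder AAGUID; the post does not give the K26's real value
EXAMPLE_AAGUID = "11111111-2222-3333-4444-555555555555"
```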

Before I go ahead and do this for our test user(s) we now need to configure security keys as a sign-in method for Windows devices.

Windows security key sign-in option

This step can be achieved in multiple ways when logged into the Microsoft Endpoint Management portal (MEM). These include:

  • Using an ‘Identity protection’ device configuration policy
  • Using a custom device configuration policy
  • Using the Windows Hello enrollment settings

For this blog I will just configure the Windows Hello enrollment option. Login to your MEM portal and navigate to:
Devices > Windows > Windows Enrolment > Windows Hello for Business.

As you can see above, I have enabled the ‘Use security keys for sign-in:’ option only and left the Configure Windows Hello for Business option not configured. The reason for this is that, despite being on the same pane, they can be set and function independently. Enabling security key sign-in in this way switches the functionality on for all compatible Windows devices and therefore does not target specific users or groups. The other two methods will allow you to achieve this if you want to gradually roll this out.
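Added example (not the post’s own and not Microsoft’s code) of the custom device configuration route listed above: the Microsoft Graph bodies for a custom Windows 10 profile carrying the PassportForWork security key CSP setting, assigned to a pilot group so the rollout can be gradual. The OMA-URI is the documented one for this toggle; the group id is a placeholder supplied by the caller.

```python
# Documented CSP node behind Intune's "Use security keys for sign-in" toggle
SECURITY_KEY_OMA_URI = "./Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin"

def build_security_key_profile(display_name, enable=True):
    """JSON body for POST /deviceManagement/deviceConfigurations (custom Windows 10 profile)."""
    return {
        "@odata.type": "#microsoft.graph.windows10CustomConfiguration",
        "displayName": display_name,
        "description": "FIDO2 security key sign-in (Windows 10 1903+, hybrid join 2004+)",
        "omaSettings": [{
            "@odata.type": "#microsoft.graph.omaSettingInteger",
            "displayName": "UseSecurityKeyForSignin",
            "omaUri": SECURITY_KEY_OMA_URI,
            "value": 1 if enable else 0,  # 1 = enabled, 0 = disabled
        }],
    }

def build_group_assignment(group_id):
    """JSON body for POST /deviceManagement/deviceConfigurations/{id}/assign.

    Targeting a pilot group (rather than all devices) is what makes the custom profile
    suitable for a gradual rollout, unlike the tenant-wide Windows Hello enrollment toggle.
    """
    return {"assignments": [{"target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget", "groupId": group_id}}]}
```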

Register a FIDO2 security key for an end user

To begin with, there is a requirement for Azure MFA to be enabled and for the end user registering the key to have already registered for MFA on their account. The following steps show how to register a key.
Step 1. Login to https://myprofile.microsoft.com as the test user account and navigate to ‘Security info’.
Click on ‘+Add sign-in method’, select ‘Security Key’ then the ‘Add’ button.

You may then be prompted on the next screen to sign in with 2FA. Click the ‘Next’ button and carry out 2FA using your configured 2FA process, which may be the Microsoft Authenticator app on your mobile.
You are then presented with a choice of whether you register a security key for NFC authentication or USB. As I have a Feitian K26 biometric security key I will use USB. Follow the steps below, which show the overall process.

In this next step you will be required to enter and confirm a security key PIN matching your security complexity rules. In my case below I have registered the key previously, so it only asks me for the existing PIN on the device. As and when required you can reset the security key to wipe the PIN and start afresh.

After entering the PIN, depending on the security key you are registering, you will be asked to touch the sensor on the front of the key. This is simply a touch and not fingerprint biometric recognition, even though the hardware device does have a biometric reader.

At this stage you are required to name the security key so that you can distinguish which key it is, as you may register multiple keys. In fact, some people recommend that at least two keys should be registered to ensure you have a backup.

The final screen will inform you that you have successfully completed the registration. 

End User testing 

With all the configuration complete and a security key registered, the final step is to test the password-less experience. I have set out two tests, one showing the Windows sign-in experience and the other showing the password-less experience on Windows when using a browser.

Windows sign-in experience

The icon highlighted in the middle of the picture is for the security key. After clicking this option, plug in your security key and you will be prompted for the security key PIN. Enter the PIN and you will be prompted to touch the device. This will sign you into your Windows device without using a username or password. Hey presto, PASSWORD-LESS!

Password-less experience with a browser

To test the browser experience, choose a Microsoft website you subscribe to such as Office.com, go to sign-in and choose ‘Sign-in options’.

At this point you can select the ‘Security key’ login option, if available, rather than a specific user account, as per below.

Enter the security key PIN as per the Windows sign-in experience.

And finally touch the security key to complete, and you will be signed into the website using the password-less option.
