The Enabling Technologies Blog


Mark Brezicky / Categories: Best Practices, Technical View, Azure, Security, passwords, Cloud

Azure AD Passwordless Authentication with FIDO2 Security Keys – Part 1

Microsoft recently announced the public preview of support for Fast Identity Online (FIDO) authentication using FIDO2 security keys.  FIDO is an open standard for strong, passwordless authentication and has been around for several years.  With support for this modern protocol, Microsoft is moving one step closer to a truly passwordless end-to-end user experience.

The following chart shows the currently supported vendors.  Each offers FIDO2 security keys in several different form factors.  Enabling and Microsoft both recommend that each customer evaluate the features of the keys, and the types offered by each vendor, prior to any bulk purchase.

[Image: chart of currently supported FIDO2 security key vendors]

For the public preview, users can sign in to Azure AD joined Windows 10 PCs (running version 1809 or higher) and to supported browsers (the latest builds of Edge or Firefox, or the latest version of another WebAuthn-compatible browser).  As an Azure AD administrator, you can roll the feature out to everyone at once or to a targeted (pilot) group.  The following list is the minimum set of requirements to start rolling out this feature to end users:

  • Azure Multi-Factor Authentication
  • Combined registration preview
  • Compatible FIDO2 security keys (required by the FIDO2 security key preview)
  • WebAuthn sign-in requires Microsoft Edge on Windows 10 version 1809 or higher
  • FIDO2-based Windows sign-in requires Azure AD joined Windows 10 version 1809 or higher
    • Windows 10 sign-in and lock-screen support is limited to pure Azure AD joined machines.  Hybrid Azure AD joined Windows 10 PCs only support web sign-in at the moment.

Supported browsers are automatically enabled for security key sign-in, but Windows 10 PCs must have the feature turned on explicitly.  Devices you pilot with must be running Windows 10 version 1809 or higher; the best experience is on Windows 10 version 1903 or higher.  There are several ways to enable it, and the steps below show how to do so via Intune (a Windows Hello for Business profile or a custom OMA-URI profile) or via the registry.

Using Microsoft Intune, you can enable security keys for sign-in with either a Windows Hello for Business profile or a custom OMA-URI profile.  You do not need to deploy Windows Hello for Business itself to enable this feature.  If you already have a Windows Hello for Business profile deployed, the feature is one additional setting within that profile's options.  If not, create a Windows Hello for Business profile anyway and enable Use security keys for sign-in, configuring the rest of the profile according to your rollout method.


Alternatively, you can use a custom profile type with the OMA-URI setting below.  This policy can be assigned to specific users, devices, or groups.

  • Name: Turn on FIDO Security Keys for Windows Sign-In
  • OMA-URI: ./Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin
  • Data Type: Integer
  • Value: 1


Registry

If you are not using Microsoft Intune, this feature can be enabled via a registry change.  This method is not explicitly called out as a supported deployment option; however, the custom OMA-URI setting described above writes the same policy value, so the result is identical.  To configure it in the Windows 10 registry, create the following key and value:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey]

"UseSecurityKeyForSignin"=dword:00000001

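The registry path above and the Intune OMA-URI setting before it set the same policy value, so a pilot device can be prepared and verified from an elevated PowerShell session.  The script below is an added example written for this article, not code from the original post or from Microsoft.  It checks the two prerequisites the post lists (build 1809 or higher and a pure Azure AD joined device, which it reads from dsregcmd /status), writes the DWORD, and reads it back; the function names are my own, and the warning thresholds assume build 17763 for 1809 and 18362 for 1903.

```powershell
# Added example (not from the original post): enable FIDO2 security-key sign-in on a
# Windows 10 PC via the registry value described above, after checking the
# prerequisites listed earlier. Run in an elevated PowerShell session.
# Assumptions: Windows 10 1809 = build 17763, 1903 = build 18362; dsregcmd /status
# prints "AzureAdJoined : YES" / "DomainJoined : NO" style lines.

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey'
$ValueName = 'UseSecurityKeyForSignin'

function Test-SecurityKeyPrereqs {
    # Minimum supported build is 1809; the post says 1903 or higher gives the best experience.
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    if ($build -lt 17763) { throw "Build $build is below Windows 10 1809 (17763); security key sign-in is unsupported." }
    if ($build -lt 18362) { Write-Warning "Build $build is supported, but 1903 (18362) or higher gives the best experience." }

    # Lock-screen sign-in needs a pure Azure AD joined device. dsregcmd reports the join state;
    # a hybrid joined device shows both AzureAdJoined : YES and DomainJoined : YES.
    $status = dsregcmd /status
    $aad    = ($status | Select-String '^\s*AzureAdJoined\s*:\s*(\w+)').Matches[0].Groups[1].Value
    $domain = ($status | Select-String '^\s*DomainJoined\s*:\s*(\w+)').Matches[0].Groups[1].Value
    if ($aad -ne 'YES') { throw "Device is not Azure AD joined (AzureAdJoined : $aad)." }
    if ($domain -eq 'YES') {
        Write-Warning 'Hybrid Azure AD joined: the preview supports web sign-in only on this device, not the Windows lock screen.'
    }
}

function Enable-SecurityKeySignIn {
    # Creates the policy key if it is missing and sets the DWORD to 1 (the same value the OMA-URI writes).
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-SecurityKeySignInState {
    # Returns $true only when the value exists and equals 1; any other state is "not enabled".
    $v = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.$ValueName -eq 1)
}

Test-SecurityKeyPrereqs
Enable-SecurityKeySignIn
if (Get-SecurityKeySignInState) {
    'FIDO2 security key sign-in is enabled on this device.'
} else {
    throw "Registry value $ValueName was not written under $KeyPath."
}
```

Run Get-SecurityKeySignInState on its own to audit a device that was configured by Intune; it reads the same value regardless of which method wrote it.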

Once sign-in is enabled on the PCs, you need to configure Azure AD so that users can use the feature.  This involves two steps.  The first enables users for the combined registration experience, which can be deployed to all or selected users.

  1. Browse to Azure Active Directory > User settings
  2. Click Manage settings for access panel preview features
  3. Under Users can use preview features for registering and managing security info - enhanced, choose Selected and pick a group of users who will participate in the preview, or choose All to enable it for everyone in your directory
  4. Click Save


The second step assigns the user(s) the capability to use this new authentication method.

  1. Browse to Azure Active Directory > Authentication methods > Authentication method policy (Preview)
  2. Under Method, select FIDO2 Security key and choose the following options:
    • Enable - Yes or No
    • Target - All users or Select users
  3. Save each method

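The authentication method policy steps above can also be scripted, and more usefully audited, through Microsoft Graph.  The following PowerShell is an added example written for this article, not code from the original post or from Microsoft, and it goes beyond the portal walkthrough: it uses the authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2 endpoint, which postdates the preview described here.  It assumes the Microsoft.Graph PowerShell module is installed, the signed-in account holds Policy.ReadWrite.AuthenticationMethod, and $PilotGroupId is replaced with the object ID of your pilot group (the value below is a placeholder).

```powershell
# Added example (not from the original post): enable the FIDO2 method for a pilot
# group via Microsoft Graph and confirm the policy reads back as expected.
# Assumptions: Microsoft.Graph module installed; Policy.ReadWrite.AuthenticationMethod
# granted; $PilotGroupId replaced with a real group object ID (placeholder below).

Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod'

$PilotGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: your pilot group's object ID
$Fido2Uri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2'

function Set-Fido2PilotPolicy {
    param([Parameter(Mandatory)][string]$GroupId)
    $body = @{
        '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
        state                            = 'enabled'          # the portal's "Enable - Yes"
        isSelfServiceRegistrationAllowed = $true              # users register their own keys, as in the post
        isAttestationEnforced            = $true              # reject keys whose attestation cannot be verified
        includeTargets                   = @(                 # the portal's "Target - Select users"
            @{ targetType = 'group'; id = $GroupId; isRegistrationRequired = $false }
        )
    }
    Invoke-MgGraphRequest -Method PATCH -Uri $Fido2Uri -ContentType 'application/json' `
        -Body ($body | ConvertTo-Json -Depth 5)
}

function Test-Fido2PilotPolicy {
    # Returns $true only if the method is enabled and the pilot group (or all_users) is targeted.
    param([Parameter(Mandatory)][string]$GroupId)
    $cfg = Invoke-MgGraphRequest -Method GET -Uri $Fido2Uri
    $targeted = $cfg.includeTargets | Where-Object { $_.id -eq $GroupId -or $_.id -eq 'all_users' }
    return ($cfg.state -eq 'enabled' -and $null -ne $targeted)
}

Set-Fido2PilotPolicy -GroupId $PilotGroupId
if (Test-Fido2PilotPolicy -GroupId $PilotGroupId) {
    'FIDO2 security key method is enabled for the pilot group.'
} else {
    throw 'FIDO2 policy did not apply as expected; check the state and includeTargets in the portal.'
}
```

Enforcing attestation means a key whose attestation Microsoft cannot verify will fail registration, so test your purchased keys against that setting before handing them out; the policy targets registration eligibility only, and, as the post notes, it does not force anyone to register a key.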

Once all requirements are in place, you can hand out the physical keys with instructions for end users on how to register them.  The user setup is done entirely by the end users on their PCs; for the preview, there is no administrative way to mass-register keys or to enforce their use.  Our next article will discuss and demonstrate the end-user setup of a security key and the sign-in experience.

Enabling Technologies can help you properly prepare for moving to the cloud based on Microsoft best practices and utilizing a secure and productive environment.  You can check out more in the Cloud section of our website. 
