The Enabling Technologies Blog


Mark Brezicky / / Categories: Best Practices, Cloud Security, Technical View, Azure, Security, passwords, Cloud

Azure AD Passwordless Authentication with FIDO2 Security Keys – Part 2

In the previous post, you saw how to enable a user, or everyone, to use a FIDO2 security key as an authentication method for Azure AD. After the Azure AD administrator has configured each user for sign-in with FIDO2 security keys and the user has received the physical key, it is up to each user to register their security key. At least during the public preview, administrator provisioning and de-provisioning of security keys is not available. During registration, users will need to specify a PIN or, if their PC supports it, biometrics via a fingerprint reader. These are specific to the individual key and are not stored anywhere else on the PC or in Azure AD.

The following instructions demonstrate the user registration process:

  1. Browse to https://myprofile.microsoft.com
    • Sign in if not already signed in
  2. Click Security Info
    • If the user already has at least one Azure Multi-Factor Authentication method registered, they can immediately register a FIDO2 security key.
    • If they don’t have at least one Azure Multi-Factor Authentication method registered, they must add one.


  3. Add a FIDO2 security key by clicking Add method
  4. Choose Security key


  5. Choose USB device or NFC device


  6. Have your key ready and choose Next


  7. A box will appear asking you to create or enter a PIN for your security key, then perform the required gesture for your key, either biometric or touch.


  8. You will be returned to the combined registration experience and asked to provide a meaningful name for your token so you can identify it if you have multiple keys. Click Next.


Once registered, users can sign in from the lock screen on their Windows 10 PC as well as at any web-based Azure AD sign-in. There are a few limitations for the public preview:

  • Windows 10 PC sign-in and lock screen only works from Azure AD Joined machines for now. Domain-joined, Hybrid Azure AD, and standalone PCs are not yet supported.
  • User Principal Name (UPN) changes are not supported. If a UPN changes, the device should be reset and re-registered.
  • Web sign-in requires the latest builds of Edge or Firefox, and the latest version of a WebAuthn-compatible browser

Sign-in and lock screen experience (screenshot):

Sign in to any Azure AD-authenticated website (e.g. https://portal.office.com) (screenshot):

Users can manage their own keys under Security Info within My Profile, but they can also manage biometrics and/or the PIN from their local PC, depending on their Windows 10 version:

  • Windows 10 version 1809
    • Companion software from the security key vendor is required
  • Windows 10 version 1903 or later
    • Users can open Windows Settings on their device > Accounts > Security Key
    • Users can change their PIN, update biometrics, or reset their security key


Enabling Technologies can help you properly prepare for moving to the cloud based on Microsoft best practices, using a secure and productive environment. Turning on passwordless capabilities is a significant change to the end user experience. Enabling can offer Change Management services to make this transition much less stressful and painful for end users.
