In this post I will discuss how to configure an Azure Active Directory account to go passwordless using a FIDO2 security key. I recently received an AllinPass FIDO2 Plus security key to explore the feature and provide my views on it. I will be providing my inputs on the usage, benefits and reasons to use FIDO2 security keys. But before that, let's understand the basics.
- What is FIDO2 Security Key
- Why do we need FIDO2 security key
- Feitian AllinPass FIDO2 Plus security features
What is FIDO2 Security Key
FIDO stands for Fast Identity Online. The FIDO Alliance promotes open authentication standards that reduce the use of passwords as a form of authentication. FIDO2 is the current standard; it pairs the W3C WebAuthn browser API with the CTAP2 protocol that the client uses to talk to the authenticator.
FIDO2 security keys are hardware authenticators, typically USB devices, which may also communicate over Bluetooth or NFC. The private key is generated on and never leaves the device, and the browser binds each assertion to the site's origin, so you can authenticate to an account without entering a password and a phishing page cannot replay the credential.
Why do we need FIDO2 security key
FIDO2 security keys are one of the three passwordless authentication options Microsoft supports for signing in to Azure Active Directory accounts and devices, whether Azure AD joined or hybrid Azure AD joined. The three forms of passwordless authentication are:
- Windows Hello for Business
- Microsoft Authenticator
- FIDO2 security keys
This post focuses on FIDO2 security keys only.
Feitian AllinPass FIDO2 Plus security features
The FEITIAN AllinPass FIDO2 Plus security key combines passwordless authentication, an identification card and physical access into one device that fits a standard wearable cardholder, providing strong, phishing-resistant multi-factor authentication against password-based account takeovers. Biometrics give a user-friendly and secure passwordless logon experience. The device I received is the Feitian AllinPass FIDO2 Biometric Fingerprint Security Key K43.
This device has a USB-C interface which can be used with laptops, desktops and Android devices. The device also has Bluetooth and NFC built in.
Designed for Enterprise use
The AllinPass FIDO2 Plus has a card form factor, so in an enterprise it can serve as both a security key and an employee ID card.
Key material on the device is stored in an embedded Secure Element certified to Common Criteria EAL 6+.
Enable Authentication method for FIDO2 Security key in Azure
By default the FIDO2 Security Key authentication method is not enabled; you need to enable it before users can register a key.
Log in to the Azure Portal and navigate to Azure Active Directory > Security > Authentication methods.
Here the FIDO2 Security Key row shows Enabled = No (disabled state). Click FIDO2 Security Key.
This opens the FIDO2 Security Key settings. Enable the setting and, under Target, select either All users or "Select users". For a planned rollout of the FIDO2 feature I would recommend going with pilot users first. For demonstration purposes in my lab, I selected "All users" and clicked Save.
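The same policy can be set from Microsoft Graph, which is how you would script it for a staged rollout. The following is an added example, not code from the original post or from Feitian; it assumes the Microsoft.Graph PowerShell SDK is installed and that the group ID and AAGUID values are placeholders you replace with your own. The second configuration also turns on the Enforce attestation and Key restriction policy settings that sit on the same blade, so only key models on the allow list can be registered.

```powershell
# Added example: enable the FIDO2 security key authentication method through
# Microsoft Graph rather than the portal blade. Assumes the Microsoft.Graph
# PowerShell SDK; $PilotGroupId and $AllowedAaguid are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

$uri = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2"

# Read the current state first; the portal's Enabled = No corresponds to state = disabled.
$current = Invoke-MgGraphRequest -Method GET -Uri $uri
"Before: state={0}, attestationEnforced={1}" -f $current.state, $current.isAttestationEnforced

# Lab-style setting, equivalent to Enable = Yes, Target = All users.
$allUsers = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationEnabled = $true
    isAttestationEnforced            = $false
    keyRestrictions = @{
        isEnforced      = $false
        enforcementType = "block"
        aaGuids         = @()
    }
    includeTargets = @(
        @{ targetType = "group"; id = "all_users"; isRegistrationRequired = $false }
    )
}

# Recommended rollout: pilot group only, attestation enforced, and only key
# models whose AAGUID is on an allow list. Replace the placeholders with the
# object ID of your pilot group and the AAGUID Graph reports for your key model.
$PilotGroupId  = "00000000-0000-0000-0000-000000000000"   # placeholder
$AllowedAaguid = "00000000-0000-0000-0000-000000000000"   # placeholder
$pilot = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationEnabled = $true
    isAttestationEnforced            = $true
    keyRestrictions = @{
        isEnforced      = $true
        enforcementType = "allow"
        aaGuids         = @($AllowedAaguid)
    }
    includeTargets = @(
        @{ targetType = "group"; id = $PilotGroupId; isRegistrationRequired = $false }
    )
}

# Apply the pilot configuration (swap in $allUsers to reproduce the lab setting).
Invoke-MgGraphRequest -Method PATCH -Uri $uri `
    -Body ($pilot | ConvertTo-Json -Depth 5) -ContentType "application/json"

$after = Invoke-MgGraphRequest -Method GET -Uri $uri
"After: state={0}, attestationEnforced={1}, targets={2}" -f $after.state, $after.isAttestationEnforced,
    (($after.includeTargets | ForEach-Object { $_.id }) -join ",")
```

Enforcing an allow list blocks registration and sign-in for any key whose AAGUID is not listed, including keys users have already registered, so confirm the AAGUID from a registered key before turning enforcement on.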
Register FIDO2 security key in Azure Active Directory
With the authentication method enabled, open the My Sign-Ins page (https://mysignins.microsoft.com) and go to Security info.
Here you can see all existing sign-in methods for the account you used to log in. Click Add sign-in method to add another one.
In the Add a method popup, a "Security key" option now appears alongside the default options (Authenticator app, Phone and Email). It is only listed once the FIDO2 security key authentication method has been enabled in the tenant.
Click on Security key and click Add.
You will see the message:
To set up a security key, you need to sign in with two-factor authentication. Click Next.
This prompts for a second factor using a method you registered previously. I authenticated using the Microsoft Authenticator app by clicking Approve.
The next page asks you to choose the type of security key:
- USB device
- NFC device
I connected my Feitian K43 to a USB port and clicked USB device.
This is the point at which the key must be plugged in to the USB port. Click Next.
Windows then shows a security prompt to verify your identity for login.microsoft.com, with several options. Choose External security key or built-in sensor.
Click OK when the Security key setup prompt asks for permission to configure the key.
The Continue setup popup explains that the credential will be saved on the security key. This is a discoverable (resident) credential, and it is what later allows you to sign in without typing a username. Click OK.
This is the key step: you are asked to touch the security key, and to enter the security key PIN if one was configured previously. Azure AD requires user verification, so if the key has no PIN yet Windows will ask you to create one at this point.
Once the credential is saved on the key, the next page asks you to name it. Use something recognisable, such as the key model and where it is kept, so the registration can be identified and removed if the key is lost.
The next time you log in to the Azure Portal, you can click Sign-in options to log in without providing a username and password.
Clicking it shows several sign-in options; choose Sign in with a security key.
The Windows Security dialog offers several options; choose Security key.
The dialog lists every account saved on this security key, so one key can hold credentials for other accounts as well. Select the account that was just registered.
And that's it: we have successfully logged in to the Azure Portal using the security key, without providing a username or password.
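From the admin side, the registration can be verified through Microsoft Graph, which also reports the key's AAGUID and whether it passed attestation. The following is an added example, not code from the original post or from Feitian; it assumes the Microsoft.Graph PowerShell SDK and uses a placeholder UPN and key name. It also includes the check a practitioner needs when a key is lost: removing the registration so the physical key can no longer sign in.

```powershell
# Added example: confirm the FIDO2 key registered above is present on the user's
# account, report its AAGUID and attestation level, and revoke it if it is lost.
# Assumes the Microsoft.Graph PowerShell SDK; $Upn is a placeholder.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

$Upn = "user@contoso.example"   # placeholder UPN of the user who registered the key

$methods = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/users/$Upn/authentication/fido2Methods"

foreach ($m in $methods.value) {
    [pscustomobject]@{
        Id               = $m.id
        DisplayName      = $m.displayName        # the name chosen during registration
        Model            = $m.model
        AaGuid           = $m.aaGuid             # value to put in a key restriction allow list
        AttestationLevel = $m.attestationLevel   # "attested" or "notAttested"
        Created          = $m.createdDateTime
    }
}

# Flag keys that did not pass attestation; with Enforce attestation turned on,
# none of these should exist.
$unattested = @($methods.value | Where-Object { $_.attestationLevel -ne "attested" })
if ($unattested.Count -gt 0) {
    Write-Warning ("{0} key(s) registered without attestation" -f $unattested.Count)
}

# Lost key: delete the registration by its display name so the key can no longer
# be used to sign in. Does nothing to the physical key itself.
function Remove-LostFido2Key {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$DisplayName
    )
    $list = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/v1.0/users/$UserPrincipalName/authentication/fido2Methods"
    $key = $list.value | Where-Object { $_.displayName -eq $DisplayName }
    if (-not $key) { throw "No FIDO2 key named '$DisplayName' on $UserPrincipalName" }
    Invoke-MgGraphRequest -Method DELETE `
        -Uri "https://graph.microsoft.com/v1.0/users/$UserPrincipalName/authentication/fido2Methods/$($key.id)"
    "Removed key '$DisplayName' ($($key.id)) from $UserPrincipalName"
}

# Remove-LostFido2Key -UserPrincipalName $Upn -DisplayName "Feitian K43"   # placeholder name
```

Deleting the method revokes the registration on the Azure AD side only; the credential still sits on the key until the key is reset, so a found key should also be wiped before it is reused.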
Configure Security Key
The Feitian security key can be configured in any of three ways:
- Windows settings
- Feitian BioPass FIDO2 Manager
- Chrome Browser
Windows settings configuration for Security key
On a Windows 10 or Windows 11 device, go to Start > Settings > Accounts > Sign-in options > Security Key and click Manage.
Follow the prompts: touch the security key and set up a security key PIN. The same dialog also lets you reset the key, which wipes every credential stored on it.
Configure Security key using FIDO2 Manager
Download FIDO2 Manager for Windows or Mac.
For Windows users
Download BioPass FIDO2 Manager from the Microsoft Store (Windows 10) or from the FEITIAN website.
For Mac users
Download BioPass FIDO2 Manager from the Mac App Store or from the FEITIAN website.
Launch BioPass FIDO2 Manager and click Add Fingerprint.
Enter the PIN if one was set previously, or set a new security key PIN.
It will ask you to touch the fingerprint sensor.
It prompts you to touch the sensor several times to enrol the fingerprint. Once done, Fingerprint 1 is listed; you can enrol more than one fingerprint.
The same can be done from the Chrome browser under Settings > Privacy and security > Security > Manage security keys.
Azure Active Directory passwordless sign-in – Microsoft Entra | Microsoft Docs
Browser support of FIDO2 passwordless authentication – Microsoft Entra | Microsoft Docs