Isn't multifactor authentication on top of traditional password authentication secure? Unquestionably, adding multifactor authentication to conventional password-based authentication is a great way to bolster authentication security. However, MFA can be a cumbersome additional step to enter on top of the need to remember a password for an account.
Passwordless authentication is a more convenient form of strong authentication, since remembering a password is no longer required. Instead, users authenticate with something they have and something they are or know. Note the following examples of each factor:
- Something you have: Windows 10 or 11 device, phone, or security key
- Something you are or know: Biometric scanner or PIN
Microsoft Azure Active Directory contains three passwordless authentication options. These include:
- Windows Hello for Business—Replaces username and password authentication with strong authentication based on an asymmetric key pair
- Microsoft Authenticator app—Uses key-based passwordless authentication, enabling users with credentials tied to a device enabled with a PIN or biometric security mechanisms to carry out passwordless authentication
- FIDO2 security keys—A seamless way for employees to authenticate without entering a username or password, thereby offering an excellent solution for organizations currently using a shared PC environment
Authenticate against Azure Active Directory using a FIDO2 key
FIDO2 keys allow quickly signing into operating systems, applications, and services. Organizations can issue these keys to everyday information workers and those on the front lines who use shared devices. The FIDO2 key works by using industrial-strength public–private key technology. It securely stores a private key that can be unlocked using a biometric or PIN.
All authentication messages exchanged are signed by the private key and then validated by the public key housed in Azure Active Directory. Azure Active Directory then sends a token or session cookie to the device to prove that the authentication and identity are valid.
It is essential to know that FIDO2 keys are still two-factor authentication: the key itself (something you have) plus the PIN or biometric that unlocks it (something you know or are). However, they are much more secure than password-based authentication. In addition, when users do not have a phone or a dedicated Windows device, the FIDO2 security key provides a simple architecture for passwordless authentication.
After choosing the security key, inserting the key, and choosing the account on the key, the user will be seamlessly logged into the resources to which they are entitled.
With seamless single sign-on, the authentication carries forward within the browser session. So, for example, if users navigate to myapps.microsoft.com to access their digital workspace, they can access resources both on the Internet and on-premises without reauthenticating.
Setting up FIDO2 authentication with Azure Active Directory
How is FIDO2 security authentication configured in Azure Active Directory? To enable FIDO2 security key authentication in Azure Active Directory, navigate in the Azure portal to Azure Active Directory > Security > Authentication methods > Policies, and click FIDO2 Security Key. Here, you can enable the security authentication method and choose the scope for enablement.
In the same policy, you can add users and groups to the FIDO2 target to scope which users can use FIDO2 security keys.
How do users set up their Azure Active Directory FIDO2 key?
Let's look at the process for a FIDO2-enabled user to configure their FIDO2 key for use with Azure Active Directory. To configure and view FIDO2 keys and other authentication methods, users visit https://aka.ms/mysecurityinfo.
To begin, click Add method. Choose Security key.
Select the type of security key you want to use—USB or NFC device.
You will be prompted to continue the security key setup. The next step is to touch the security key. This proves the user's presence with the security key.
Create a PIN to associate with the security key and verify the PIN.
Next, you will be prompted to name the security key.
The configuration of the new FIDO2 security key should now be completed successfully.
Final notes
Passwordless authentication is a great way to bolster authentication security. Azure Active Directory provides multiple passwordless authentication types, including FIDO2 security keys.
The FIDO2 security key provides strong public–private key authentication that combines something you possess with something you know/are. As shown, it is relatively easy to enable the FIDO2 authentication method in Azure Active Directory, and the process of enrolling from the user's perspective is straightforward.
Thanks, great article. Unless I'm missing something, there seems to be a gap with Azure AD where you can't actually remove the user's password completely and go fully passwordless? The password is still there and available for use?