Getting rid of insecure password authentication is becoming a priority for many businesses. Companies using Microsoft's Azure Active Directory have several options for implementing passwordless authentication. One of these is using a FIDO2 security key.

Isn't multifactor authentication on top of traditional password authentication secure? Unquestionably, adding multifactor authentication to conventional password-based authentication is a great way to bolster authentication security. However, MFA can be a cumbersome additional step to enter on top of the need to remember a password for an account.

Passwordless authentication is a more convenient form of strong authentication, since remembering a password is no longer required. Instead, users authenticate with something they have and something they are or know. Note the following examples of each factor:

  • Something you have: Windows 10 or 11 device, phone, or security key
  • Something you are or know: Biometric scanner or PIN

Microsoft Azure Active Directory contains three passwordless authentication options. These include:

  • Windows Hello for Business—Replaces username and password authentication with strong authentication based on an asymmetric key pair
  • Microsoft Authenticator app—Uses key-based passwordless authentication, enabling users with credentials tied to a device enabled with a PIN or biometric security mechanisms to carry out passwordless authentication
  • FIDO2 security keys—A seamless way for employees to authenticate without entering a username or password, thereby offering an excellent solution for organizations currently using a shared PC environment

Authenticate against Azure Active Directory using a FIDO2 key

FIDO2 keys allow users to sign in quickly to operating systems, applications, and services. Organizations can issue these keys to everyday information workers and to frontline workers who use shared devices. The FIDO2 key works by using industrial-strength public–private key cryptography: it securely stores a private key that can only be unlocked with a biometric or PIN.

All authentication messages exchanged are signed with the private key and then validated with the public key housed in Azure Active Directory. Azure Active Directory then issues a token or session cookie to the device to prove that the authentication and identity are valid.
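The exchange described above, as an added example that is not part of the original article and is not Microsoft's or any vendor's code: a simplified model of a FIDO2/WebAuthn sign-in in Go. The authenticator signs the authenticator data (RP ID hash, user-present and user-verified flags, signature counter) together with the hash of the client data, and the relying party (standing in for Azure Active Directory) verifies the signature under the public key it stored at enrollment. The RP ID `login.microsoft.com`, the challenge string, and the function names are assumptions chosen for the example; a real deployment also checks the challenge, origin, and credential ID, which are omitted here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator models the security key: the private key never leaves it and
// a signature counter lets the relying party notice a cloned key.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// RelyingParty models the identity provider: it keeps only the public key
// registered at enrollment and the last counter value it accepted.
type RelyingParty struct {
	rpID        string
	pub         *ecdsa.PublicKey
	lastCounter uint32
}

// Register is the enrollment step: the key pair is generated on the
// authenticator and only the public half is handed to the relying party.
func Register(rpID string) (*Authenticator, *RelyingParty, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &RelyingParty{rpID: rpID, pub: &priv.PublicKey}, nil
}

// authenticatorData follows the WebAuthn layout: SHA-256(rpID), one flags
// byte (bit 0 = user present, bit 2 = user verified), big-endian counter.
func authenticatorData(rpID string, userPresent, userVerified bool, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	var flags byte
	if userPresent {
		flags |= 0x01
	}
	if userVerified {
		flags |= 0x04
	}
	var cb [4]byte
	binary.BigEndian.PutUint32(cb[:], counter)
	return append(append(h[:], flags), cb[:]...)
}

// Assertion is what the key returns: the authenticator data plus an ECDSA
// signature over SHA-256(authData || SHA-256(clientData)).
type Assertion struct {
	AuthData []byte
	Sig      []byte
}

// Sign is the authenticator's answer to a challenge; touch (userPresent) and
// PIN/biometric (userVerified) are gated on the key itself.
func (a *Authenticator) Sign(rpID string, clientData []byte, userPresent, userVerified bool) (*Assertion, error) {
	a.counter++
	authData := authenticatorData(rpID, userPresent, userVerified, a.counter)
	cdh := sha256.Sum256(clientData)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: authData, Sig: sig}, nil
}

// Verify is what the relying party checks before issuing a token or session
// cookie: RP ID hash, presence and verification flags, increasing counter,
// and the signature under the registered public key.
func (rp *RelyingParty) Verify(clientData []byte, as *Assertion) error {
	if len(as.AuthData) < 37 {
		return errors.New("authenticator data too short")
	}
	want := sha256.Sum256([]byte(rp.rpID))
	if !bytes.Equal(as.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch: assertion was made for a different relying party")
	}
	if flags := as.AuthData[32]; flags&0x01 == 0 || flags&0x04 == 0 {
		return errors.New("user presence or user verification flag not set")
	}
	counter := binary.BigEndian.Uint32(as.AuthData[33:37])
	if counter <= rp.lastCounter {
		return errors.New("signature counter did not increase: replay or cloned key")
	}
	cdh := sha256.Sum256(clientData)
	digest := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdh[:]...))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], as.Sig) {
		return errors.New("signature does not verify under the registered public key")
	}
	rp.lastCounter = counter
	return nil
}

// Demo enrolls one key and runs three sign-in attempts on constructed client
// data: a valid one, a replay of the same assertion, and an assertion made
// for a different RP ID. Returns whether each behaved as expected.
func Demo() (firstOK, replayRejected, wrongRPRejected bool, err error) {
	auth, rp, err := Register("login.microsoft.com")
	if err != nil {
		return
	}
	clientData := []byte(`{"type":"webauthn.get","challenge":"constructed-challenge","origin":"https://login.microsoft.com"}`)
	as, err := auth.Sign("login.microsoft.com", clientData, true, true)
	if err != nil {
		return
	}
	firstOK = rp.Verify(clientData, as) == nil
	replayRejected = rp.Verify(clientData, as) != nil
	other, err := auth.Sign("other-rp.example", clientData, true, true)
	if err != nil {
		return
	}
	wrongRPRejected = rp.Verify(clientData, other) != nil
	return
}

func main() {
	ok, replay, wrongRP, err := Demo()
	fmt.Println("valid:", ok, "replay rejected:", replay, "wrong RP rejected:", wrongRP, "err:", err)
}
```

The two rejected cases are the properties that make FIDO2 keys phishing-resistant and harder to clone than a password: an assertion is bound to the RP ID hash, so it cannot be reused against another site, and the counter must strictly increase, so a captured assertion cannot be replayed.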

FIDO2 keys authenticate to Azure Active Directory using public–private key authentication


It is essential to understand that FIDO2 keys are still a form of two-factor authentication (the key plus a PIN or biometric). However, they are far more secure than password-based authentication. In addition, when users do not have a phone or a dedicated Windows device, the FIDO2 security key provides a simple architecture for passwordless authentication.

After choosing the security key sign-in option, inserting the key, and choosing the account stored on the key, the user is seamlessly signed in to the resources to which they are entitled.

With seamless single sign-on, the authentication carries forward within the browser session. So, for example, if users navigate to myapps.microsoft.com to access their digital workspace, they can access resources both on the Internet and on-premises without reauthenticating.

Setting up FIDO2 authentication with Azure Active Directory

How is FIDO2 security authentication configured in Azure Active Directory? To enable FIDO2 security key authentication in Azure Active Directory, navigate in the Azure portal to Azure Active Directory > Security > Authentication methods > Policies, and click FIDO2 Security Key. Here, you can enable the security authentication method and choose the scope for enablement.

Enabling FIDO2 security key authentication in Azure Active Directory


Below, you can add users and groups to the FIDO2 target to scope users who can use FIDO2 security keys.

Adding users to the FIDO2 security key policy


How do users set up their Azure Active Directory FIDO2 key?

Let's look at the process for a FIDO2-enabled user to configure their FIDO2 key for use with Azure Active Directory. To configure and view FIDO2 keys and other authentication methods, users visit https://aka.ms/mysecurityinfo.

To begin, click Add method. Choose Security key.

Adding a new FIDO2 security key as an end user


Select the type of security key you want to use: a USB or NFC device.

Choose the type of FIDO2 security key


You will be prompted to continue the security key setup. The next step is to touch the security key, which proves the user's physical presence at the key.

Touch the security key to prove presence


Create a PIN to associate with the security key and verify the PIN.

Create and re-enter a PIN for setting up the security key

Next, you will be prompted to name the security key.

Name the security key


The configuration of the new FIDO2 security key should now complete successfully.

The setup of the FIDO2 security key completes successfully


Final notes

Passwordless authentication is a great way to bolster authentication security. Azure Active Directory provides multiple passwordless authentication types, including FIDO2 security keys.


The FIDO2 security key provides strong public–private key authentication that combines something you possess with something you know/are. As shown, it is relatively easy to enable the FIDO2 authentication method in Azure Active Directory, and the process of enrolling from the user's perspective is straightforward.

1 Comment
  1. James Cook 8 months ago

    Thanks, great article. Unless I'm missing something, there seems to be a gap with Azure AD where you can't actually remove the user's password completely and go fully passwordless? The password is still there and available for use?


© 4sysops 2006 - 2023
