Lately I got the opportunity to test the latest Identity Authentication method with Azure AD. None other than the Passwordless Authentication. I will post few related articles on FIDO2 and what it does rather than re-explaining what has already well explained by the FIDO Alliance and Microsoft.
The good thing is passwordless methods can be activated on top of the standard Azure MFA methods (Authenticator and/or phone SMS).
More on FIDO alliance and how Microsoft uses this technology in Azure AD
How to go passwordless with FIDO2 supported device?
Below is a FIDO2 USB key from Yubico
Device: YubiKey Series 5 NFC
Passwordless Authentication Flow
Before the steps on how to setup passwordless authentication, I would like to explain the authentication flow. Before the steps on how to setup passwordless authentication, I would like to explain the authentication flow
- The user plugs the FIDO2 security key into their computer.
- Windows detects the FIDO2 security key.
- Windows sends an authentication request.
- Azure AD sends back a nonce.
- The user completes their gesture to unlock the private key stored in the FIDO2 security key’s secure enclave.
- The FIDO2 security key signs the nonce with the private key.
- The primary refresh token (PRT) token request with signed nonce is sent to Azure AD.
- Azure AD verifies the signed nonce using the FIDO2 public key.
- Azure AD returns PRT to enable access to on-premises resources.
source: FIDO2 Security Keys
Azure AD Portal Configuration
Log in to the Azure AD portal and go to Azure Active Directory > Security
Select Authentication Methods under Manage and select FIDO2 Security Key (preview) option
Enable the option and add all users or a single user or a group
Allow Self-Service setup: Get the user to setup their own pin during the device initiliase setup
Enforce attestation: This will be used to check if the certificate is legitimate during the enrollment process
Enforce key restrictions: If Yes, that will give you the option to block some keys
Save the settings and exit the page.
Login to My Account (microsoft.com)
Click Update Info in Security Info box
The user will see all the previously added options here. Phone can be added only once, but you can add more than 1 Security key or Authenticator App
Click on Add Method > Select Security Key > Add
Select the Security Key type. I will be selecting the USB Device option
Clear instructions will be provided on how to continue with the next steps. Hit Next
Once you press Next, you will be redirected to the next step. Press OK
More information will beprovded as below
Press OK for this message and it will ask you to insert the USB key now
Once inserted, it will ask you to set the securty PIN. This will be the key combo that works with this perticular key going forward.
Why a PIN number? This is the PIN number that’s associated with this security key. In other words, its a PIN + Touch combo. If someone steals the USB key and knew the UPN, they still can’t get in because it needs the PIN to complete the authentication.
What if the user’s password is compromised? The standard is you must switch on MFA for user accounts. In this way even if the device is lost or the password is compromised, there is always another way to stop the attacker to come in.
To continue the setup, touch the USB key
As the last step it will ask you to name the key
And the completion notice
An Azure AD GUID will be created for this device
Admins can view the Key info from the user’s Authentication Methods in the Users blade in Azure AD
Login to Office.com from any device. I use this address because it’s the one
Enter the email address > This will identify the tenant and the specific Security Features enabled for that account and will show the option to “Sign in with a security key“
Once clicked, it will be redirected the below page and also will be prompted to insert the device
User will be prompted to enter the PIN setup in the device setup process
Once entered, the authentication flow will continue and will be prompted the user to touch the USB key
That is all and the user will be prompted to login.
Going passwordless is the future. Yes there are few steps to get into that state in an Office 365 account. Also you still have to use the password in case you have to fall back to a different method, but that is not getting used and it’s safe guarded by Multi Factor auth.
It would be nice if the IT Administrator can provision these devices as a bulk before sending it to the user. Looks like that feature is on the way so I’m hopeful.