FEITIAN Technologies recently reached out to me via LinkedIn to ask if I could review one of their latest Passwordless key products – K49. This is not a paid review and only contains my independent opinion as a technologist as well as an avid Identity and Access Management enthusiast. I’m always a big fan of going Passwordless and of FIDO2 technology, so I thought this would be a great opportunity for me to test and review the product as well as try the Azure AD and Endpoint Manager side of things at the same time. This is my honest opinion about the product, and I hope it will be helpful for you to get educated as well as to know more about what going passwordless means.
FIDO – Fast IDentity Online
FIDO2 security keys are an unphishable standards-based passwordless authentication method that can come in any form factor. Fast Identity Online (FIDO) is an open standard for passwordless authentication. FIDO allows users and organizations to leverage the standard to sign in to their resources without a username or password using an external security key or a platform key built into a device.
FIDO Authentication and How FIDO Works
Table of Contents
- FEITIAN Products
- First Impressions
- Passwordless Authentication Flow
- What will I be testing?
- Azure AD Setup for FIDO2 Security Key enablement
- Endpoint Manager Setup
- Final Thoughts
Their store can be found here – https://shop.ftsafe.us/pages/microsoft
Standard Product Offerings: Biometric✅, USB✅, NFC✅, BLE✅, FIPS Certified✅
Product Brand: FEITIAN
Product model: BioPass K45 [USB C]
Technology: FIDO2/ Passwordless
- A FIDO2 device. This is a huge win, as this is the latest passwordless tech used in the industry at the moment
- I really liked the size of the device, as it can easily be added to your key tag, and it looks very durable.
- Fingerprint scanning and identification was quick and didn’t have any hiccups during the process
- This device does not come with NFC, and I was a bit upset about that
Passwordless Authentication Flow
Before the steps on how to set up passwordless authentication, I would like to explain the authentication flow. The diagram and the steps below are from this Microsoft Doc
- The user plugs the FIDO2 security key into their computer
- Windows detects the FIDO2 security key
- Windows sends an authentication request
- Azure AD sends back a nonce
- The user completes their gesture to unlock the private key stored in the FIDO2 security key’s secure enclave
- The FIDO2 security key signs the nonce with the private key
- The primary refresh token (PRT) request with the signed nonce is sent to Azure AD
- Azure AD verifies the signed nonce using the FIDO2 public key
- Azure AD returns PRT to enable access to on-premises resources
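Steps 4 to 8 of this flow in miniature, as an added example that is not part of the original post or of Microsoft's documentation: an authenticator that signs the nonce only after the user gesture, and a relying party that verifies the signature with the public key stored at registration and then consumes the nonce. The `Authenticator` and `RelyingParty` types, the P-256/ECDSA choice and the `gestureOK` flag are assumptions for illustration; the real WebAuthn/CTAP message formats and the PRT itself are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator stands in for the FIDO2 key; its private key never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }
// NewAuthenticator mimics registration: a fresh P-256 credential key pair.
func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv}, err
}
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign signs the nonce (step 6) only after the user gesture (step 5) succeeded.
func (a *Authenticator) Sign(nonce []byte, gestureOK bool) ([]byte, bool) {
	if !gestureOK {
		return nil, false // stolen key without PIN or fingerprint: no signature
	}
	d := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, d[:])
	return sig, err == nil
}

// RelyingParty stands in for Azure AD: one registered key, one pending nonce.
type RelyingParty struct {
	Pub   *ecdsa.PublicKey // all that is stored at registration
	nonce []byte           // single-use challenge, consumed by Verify
}

// Challenge issues a fresh 32-byte random nonce (step 4).
func (rp *RelyingParty) Challenge() ([]byte, error) {
	rp.nonce = make([]byte, 32)
	_, err := rand.Read(rp.nonce)
	return rp.nonce, err
}

// Verify checks the signature with the registered key (step 8) and consumes the nonce, so a captured signature cannot be replayed.
func (rp *RelyingParty) Verify(sig []byte) bool {
	if rp.Pub == nil || rp.nonce == nil {
		return false
	}
	d := sha256.Sum256(rp.nonce)
	rp.nonce = nil
	return ecdsa.VerifyASN1(rp.Pub, d[:], sig)
}
```

The same signature presented twice fails the second time, and a signature from a key that was never registered fails outright, which is what makes the flow unphishable and replay-resistant.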
What will I be testing?
As I’ve mentioned before, there have been a lot of good developments in the Identity and Access Management landscape. The main reason is that identity has become the most valuable entity to protect: if it is breached, it will be really easy for the bad actor to get to the data they need.
And as you may know, passwords are becoming more and more vulnerable to attacks, so other authentication methods are being introduced: Multifactor Authentication, Passwordless Authentication, etc.
Microsoft has been a pioneer in introducing passwordless authentication for Microsoft Accounts as well as Work or School Accounts.
The tests I have done are for Work or School accounts, using Azure AD as well as Endpoint Manager policies to enforce them.
Azure AD Setup for FIDO2 Security Key enablement
Log in to Azure AD > Azure Active Directory > Security > Authentication methods > Policies > FIDO2 Security Key
Configure the settings as below
In the section below you have 2 options: select All users, or select the user group (or the individual users) to whom you plan to provide this feature.
And press Save to complete the registration
Provisioning the security key is a user-driven process and is not enforced. A user who is already using a password and multi-factor authentication can use those to get into the My Security Info page and configure the key.
For a first-time user of M365 services, you can enable a TAP – Temporary Access Pass – so the user can get into the portal using the TAP and configure Passwordless.
How to enable TAP? Please read the article below
User Experience – Security Key Provisioning
Log in to My Account (microsoft.com)
Click Update Info in the Security Info box
The user will see all the previously added options here. A phone can be added only once, but you can add more than one Security Key or Authenticator App
Click on Add Method > Select Security Key > Add
Select the Security Key type. I will be selecting the USB Device option
Clear instructions will be provided on how to continue with the next steps. Hit Next
Once you press Next, you will be redirected to the next step. Press OK
More information will be provided as below
Press OK for this message and it will ask you to insert the USB key now
Once inserted, it will ask you to set the security PIN. This will be the key combo that works with this particular key going forward.
Why a PIN? This is the PIN associated with this security key. In other words, it’s a PIN + Touch combo. If someone steals the USB key and knows the UPN, they still can’t get in, because the PIN is needed to complete the authentication.
What if the user’s password is compromised? The standard is that you must switch on MFA for user accounts. That way, even if the device is lost or the password is compromised, there is always another factor to stop the attacker from getting in.
To continue the setup, touch the USB key
As the last step it will ask you to name the key
And the completion notice
And once it’s done, get the user to change the Default Sign-in method to Authentication app or Hardware token – code
Check the Authentication Methods for the user in Azure AD and you will see the key listed, as below
User Experience – Using Passwordless in the M365 account on Web Browser
Edge will show the prompt below. Select External security key or built-in sensor
This is where you need to scan for biometric verification
Once the biometric is verified, you are in, and no password prompts!
A privileged admin is able to remove the key, or block it in Azure AD, if the key gets lost for some reason.
Endpoint Manager Setup
What we checked earlier was how Passwordless works with the browser. In one word: sleek! Next is how you can use the security key to log in to the computer, as a part of Windows Hello, and so avoid entering the password.
The Windows device should be Azure AD joined or Hybrid Azure AD joined
Endpoint Manager setup > Devices > Configuration Profiles > Create Profile > Create from template > Template: Identity Protection
Since we are not looking at the Windows Hello features here and are only enabling the Security Key, enable the option as below
Once done, set the assignment. I’m assigning a device group, so the devices are ready once the policy is synced, and if the user is equipped with a key they can use it to log in.
When the user has pre-provisioned the security key, it’s just a matter of verifying the biometric to get in.
Going passwordless is always the better choice in this day and age, as more and more password-based attacks are taking place every day. I see this method as a fool-proof method to get authenticated because of the secure methods used by Azure AD. The path to passwordless should not be a taxing journey, and I’m glad to see companies like FEITIAN making it easier for everyone by introducing modern products like this.