Passwordless Authentication With FEITIAN BioPass FIDO2 Security Key K49

FEITIAN Technologies recently reached out to me via LinkedIn to ask if I would review one of their latest passwordless key products – the K49. This is not a paid review and only contains my independent opinion as a technologist and an avid Identity and Access Management enthusiast. I’m a big fan of going passwordless and of FIDO2 technology, so I thought this would be a great opportunity to test and review the product and to try the Azure AD and Endpoint Manager side of things at the same time. This is my honest opinion about the product, and I hope it helps you get educated and learn more about what going passwordless means.

FIDO – Fast IDentity Online

FIDO2 security keys are an unphishable standards-based passwordless authentication method that can come in any form factor. Fast Identity Online (FIDO) is an open standard for passwordless authentication. FIDO allows users and organizations to leverage the standard to sign in to their resources without a username or password using an external security key or a platform key built into a device.


FIDO Authentication and How FIDO Works

Table of Contents

  1. FEITIAN Products
    1. Product Information
  2. First Impressions
  3. Passwordless Authentication Flow
  4. What will I be testing?
  5. Azure AD Setup for FIDO2 Security Key enablement
    1. User Experience – Security Key Provisioning
    2. User Experience – Using Passwordless in the M365 account on Web Browser
  6. Endpoint Manager Setup
    1. User Experience
  7. Final Thoughts

FEITIAN Products

Their store can be checked here: https://shop.ftsafe.us/pages/microsoft

Standard Product Offerings: Biometric ✅, USB ✅, NFC ✅, BLE ✅, FIPS Certified ✅

Product Information

Product Brand: FEITIAN
Product model: BioPass K45 [USB C]
Technology: FIDO2/ Passwordless

FEITIAN BioPass K45 [USB C]

First Impressions

  • A FIDO2 device. This is a huge win, as this is the latest passwordless tech used in the industry at the moment
  • I really liked the size of the device, as it can easily be added to your key ring, and it looks very durable.
  • Fingerprint scanning and identification was quick and didn’t have any hiccups during the process
  • This device does not come with NFC, and I was a bit upset about that

Passwordless Authentication Flow

Before the steps on how to set up passwordless authentication, I would like to explain the authentication flow. The diagram and steps below are from this Microsoft Doc

  1. The user plugs the FIDO2 security key into their computer
  2. Windows detects the FIDO2 security key
  3. Windows sends an authentication request
  4. Azure AD sends back a nonce
  5. The user completes their gesture to unlock the private key stored in the FIDO2 security key’s secure enclave
  6. The FIDO2 security key signs the nonce with the private key
  7. The primary refresh token (PRT) token request with signed nonce is sent to Azure AD
  8. Azure AD verifies the signed nonce using the FIDO2 public key
  9. Azure AD returns PRT to enable access to on-premises resources

What will I be testing?

As I’ve mentioned before, there have been a lot of good developments happening in the Identity and Access Management landscape. The main reason is that identity has become the most valuable entity to protect; if it is breached, it becomes really easy for a bad actor to get to the data they want.

And as you may know, passwords are becoming more and more vulnerable to attacks, so other authentication methods are being introduced: Multifactor Authentication, Passwordless Authentication, etc.

Microsoft is a pioneer in introducing passwordless authentication for Microsoft Accounts as well as Work or School Accounts.

The tests I have done are for Work or School accounts, using Azure AD as well as Endpoint Manager policies to enforce it.

Azure AD Setup for FIDO2 Security Key enablement

Log in to Azure AD > Azure Active Directory > Security > Authentication methods > Policies > FIDO2 Security Key

Configure the settings as below

In the section below you have two options. You can either select All users, select the user group to which you plan to provide this feature, or add individual users

And press Save to complete the registration

Provisioning the security key is a user-driven process and is not enforced. A user who is already using a password and multi-factor authentication can use those to get into the My Security Info page and configure the key.

For a first-time user of M365 services, you can enable TAP – Temporary Access Pass, so the user can get into the portal using the TAP and configure passwordless.

How to enable TAP? Please read the article below

User Experience – Security Key Provisioning

Log in to My Account (microsoft.com)

Click Update Info in Security Info box

The user will see all the previously added options here. A phone can be added only once, but you can add more than one security key or Authenticator app

Click on Add Method > Select Security Key > Add

Select the Security Key type. I will be selecting the USB Device option

Clear instructions will be provided on how to continue with the next steps. Hit Next

Once you press Next, you will be redirected to the next step. Press OK

More information will be provided as below

Press OK for this message and it will ask you to insert the USB key now

Once inserted, it will ask you to set the security PIN. This will be the PIN that works with this particular key going forward.

Why a PIN? This is the PIN that’s associated with this security key. In other words, it’s a PIN + touch combo. If someone steals the USB key and knows the UPN, they still can’t get in, because the PIN is needed to complete the authentication.

What if the user’s password is compromised? The standard is that you must switch on MFA for user accounts. This way, even if the device is lost or the password is compromised, there is always another factor standing between the attacker and the account.

To continue the setup, touch the USB key

As the last step it will ask you to name the key

And the completion notice

And once it’s done, get the user to change the Default Sign-in method to Authentication app or Hardware token – code

Check Authentication Methods against the user in Azure AD and you can see below

User Experience – Using Passwordless in the M365 account on Web Browser

Press Next

Edge Browser will prompt below. Select External security key or built-in-sensor

This is where you scan your fingerprint for biometric verification

Once the biometric is verified, you are in, with no password prompts!

A privileged admin is able to remove the key, or block it in Azure AD, if the key gets lost for some reason.

Endpoint Manager Setup

Earlier we checked how passwordless works with the browser. In one word: sleek! Next is how you can use the security key to log in to the computer as part of Windows Hello, so the user does not have to enter a password.

The Windows device should be Azure AD Joined or Hybrid Azure AD Joined

Endpoint Manager setup > Devices > Configuration Profiles > Create Profile > Create from template > Template: Identity Protection

Since we are not looking at Windows Hello features here and are only enabling the security key, enable the option as below

Once done, set the assignment. I’m targeting a device group, so the devices are ready once the policy is synced, and if the user is equipped with a key they can use it to log in.

User Experience

When the user has pre-provisioned the security key, it’s just a matter of verifying the fingerprint to get in.

Final Thoughts

Going passwordless is always the better choice in this day and age, as more and more password-based attacks are taking place every day. I see this method as a fool-proof way to get authenticated because of the secure methods used by Azure AD. The path to passwordless should not be a taxing journey, and I’m glad to see companies like FEITIAN making it easier for everyone by introducing modern products like this.