Today in this blog post, let us check out the Azure AD Passwordless sign-in with FIDO2 security key.
What’s the Buzz with Passwordless
Microsoft announced general availability of passwordless authentication in Azure AD at Ignite in March 2021, so in this blog post let us have a look at the different passwordless authentication offerings made available to users.
Microsoft's passwordless offerings with Azure AD give you three options that cover the different authentication scenarios (computer sign-in or web sign-in) and the different types of roles found in an organization, as shown below.
| Hardware Based | Software Based | Platform Based |
| --- | --- | --- |
| FIDO2 Security Keys | Phone Sign-in with Microsoft Authenticator app | Windows Hello for Business |
Previously, I have already talked about the benefits of going Passwordless and why this particular development in Identity and Access management has remained a top buzzword since 2019 in this blog post. Also, I have covered the phone sign-in method with the Microsoft Authenticator app in my last blog post. Do give them a read!
Requirements for Azure AD Passwordless sign-in with FIDO2 Security Key
To test and implement passwordless authentication in the environment, you must have
- a pilot group containing the users who will be testing the passwordless deployment,
- at minimum an Azure AD Premium P1 license assigned to the pilot users so that they can use MFA and SSPR, and
- pilot users who are already registered for Azure AD MFA before they start using passwordless authentication methods.
Further, at the tenant level you need to enable
- combined registration for Azure AD Multi-Factor Authentication and self-service password reset (SSPR).
All new tenants created on or after Aug 15, 2020 are provisioned with the combined registration experience already enabled.
For tenants provisioned before that date, navigate in the Azure AD portal to Security > Authentication methods; you should see the notification highlighted below.
Click on the notification and you will be taken to this screen. You can safely enable the “combined experience” for All Users.
Enable Passwordless authentication methods in Azure AD
In the Azure AD portal, Security > Authentication methods is the hub for controlling passwordless authentication method policies.
Here you will see, we have options for
- FIDO2 Security Key which is hardware-based
- Microsoft Authenticator which is software-based
- Text message (in preview), and finally
- Temporary Access Pass (in preview)
Temporary Access Pass (TAP) is a time-limited passcode that lets a user sign in to https://mysignins.microsoft.com/security-info without a password and register any of the strong authentication methods (including passwordless ones). It is especially useful in a fully passwordless environment for onboarding new users, or for existing users who need to register a new authentication method.
Do check out my posts on Azure AD Temporary Access Pass to know about it and how you can generate TAP using MS Graph API and Powershell for bulk action.
You won’t notice the Windows Hello option here as it is platform-specific and is controlled/configured from a different location.
Enable FIDO2 Security Key authentication method policy
From the list of passwordless authentication methods under Security > Authentication methods,
- Select the FIDO2 Security Key method,
- Set the policy to the Enabled state,
- Select the group that contains your pilot users,
- Under General, set both Allow self-service setup and Enforce attestation to Yes. With attestation enforced, registration succeeds only for keys whose attestation metadata is published to the FIDO Alliance Metadata Service and accepted by Microsoft, so a key with no published metadata will fail to register, and
- Click on Save. The authentication method is now enabled for the selected group of users.
Prevent users from registering certain security keys
There may be scenarios where an organization decides not to allow users to register and use FIDO2 security keys of a particular make/model.
Such scenarios are addressed by configuring the Key Restriction Policy when enabling the FIDO2 Security Key authentication method.
Under Key Restriction Policy,
- set Enforce key restrictions to Yes
- set Restrict specific keys to Allow or Block as required
  - when set to Block, users will not be able to register a security key whose AAGUID matches one of the admin-defined AAGUIDs.
  - when set to Allow, users will be able to register only security keys whose AAGUID matches one of the admin-defined AAGUIDs.
- click on Add AAGUID to specify the AAGUID(s) of the key model(s)
Once done, save the policy.
AAGUID (Authenticator Attestation GUID) is a 128-bit identifier that identifies the type (make and model) of an authenticator. It is the same for every unit of a given model that the vendor ships, and differs between models of the same vendor and between vendors; it never identifies an individual key. Note that some vendors assign one AAGUID to a whole product line: Yubico (the manufacturer of the YubiKey), for example, uses a single AAGUID for all YubiKey 5 Series keys of the same firmware generation regardless of form factor (USB-A, USB-C, NFC), while the Security Key Series, the Bio Series and the FIPS variants each carry their own. A Feitian ePass K9 security key will of course have a different AAGUID again.
Note also that the AAGUID is reported by the key itself inside the attestation object returned at registration, so a key restriction policy is only as reliable as the attestation behind it: keep Enforce attestation set to Yes whenever you rely on key restrictions.
I have seen only Yubico providing the complete list of AAGUIDs for all their security keys on their website. Ref: YubiKey Hardware FIDO2 AAGUIDs.
Want to block a particular make/model of security key but cannot find the AAGUID on the OEM website?
If you have a unit of the security key model you want to restrict or allow, you can read its AAGUID with the get_info.py example script that ships with the python-fido2 library (published by Yubico); it prints the CTAP2 authenticatorGetInfo response, which includes the AAGUID.
Another way is to register the key as a sign-in method; the AAGUID of the registered key can then be read from the portal.
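As an added example (not code from this post, from Microsoft or from Yubico), the following Python ties the two admin-side pieces above together: it builds the FIDO2 authentication method policy body, including the key restriction settings, in the shape of the Microsoft Graph fido2AuthenticationMethodConfiguration resource, and it extracts a key's AAGUID from the WebAuthn authenticator data a key returns at registration and evaluates it against an Allow or Block list with the semantics described above. The AAGUIDs, group ID, RP ID and credential ID are constructed placeholders, and the refusal to enforce key restrictions without attestation is this example's own safeguard, not a service rule.

```python
"""Parse the AAGUID out of WebAuthn authenticator data and evaluate it against an
Azure AD style FIDO2 key restriction policy. Added example; AAGUIDs, group ID and
credential ID below are constructed placeholders, not real vendor values."""
import hashlib
import struct
import uuid
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Authenticator data flag bits (WebAuthn "Authenticator Data" layout).
FLAG_UP = 0x01  # user present (touch)
FLAG_UV = 0x04  # user verified (PIN or biometric checked on the key)
FLAG_AT = 0x40  # attested credential data follows signCount

# Constructed placeholder AAGUIDs; real values come from the vendor's published
# list or from the key itself (e.g. python-fido2's get_info.py).
AAGUID_APPROVED_MODEL = uuid.UUID("11111111-2222-4333-8444-555555555555")
AAGUID_OTHER_MODEL = uuid.UUID("aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee")


def aaguid_from_auth_data(auth_data: bytes) -> Optional[uuid.UUID]:
    """Return the AAGUID carried in authenticator data, or None when the AT flag
    is clear (no attested credential data, e.g. an assertion, not a registration).
    Layout: rpIdHash(32) | flags(1) | signCount(4) |
            [aaguid(16) | credIdLen(2, big-endian) | credId | COSE key ...]"""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than fixed header")
    if not auth_data[32] & FLAG_AT:
        return None
    if len(auth_data) < 55:
        raise ValueError("attested credential data truncated")
    cred_id_len = struct.unpack(">H", auth_data[53:55])[0]
    if len(auth_data) < 55 + cred_id_len:
        raise ValueError("credential ID truncated")
    return uuid.UUID(bytes=auth_data[37:53])


@dataclass
class KeyRestrictions:
    """Mirror of the portal's Key Restriction Policy settings."""
    is_enforced: bool
    enforcement_type: str  # "allow" or "block"
    aaguids: List[uuid.UUID] = field(default_factory=list)


def registration_permitted(policy: KeyRestrictions, aaguid: Optional[uuid.UUID]) -> bool:
    """Allow/Block semantics. The AAGUID is asserted by the key inside its
    attestation object, so this check is only as trustworthy as the attestation
    that vouches for it; pair key restrictions with Enforce attestation = Yes."""
    if not policy.is_enforced:
        return True
    if aaguid is None:
        return False  # fail closed: nothing to evaluate against the list
    listed = aaguid in policy.aaguids
    if policy.enforcement_type == "allow":
        return listed
    if policy.enforcement_type == "block":
        return not listed
    raise ValueError(f"unknown enforcementType {policy.enforcement_type!r}")


def build_fido2_method_config(pilot_group_id: str, restrictions: KeyRestrictions,
                              enforce_attestation: bool = True,
                              allow_self_service: bool = True) -> Dict:
    """Body for PATCH /policies/authenticationMethodsPolicy/
    authenticationMethodConfigurations/fido2 in Microsoft Graph. Refusing
    restrictions without attestation is this example's own safeguard."""
    if restrictions.is_enforced and not enforce_attestation:
        raise ValueError("key restrictions are not trustworthy without attestation")
    return {
        "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
        "id": "Fido2",
        "state": "enabled",
        "isSelfServiceRegistrationAllowed": allow_self_service,
        "isAttestationEnforced": enforce_attestation,
        "keyRestrictions": {
            "isEnforced": restrictions.is_enforced,
            "enforcementType": restrictions.enforcement_type,
            "aaGuids": [str(g) for g in restrictions.aaguids],
        },
        "includeTargets": [
            {"targetType": "group", "id": pilot_group_id, "isRegistrationRequired": False}
        ],
    }


def make_sample_auth_data(aaguid: uuid.UUID, attested: bool = True) -> bytes:
    """Construct authenticator data like a key emits at registration (constructed
    sample; signature omitted, an empty CBOR map stands in for the COSE key)."""
    rp_id_hash = hashlib.sha256(b"login.microsoft.com").digest()  # sample RP ID
    flags = FLAG_UP | FLAG_UV | (FLAG_AT if attested else 0)
    data = rp_id_hash + bytes([flags]) + struct.pack(">I", 0)
    if attested:
        cred_id = b"\x42" * 16
        data += aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0"
    return data


if __name__ == "__main__":
    allow_only = KeyRestrictions(True, "allow", [AAGUID_APPROVED_MODEL])
    for model in (AAGUID_APPROVED_MODEL, AAGUID_OTHER_MODEL):
        seen = aaguid_from_auth_data(make_sample_auth_data(model))
        print(seen, "permitted" if registration_permitted(allow_only, seen) else "rejected")
    print(build_fido2_method_config("00000000-0000-0000-0000-000000000000", allow_only))
```

Running it shows the approved model being accepted and the other model rejected under an Allow list, followed by the JSON body you would send with Policy.ReadWrite.AuthenticationMethod permission; the same parser can be pointed at the attestationObject's authData field from a real registration response to learn a key's AAGUID without trusting a vendor list.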
Up to this point, the configuration items described above are the IT admin's responsibility.
What follows are the actions the end user takes to register for, and start using, the passwordless sign-in method.
Register FIDO2 Security Key via MySecurity Info
Users can register their FIDO2 security key at aka.ms/mysecurityinfo:
- Click on Add method
- Select Security Key using the drop-down and click on Add
- The setup wizard will prompt for a two-factor auth. Click on Next and complete the auth.
- The setup wizard will now prompt to choose the type of security key.
I am using a Yubico NFC security key; however, the laptop does not have an NFC receiver, so I will go with the USB device option.
- The setup wizard shows the process overview to setup the security key.
Plug in the security key to the USB port of the laptop and click on Next. This will redirect to a browser-based setup experience as shown below. The user is asked to create/enter a PIN for the security key, then perform the required gesture for the key, either biometric or touch.
Once done with the above, the user is returned to the original setup wizard and asked to provide a name for the key for identification purposes. This is important if the user has multiple security keys registered. Once done, click on Next.
At this point, the security key registration is complete and the key is ready for sign-in. Click on Done to close the wizard.
User can see their registered Security key under the available authentication method.
FIDO2 security key sign-in User Experience
When the user signs in to any of the M365 services, they can use the Sign-in with a security key option.
Note: Users can sign in with a FIDO2 security key to any M365 service from a web browser that supports the WebAuthn API. The supported browsers are MS Edge, Chrome, Firefox, and Safari.
Clicking on the same, the user would go through a sign-in experience as shown below.
If the key is not already plugged in, the user gets the prompt shown. Note that the prompt names the browser that is raising the sign-in request.
As the user plugs in the security key, the prompt asks the user to enter the PIN set for the key.
Once the user enters the PIN, the prompt asks the user to perform the required gesture for the key.
Once the user performs the gesture, the sign-in completes and the user is presented with the usual "Stay signed in?" prompt.
Whatever the user chooses, the sign-in is complete and the user gets access to the M365 service.
How the FIDO2 authentication works is documented here.
Wrap Up
Initially, it might seem daunting to configure passwordless sign-in, but once you understand all the configuration "bits" it is quite easy to manage. Passwordless sign-in also gives a better user experience and stronger security than traditional password-based authentication, even password plus 2FA: a FIDO2 credential is bound to the relying party's origin and the private key never leaves the security key, so there is nothing for a phishing page to capture or replay, which is not true of a password plus an OTP or push approval.
That’s all for today. Thanks for reading.