Use FIDO2 key with AAD
It is strongly recommended to use an MFA solution to secure authentication in Azure AD. However, MFA still requires a password plus a second factor (phone, mobile phone or mobile application). Microsoft recommends moving away from passwords entirely.
I wrote a post a month ago about Azure AD passwordless sign-in (click here for access to the post).
This post shows how to use a FIDO2 key to authenticate users: with such a key, the user can sign in without typing a password. FIDO2 keys can be purchased from several suppliers:
- Yubico : https://www.yubico.com
- Feitian : https://www.ftsafe.com/
- Ensurity : https://www.ensurity.com/
- eWBM : https://www.ewbm.com/
- AuthenTrend : https://authentrend.com/
Requirements
To implement Azure AD authentication using FIDO2, the following requirements must be met:
- Azure Multi-Factor Authentication
- Combined security information registration preview
- Compatible FIDO2 security keys
- Windows 10 version 1809 or higher
Enable the combined registration experience
From the Azure portal, open the Azure Active Directory blade and click on User settings.
Click on Manage user feature preview settings.
Select the users who can use the preview features to register and manage their security information. I have chosen to limit the functionality to members of a security group, but it is possible to enable it for everyone.
Enable FIDO2 security key method
From the Azure Active Directory portal, click on Security, then on Authentication methods.
Click on FIDO2 Security Key.
Enable the method and select the Target (the users or group allowed to use it). Configure the other parameters if you want, then click on Save.
Microsoft Authenticator passwordless sign-in must also be enabled. You can limit it to a user group or enable it for all users.
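The settings chosen in this section can be verified outside the portal. The script below is an added example, not part of the original post: it audits the FIDO2 authentication method policy as returned by Microsoft Graph (GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2) and reports settings that deviate from the setup described above. The bearer token and the Policy.Read.All scope are assumptions, and SAMPLE_POLICY is constructed data, not a real tenant's policy.

```python
"""Audit the Azure AD FIDO2 authentication method policy (added example)."""
import json
import urllib.request

GRAPH_FIDO2_POLICY = ("https://graph.microsoft.com/v1.0/policies/"
                      "authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2")


def fetch_fido2_policy(access_token: str) -> dict:
    """Fetch the live policy. Assumes a Graph token carrying Policy.Read.All."""
    req = urllib.request.Request(
        GRAPH_FIDO2_POLICY, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def audit_fido2_policy(policy: dict) -> list:
    """Return findings as strings; an empty list means the policy matches the post."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("FIDO2 method is disabled: users cannot register or sign in with keys")
    if not policy.get("isSelfServiceRegistrationEnabled", False):
        findings.append("self-service registration is off: users cannot add a key themselves")
    if not policy.get("isAttestationEnforced", False):
        findings.append("attestation is not enforced: key models are not verified at registration")
    targets = policy.get("includeTargets") or []
    if not targets:
        findings.append("no include targets: the method is enabled but scoped to nobody")
    for target in targets:
        # "all_users" is the id Graph uses when the Target is set to all users.
        if target.get("targetType") == "group" and target.get("id") == "all_users":
            findings.append("scoped to all_users: pilot with a security group first")
    restrictions = policy.get("keyRestrictions") or {}
    if (restrictions.get("isEnforced") and restrictions.get("enforcementType") == "allow"
            and not restrictions.get("aaGuids")):
        findings.append("empty AAGUID allow list is enforced: every key will be rejected")
    return findings


# Constructed sample: enabled for everyone, attestation left off (two findings expected).
SAMPLE_POLICY = {
    "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
    "id": "Fido2",
    "state": "enabled",
    "isSelfServiceRegistrationEnabled": True,
    "isAttestationEnforced": False,
    "keyRestrictions": {"isEnforced": False, "enforcementType": "block", "aaGuids": []},
    "includeTargets": [{"targetType": "group", "id": "all_users", "isRegistrationRequired": False}],
}

if __name__ == "__main__":
    for finding in audit_fido2_policy(SAMPLE_POLICY):
        print("-", finding)
```

Replace SAMPLE_POLICY with the output of fetch_fido2_policy(token) to audit a real tenant.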
User registration of FIDO2 security keys
Open a browser and go to the following URL, then log in with the user account.
https://myprofile.microsoft.com
Click on Update Info under Security Info. If MFA is not configured, you need to configure MFA for the user first.
Click on Add Method and select Security Key.
A message appears saying that you need to sign in with two-factor authentication. Click on Next.
Choose the type of security key. I chose USB device.
Insert your key into the computer and create a new PIN. Enter a name for the security key. Configuration is now finished.
Test authentication with FIDO2
In the browser, go to the following URL and click on Sign-in options.
https://myapps.microsoft.com
Select Sign in with Windows Hello or a security key.
Select Security key.
Insert the security key into the USB port and touch the key when prompted.
The user can now access the portal.