jameswonderguy
By design you will have to have at least 2 methods for Microsoft MFA. That is with SMS, email, or telling your users to install Microsoft Authenticator on a personal device (or providing a device with it). There is currently no way to just use FIDO2 tokens by themselves at this time, as the registration system for Microsoft MFA has no way to do this currently. They will have to do that, but you don't have to require them to use it other than for registration; then they can set up their FIDO2 token themselves, as admins cannot do this yet. Once the FIDO2 token is set up they do not have to use the other MFA method at all, unless they are replacing their token or are doing a password reset, as that requires a minimum of 2 methods.

I have seen this question asked hundreds of times, and I hate to say it, but in today's time MFA is almost always required in everyone's personal life for almost every day-to-day task, i.e. paying bills, accessing bank accounts, even entertainment such as Netflix and video games require MFA now. Since it is considered a requirement in today's time for almost everything now, companies have told employees, "If you cannot do this then you can't work for us," even with personal devices. MFA is not MDM: you are not managing the user's personal device and do not have the ability to see or do anything to their device; it just becomes an MFA token, just like the ones they use for other personal use like bank, bill, or other system access in their everyday life. In today's time this is pretty much a job requirement when accessing computers for work or even school, as even schools require it for students now.
For your other question, FIDO2 tokens work perfectly fine on shared devices. The difference is that while FIDO2 tokens are still Windows Hello, the secret is stored on the token, whereas with Windows Hello using the TPM/biometrics of the built-in device there is a limit to how many profiles can be stored on a single device TPM. FIDO2 tokens and Windows Hello do not have this limit, as no secrets are stored in the device itself; they are stored on the token. Biometrics/PIN using the TPM chip of the shared desktop has a limit to how many users can use the device through those methods, but tokens do not have this limitation.
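The post above makes two operational points worth checking in your own tenant: FIDO2 registration has to happen after some other method is registered, and a user with only a security key gets stuck at password reset or when re-registering a replacement key. As an added example (not part of the original post, and not Microsoft's own tooling), the Microsoft Graph PowerShell script below lists every enabled user's registered authentication methods and flags the FIDO2-only accounts. It assumes the Microsoft.Graph SDK is installed, that the signed-in admin can consent to the listed scopes, and that the methods in `$FallbackTypes` are the ones your authentication methods policy actually allows; adjust that list to match your tenant.

```powershell
# Added example: audit FIDO2 registration and fallback-method coverage in Entra ID.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the caller can consent
# to User.Read.All and UserAuthenticationMethod.Read.All.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

# Graph returns each registered method with an @odata.type that names the concrete method.
$Fido2Type    = '#microsoft.graph.fido2AuthenticationMethod'
$PasswordType = '#microsoft.graph.passwordAuthenticationMethod'

# Methods that count as a "second" method for SSPR or for re-registering a replacement key.
# Assumption: these are the ones enabled in your authentication methods policy.
$FallbackTypes = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod',
    '#microsoft.graph.emailAuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod'
)

$report = foreach ($user in Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled) {
    if (-not $user.AccountEnabled) { continue }

    # The SDK surfaces the method subtype in AdditionalProperties['@odata.type'].
    $types = @(Get-MgUserAuthenticationMethod -UserId $user.Id |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] })

    $hasFido2    = $types -contains $Fido2Type
    $fallbacks   = @($types | Where-Object { $FallbackTypes -contains $_ })
    $nonPassword = @($types | Where-Object { $_ -ne $PasswordType })

    # A FIDO2-only user signs in fine day to day but has no second method for
    # password reset or for registering a replacement key.
    $status = if ($hasFido2 -and $fallbacks.Count -ge 1) { 'FIDO2 + fallback' }
              elseif ($hasFido2)                         { 'FIDO2 only (no fallback for SSPR)' }
              elseif ($nonPassword.Count -ge 1)          { 'No FIDO2 yet' }
              else                                       { 'Password only' }

    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        HasFido2          = $hasFido2
        FallbackMethods   = ($fallbacks | ForEach-Object { $_ -replace '^#microsoft\.graph\.', '' }) -join ','
        Status            = $status
    }
}

# Surface the problem accounts first; pipe to Export-Csv for a ticket or review.
$report | Sort-Object Status, UserPrincipalName | Format-Table -AutoSize
```

Run it as a user holding a read-only role such as Global Reader; the two scopes are enough to enumerate methods but not to change them. The "FIDO2 only" rows are the accounts the post warns about: they can log in today, but the next password reset or lost key turns into a helpdesk call.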