Is everyone who is setting this up checking all the pre-reqs? (I know some aren't, because I see people posting about 1803.)
From the top of this page are pre-reqs: (https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key)
- Azure Multi-Factor Authentication
- Combined registration preview with users enabled for SSPR
- FIDO2 security key preview requires compatible FIDO2 security keys
- WebAuthN requires Microsoft Edge on Windows 10 version 1809 or higher
- FIDO2 based Windows sign in requires Azure AD joined Windows 10 version 1809 or higher
Also scroll down to the list of supported FIDO2 keys. NO, not U2F.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-keys
Also don't forget to enable the preview combined registration page support (which is also as of today still in preview):
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-registration-mfa-sspr-combined
Side implication: you must be willing to have self-service password reset enabled on the tenant, and then enable the preview.
I have this working with a K27 from Feitian, but I had to first wait for the preview combined registration process to show up for users.
Note: I do not know if, even in a cloud-only Azure AD, this is supposed to work yet if you use the self-hosted Microsoft MFA server. I would think that wouldn't occur until Hybrid support is available. So for those of you who have had MFA since BPOS days, you might have some oddities.
I am hoping to test some other keys in the next month or so (the eWBM fingerprint keys and the Feitian K33 multikey are what I am hoping to get next).
Security Questions:
- Has anyone on the red-team security side looked at extracting fingerprint data from a key, either when it is inserted into a compromised device or if the user "lost" it?
- And can Windows Security and/or Windows Defender ATP detect and alert on the insertion of a broken/compromised FIDO2 key?
I.e. does inserting the wrong FIDO2 key count as a bad password attempt?
Preview feature I am hoping comes next (even before Hybrid 😞):
- Handling the scenario where a user reports a security key is lost.
-Neil
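For the device-side items in the checklist above (Windows 10 1809 or higher, Azure AD joined, not hybrid), here is an added PowerShell check that is not part of the original post. It assumes that Windows 10 version 1809 corresponds to build 17763 and that `dsregcmd /status` prints `AzureAdJoined : YES` / `DomainJoined : NO` lines on a cloud-only Azure AD joined device.

```powershell
# Added example (not from the original post): device-side prerequisite check
# for FIDO2 security key sign-in to Windows 10.
# Assumption: Windows 10 version 1809 == build 17763.
$MinBuild = 17763

$os        = Get-CimInstance -ClassName Win32_OperatingSystem
$build     = [int]$os.BuildNumber
$releaseId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId

$results = [ordered]@{}
$results['Windows 10 build >= 17763 (version 1809)'] = ($build -ge $MinBuild)

# Assumption: dsregcmd /status reports join state as "AzureAdJoined : YES" and
# "DomainJoined : NO". A hybrid (domain + Azure AD) device fails the second check,
# matching the post's note that Hybrid support is not available yet.
$dsreg = dsregcmd /status
$results['Azure AD joined']          = [bool]($dsreg | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES' -Quiet)
$results['Not domain joined (cloud-only)'] = [bool]($dsreg | Select-String -Pattern '^\s*DomainJoined\s*:\s*NO' -Quiet)

Write-Host "Windows 10 release $releaseId, build $build"
foreach ($check in $results.GetEnumerator()) {
    $status = if ($check.Value) { 'PASS' } else { 'FAIL' }
    Write-Host ("[{0}] {1}" -f $status, $check.Key)
}
if ($results.Values -contains $false) {
    Write-Warning 'At least one device-side prerequisite for FIDO2 security key sign-in is not met.'
}
```

The tenant-side items (Azure MFA, the combined registration preview, SSPR enablement) are admin portal settings and are not checked by this script.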