1) Google stated the following in their blog post:
"To sign into a website on your computer, you’ll just need your phone nearby and you’ll simply be prompted to unlock it for access."
I agree with the other poster that this needs to work without requiring a phone. I neither have nor want a smartphone, and people in secure facilities are not permitted to have a mobile phone on premises. Also, not all employees are given company phones, and employees should never use their own phones for work purposes as they can then be subpoenaed. Therefore, users should be able to use FIDO with whatever devices they choose, without a strict phone requirement, whether that be using multiple desktop computers or other non-phone hardware such as FIDO USB security keys, etc. The choice of hardware used to authenticate should be for the user to decide – not the people implementing it – with as many options as possible available to them to suit their own use case.
2) I would also like to know more details on the mechanisms in place to protect syncing between devices. With FIDO2, an attacker would need physical access to the machine to obtain the private key. If the private key is now being stored in the cloud, it would be useful to provide more details on what steps are taken to ensure this private key cannot be accessed by anyone else.
3) Details on what type of recovery mechanisms – that don't involve a phone – are in place would also be useful, for example if someone is travelling and the bag they are carrying – which contains both their phone and laptop – is lost or stolen. Presumably, the cloud account will still require a traditional non-FIDO recovery method, such as recovery codes, for this scenario (as Google, Microsoft and Samsung already allow recovery codes).
4) Other than that, it sounds good. The only issue I have experienced using FIDO U2F and FIDO2 over the years is that not very many websites support it. Hopefully this new "multi-device FIDO credential" (passkey) will gain greater adoption this time, as it's more flexible for the end user (being able to sync between devices) and also more flexible for the website (individual websites don't have to worry about account recovery if a user loses their YubiKey, as the problem is now passed higher up the chain to the passkey cloud provider).