As FIDO for on-premises login currently sits, FIDO keys do not work reliably, but rather only when the Windows client has direct network connectivity to a domain controller in the organization. If the client cannot reach the domain controller, one single login works and after that FIDO login fails with the message "Sorry, try that again. There was an issue with the server." This was not the case before Microsoft's November 2021 Security updates were pushed out. Before then it was 100% reliable on-premises. This scenario is not acceptable as much of today's workforce is remote working. Here are two specific examples that highlight this flaw when true MFA is enforced / the password option is disabled:
1. You are remote working and lose Internet access for the day. You lock your computer to use the restroom, have breakfast, lunch, etc., or you walk away and it locks after 5 minutes per company policy. You can no longer use your computer again until you drive into the office and plug it into the LAN if your company does not support connecting to the VPN pre-login. If the company does support VPN pre-login, you have to wait until the Internet comes back up before you can log back in and essentially cannot use the computer.
2. You are on an 8-hour flight with no internet access. You lock your computer to use the restroom; when you return you can no longer use the device until you either return from your trip and get back to the office and plug into the network, or, if you are lucky and have the ability to connect to the VPN pre-login (this is not possible for many organizations as the VPN is user based and requires passing MFA and conditional access for SAML auth), you still cannot use the laptop for the rest of the flight. When you arrive at your hotel, if you have not connected to the wifi yet you cannot log in to connect and start the VPN. Just hope you have previously connected your laptop to your cell phone hotspot.
I am curious if anyone has been able to successfully implement enforcing FIDO2 for Windows login with password disabled for remote workers since Microsoft's November 2021 patch? I wonder if Windows Hello for Business Cloud Trust will be a solution for this problem?