Forum Discussion

AdityaMitra5102
Copper Contributor
Apr 10, 2024

Doubt about passwordless authentication

I have security keys enrolled for the users in my organization. Now I want them to sign in to an app with delegated access. They are able to open the app, it redirects to the Microsoft login page, there they choose to sign in with security keys, connect the key to the USB port, type the PIN of the security key, tap the key and it logs in.


I would want a method to be able to disable the user verification, since it is slowing down the login process. The app is not a sensitive app. I would like the users to be able to just insert the security key into the USB port and touch the key to be able to log in, instead of typing the PIN of the security key.


P.S. The users use Yubikey 5.

  • Entra ID or the Yubikey do not provide this pin. Windows requires a pin to be used for authentication with a FIDO2 key.
      AdityaMitra5102
      Copper Contributor

      JosvanderVaart Not really. When you are trying to authenticate to Entra ID, Entra ID creates something called publicKey options. The publicKey options contain three major fields, 'challenge', 'rpId', and 'userVerification'. The challenge is a random cryptographic challenge. The userVerification governs whether the PIN is required. userVerification can have any one of the three values 'required', 'preferred' or 'discouraged'. If it is 'required' or 'preferred', Windows asks for the PIN of the Yubikey. If it is 'discouraged', it doesn't. I tried to inspect the publicKey options created by Entra ID and it always contains UV set to 'required', which enforces the PIN. If there is a way for Entra ID to create the publicKey options with UV 'discouraged', it won't ask for the PIN. I am asking whether there is a way to configure that.


      (Reference: Web Authentication API from MDN docs)
