Windows Hello FIDO2 certification gets you closer to passwordless

 عمل اكثر من رائع تطوير ويندوز 10 والوصول بدون كلمات مرور شكرا لكم فعلا

Yogesh Mehta we are looking at implementing the Yubikey 5 series and have two set up in test now.  I saw your ignite presentation about windows hello from 2017 but it seems like several of the features mentioned then don't work with the security keys.  The windows "components/windows hello for business/configure device unlock factors" in group policy does not seem to apply to security keys.  There doesn't seem to be a way to dynamic lock the computer when the security key is removed from the device.  And I don't see a way to discourage users from leaving the key plugged in to their primary device.

Mike-E That little horror story could have easily be prevented if the one would have secured his Google Account with FIDO U2F which is available since some years already now. Twitter now also supports FIDO U2F since a while, but their implementation is a bit lousy because they still only support the registration of only one security key, which could become an issue if that one gets lost or breaks.

Neil Goldstein 

You did read correctly.

The simple fact that shared secrets are used already makes them less secure, because like they are called already they are shared and saved on your side (Mobile, Tablet, Apps, Screenshots,..) and on the servers. This issues doesn't exist with FIDO U2F/FIDO2 because it's based on public-key cryptography and only the generated public keys are on the servers while the private keys never leaves the hardware.

And yeah I consider WinAuth a good solution to backup those shared secrets, because you can easily set it up to encrypt the database with a HMAC that it generates in a yubikey (Everything is automated and only needs some clicks) so that this yubikey then needs to be plugged in and also needs to be touched before you can generate codes and accessing the secret keys etc. So if someone steals the encrypted database, it's near useless. But it alternatively also supports password and/or encrypting it so that the database can only be decrypted on this specific machine. 

It also has some very convenient features like generating and showing a QR Matrix for each account you added to the database, so that you easily can add/scan it on other devices/apps if needed and of course exporting the whole database in various formats to back it up on a usbstick that you then as an example can put in a safe.

And of course it's also very convenient to have the codes ready to copy&paste without searching the mobile and reading them from screen and type them.

Which now also leads us to another security issue with those generated codes, they aren't phishing proof, because everything that a user needs to enter theoretically also can be phished. Just another issue that doesn't exists with FIDO U2F/FIDO2 because there the users don't need to enter anything and everything happens in the hardware.

I btw. also have a Feitian BiosPass2 K27 for FIDO2, it's a very good and convenient device.

Nirantali 

If I am reading your post correctly you cover two topics:

Security:

You indicated that the Microsoft Authenticator app is not necessarily very secure on a mobile device because.. (paraphrasing here) it isn't hardware secured and it is only as secure as the underlying mobile platform -- and if that platform is weak, or rooted/jailbroken then all bets are off.

You recommend hardware security using U2F (at a minimum?) physical keys, and if you need to use a softkey to use something like WinAuth which can be configured to leverage U2F hardware to unlock the "vault".

Backup of Softkeys:

But if you do use softkeys, all you need to do is either--

1. Screenshot / Archive the QR code or initialization screen
   or
2. Root the android device or even less effort on iPhone to get access to the Microsoft Authenticator database of shared-keys?

If I am reading your information correctly then the Microsoft-Authenticator or any non-hardware secured software tokens is... well not so secure. Scary.

Thank you for sharing and please let me know if my re-phrase/summary is incorrect.

(I am really hoping that I am misunderstanding you re:  Microsoft Authenticator)

JonasBack 

Jonas,

I have picked up the Feitian BiosPass2 K27 https://www.ftsafe.com/Products/FIDO2

----

Windows 10 Fido2 Key usage notes:

Disclaimer: I am NOT in the AzureAD Fido2 preview please don't assume that anything I am saying is correct for when AzureAD supports Fido2. (I hope not)

The out of the box experience with just Windows 10 1903 Pro/Enterprise has been as follows:

• BAD:  Windows 10 so far does not seem to support using Fido2 Key as part of the windows login process (i.e. <ctrl-alt-del> OR when a elevation of privilege's occurs [such as Run As Administrator])
• GOOD: WebAuthN with Edge and EdgeChromium-Dev-channel build is working for websites that support AuthN login. 

I really hope that AzureAD Fido2 can support the <ctrl-alt-del> login scenario even though Microsoft Accounts aren't doing so.

Yeah Nirantali that is valuable information, thank you.  I was not even aware about the QR codes as a lot of this is new to me (and others, it seems) so taking a screenshot didn't even cross my mind, neither did WinAuth which I was not aware of at all.  In fact, the whole obvious impact of backing up codes didn't take root (pun intended? 😆) until after I had all my codes entered and the QR codes were long gone.  In any case, your valuable insight is a little too late in my particular case, as I ended up going with Authy which allows you to backup and sync your codes.

I am in agreement with you however that this seems to be a painful leg towards FIDO2 which sounds very secure and legit.

Along such lines, a little horror story making the rounds today: https://www.zdnet.com/article/sim-swap-horror-story-ive-lost-decades-of-data-and-google-wont-lift-a-finger/ 

Glad to not see MSFT anywhere in there. 😁

Mike-E Migrating Authenticator codes eg. shared secrets is a bit irrelevant, because they are not different than passwords and something you know and not something you have like a hardware security key.

And so anyone can at least take screenshots of the QR Codes containing the shared secrets and save them in case the device where they was added gets lost or blows up (already happened to me with a Samsung S7). It's also easily possible to get the whole databases out of mobiles btw. And how easy it is to 'steal' varies from brand to brand and model to model. Like on the iPhones it's possible to get it without rooting the mobiles, while on androids it isn't possible without rooting the phone.

So my advise is to at least use and add them to multiple Authenticators, like on mobiles and on tablets and also to save a screenshot of the QR Matrix somewhere on a USB Stick that you can put into a safe in case you need to add it somewhere else.

The more secure alternative to simply saving screenshots which could easily be stolen, is to also add all shared secrets to WinAuth (Authenticator Tool that runs on Windows), because you can protect them with a Hardware Security Key there and the tool supports exporting the whole database and even is able to display the original QR on screen in case you need to scan it with a new mobile etc.

So even if it may hurt TOTP/HOTP solutions aren't 2FA at all, they are fake 2FA that don't provide any more security than a additional password. And the shared secrets can also be stolen from the servers or mobiles along with stored passwords. Of course you also can steal Hardware Security Keys, but the difference is they can only be stolen physically what you will notice, while the shared secrets of the TOTP/HOTP can easily be stolen without you knowing, just like passwords.

And so if companies want to provide 2FA they should simply support FIDO U2F and forget all those fake 2FA methods like EMAIL, SMS and App based TOTP/HOTP with shared secrets that can be stolen directly from the servers.

And it's nice that MS now supports FIDO U2F and FIDO2 but it's a bit useless if it intentionally only works with Edge, it should work with every browser that supports it and that are almost all now a day, because I don't want to be dependent of a specific browser. Further I don't want to also have less secure methods (EMAIL, SMS, APP) TOTP/HOTP, Phone or backup codes active that could be abused to downgrade security if I already have several FIDO U2F or FIDO2 Hardware Security Keys registered.

I currently own about 8 FIDO U2F Keys and about 4 FIDO2 Keys where one of them has a finger print sensor to secure the FIDO2 credentials. Unfortunately 99% of all sites and services still only supports fake TOTP/HOTP 2FA or even worse nothing at all. It also may be hard, but such companies somehow reminds me anti-vaxxers and if I would be an insurance company I wouldn't pay a cent in case of a incident if they not at least support FIDO U2F.

I’ve heard public preview is coming at least during 2019 - I hope so too.

Neil Goldstein Out of interest, which key do you have which also has fingerprint?