FIDO2 as MFA token


Is it or will it be possible to use a FIDO2 key as an MFA token? (instead of passwordless sign-in)

Thanks!

Sorry if my question wasn't clear enough. I know FIDO can be used for passwordless log on, but can it be used as an MFA token (instead of an authenticator app or SMS)?
Hi, perhaps some misunderstanding between us. Anyway, see this article.

https://www.rebeladmin.com/2020/03/step-step-guide-azure-ad-password-less-sign-using-fido2-security-...
Bart, if you purchase a key such as Yubikey 5 that supports OTP, then the user can retrieve an OTP code from the device using Yubi Authenticator desktop app. That would only be needed for apps/browsers that don't support WebauthN protocol such as IE. I don't understand why you would want to get the OTP code otherwise, using passwordless auth is much simpler and more secure. It satisfies the MFA requirement, so the user doesn't get prompted for MFA when using FIDO2.
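The reply above says a FIDO2 sign-in "satisfies the MFA requirement". The reason is visible in the assertion itself: the WebAuthn authenticatorData carries a flags byte in which UP (user present, the key was touched) proves possession and UV (user verified) proves the PIN or biometric was checked on the authenticator, so a UV assertion is two factors from one device. The following is an added example, not code from this thread or from Microsoft, showing how a relying party would parse that structure and classify an assertion; it also includes the sign-counter regression check from the WebAuthn spec, which goes slightly beyond what the thread discusses. The RP ID `login.example.com`, the `make_auth_data` helper and all byte strings are constructed for illustration, and signature verification over authenticatorData is assumed to happen elsewhere.

```python
import hashlib
import struct

# Flag bits in the WebAuthn authenticatorData "flags" byte (WebAuthn spec, section 6.1).
FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: PIN or biometric was checked on the authenticator
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build a constructed (not captured) authenticatorData blob for testing.

    Layout: rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes, big-endian).
    """
    rp_id_hash = hashlib.sha256(rp_id.encode("utf-8")).digest()
    return rp_id_hash + bytes([flags & 0xFF]) + struct.pack(">I", sign_count)


def parse_auth_data(data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticatorData into its fields."""
    if len(data) < 37:
        raise ValueError("authenticatorData must be at least 37 bytes")
    flags = data[32]
    return {
        "rp_id_hash": data[:32],
        "flags": flags,
        "sign_count": struct.unpack(">I", data[33:37])[0],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
    }


def classify_assertion(data: bytes, expected_rp_id: str, last_sign_count: int = 0) -> str:
    """Decide how a relying party should treat an assertion's authenticatorData.

    Returns one of:
      "rejected"      - wrong RP ID hash, no user presence, or a sign counter that
                        did not advance (possible cloned authenticator)
      "single-factor" - the key was touched but no PIN/biometric was checked
                        (possession only)
      "multi-factor"  - touch plus user verification (possession + knowledge or
                        inherence), which is why a UV assertion satisfies MFA
    Verifying the signature over authenticatorData || SHA-256(clientDataJSON) is
    assumed to happen separately and is not shown here.
    """
    fields = parse_auth_data(data)
    if fields["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode("utf-8")).digest():
        return "rejected"
    if not fields["user_present"]:
        return "rejected"
    # Counter rule from the spec: if either counter is non-zero, the new value must be
    # strictly greater than the stored one; otherwise treat it as a possible clone.
    if (fields["sign_count"] != 0 or last_sign_count != 0) and fields["sign_count"] <= last_sign_count:
        return "rejected"
    return "multi-factor" if fields["user_verified"] else "single-factor"


if __name__ == "__main__":
    rp = "login.example.com"  # placeholder RP ID, not a real tenant
    for label, flags in (("touch only", FLAG_UP), ("touch + PIN", FLAG_UP | FLAG_UV)):
        blob = make_auth_data(rp, flags, sign_count=5)
        print(f"{label}: {classify_assertion(blob, rp, last_sign_count=4)}")
```

A relying party that wants a security key to count as MFA therefore requests `userVerification: "required"` and rejects assertions without the UV bit; a touch-only assertion is possession alone, which is the single-factor case the OTP fallback in the reply above would also give you.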
Hi Bart

Currently there isn't a way to set up FIDO2 as MFA only. It also replaces your password.
Yeah, as noted above I had some question marks about the topic and only posted a link to the preview and a link on how to configure it step-by-step. The very fundamental is the passwordless Multi-Factor Authentication itself, so to speak.

Anyway, I believe this sums it up very well.

“Passwordless authentication is a form of multi-factor authentication (MFA) that replaces passwords with two or more verification factors secured and encrypted on a user’s device, such as a fingerprint, facial recognition, a device pin, or a cryptographic key.”

@A-Zure

> I don't understand why you would want to get the OTP code otherwise, using passwordless auth is much simpler and more secure.

True, but we are facing some limitations where a security key with PIN would be an easy to use MFA token:

1. In some auth flows we don't see the option to use a security key to log on. (e.g. if you do a Connect-AzureAD you can use a GitHub account, but you don't get an option to sign in using a security key.)

2. We want our users to register for MFA. Those without a smartphone would be offered a YubiKey. But apparently you can't register a security key unless you register another MFA method (authenticator/phone/email) first.

Bart

Hi, can’t say anything about no. 1 as it’s very brief. I’m sure you’ve checked the prerequisites. 2. Yep.

But as it’s a preview they really want to hear from you :) https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-password...
Hello Bart, my apologies for not fully understanding your question recently. Too much going on, to be honest. To answer your question though... it is planned.

“Azure AD now supports FIDO2 security keys in public preview. We’re working on allowing them to be used as a second factor as well (today they are used only first in sequence, but they satisfy MFA).”