FIDO2 as MFA token

bart_vermeersch
Steel Contributor
Feb 12, 2021
Sorry if my question wasn't clear enough, I know FIDO can be used for passwordless log on, but can it be used as an MFA token (instead of an authenticator app or SMS).
- A-Zure
  Copper Contributor
  Feb 14, 2021
  Bart, if you purchase a key such as Yubikey 5 that supports OTP, then the user can retrieve an OTP code from the device using Yubi Authenticator desktop app. That would only be needed for apps/browsers that don't support WebauthN protocol such as IE. I don't understand why you would want to get the OTP code otherwise, using passwordless auth is much simpler and more secure. It satisfies the MFA requirement, so the user doesn't get prompted for MFA when using FIDO2.
  - bart_vermeersch
    Steel Contributor
    Feb 14, 2021
    A-Zure
    >> I don't understand why you would want to get the OTP code otherwise, using passwordless auth is much simpler and more secure.
    
    True, but we are facing some limitations where a security key with PIN would be an easy to use MFA token:
    
    1. In some auth flows we don't see the option to use a security key to log on. (eg If you do a Connect-AzureAD you can use a github account, but you don't get an option to sign in using a security key.)
    
    2. We want to our users to register for MFA. Those without a smartphone would be offered a yubikey. But apparently you can't register a security key unless you register another MFA method (authenticator/phone/email) first.
    
    Bart
- ChristianBergstrom
  Silver Contributor
  Feb 12, 2021
  Hi, perhaps some misunderstanding between us. Anyway, see this article.
  
  https://www.rebeladmin.com/2020/03/step-step-guide-azure-ad-password-less-sign-using-fido2-security-keys/

Forum Discussion

Share

Resources