cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Set FIDO2 minimum pin length in a hybrid environment

woelki
Iron Contributor

‎Aug 03 2021 09:08 AM

‎Aug 03 2021 09:08 AM

Set FIDO2 minimum pin length in a hybrid environment

Hi there,

we have just established a successful pilot for FIDO2 security key usage with WHfB in a hybrid environment. The key which has been registered in Azure is able to authenticate the user on all cloud apps and at the Windows 10 login screen.

For Windows Hello for business we have used the Intune policy which requires a minimum PIN length of six signs (still default), but for our FIDO2 security key it is possible to generate a 4 digit PIN. So it seems the WHfB policy does only affect the Windows 10 client, not the FIDO2 key.

Is it possible to enforce a policy which improves the security key requirements?

Kind regards,
woelki

4,243 Views
0 Likes
5 Replies
Reply
5 Replies
jsidwell

‎Aug 24 2021 04:04 AM

‎Aug 24 2021 04:04 AM

Re: Set FIDO2 minimum pin length in a hybrid environment

Hi, we are also interested in any answers to this question.
Regards,
James.
0 Likes
Reply
ForumUser

‎Sep 28 2021 02:22 PM - edited ‎Sep 28 2021 05:06 PM

‎Sep 28 2021 02:22 PM - edited ‎Sep 28 2021 05:06 PM

Re: Set FIDO2 minimum pin length in a hybrid environment

Also interested in the answer to this question for Azure AD passwordless security keys

0 Likes
Reply
ForumUser

‎Sep 28 2021 05:04 PM - edited ‎Sep 28 2021 05:05 PM

‎Sep 28 2021 05:04 PM - edited ‎Sep 28 2021 05:05 PM

Re: Set FIDO2 minimum pin length in a hybrid environment

Oh and it would be nice to find out support for stuff like this too, these are regulatory requirements for some:
-Have no repeating digits (i.e., 112233)
-Prevent sequential patterns (i.e., 123456)
-Prevent PIN to match the Userid.
-Expiration
-Prevent new PIN from matching the previous (X) number of PINs

0 Likes
Reply
woelki

‎Oct 19 2021 11:52 PM

‎Oct 19 2021 11:52 PM

Re: Set FIDO2 minimum pin length in a hybrid environment

I can tell you something about what I have found ou in the meantime. I had a chat with some 3rd party manufacturers and it looks like the minimum PIN lenght or complexity depends on the FIDO sticks themselves. Unfortunately you cannot manage this with Microsoft builtin management tools.

In most cases the standard FIDO sticks from all manufacturers are not able to do this, but the more expensive sticks with FIPS industry standard will let you change your PIN requirements.
0 Likes
Reply
Kalimanne J

‎Oct 29 2021 10:13 PM

‎Oct 29 2021 10:13 PM

Re: Set FIDO2 minimum pin length in a hybrid environment

Can you be more specific?
Please name some examples of FIDO sticks that let you change PIN requirements and what is the process to actually change the PIN requirements?
So, are you saying even these "more expensive sticks" don't have any kind of complex PIN requirement (blocking PINs like 1234 etc.) enabled out of the box by default?
0 Likes
Reply