Set FIDO2 minimum pin length in a hybrid environment

%3CLINGO-SUB%20id%3D%22lingo-sub-2605611%22%20slang%3D%22en-US%22%3ESet%20FIDO2%20minimum%20pin%20length%20in%20a%20hybrid%20environment%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2605611%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20there%2C%3CBR%20%2F%3E%3CBR%20%2F%3Ewe%20have%20just%20established%20a%20successful%20pilot%20for%20FIDO2%20security%20key%20usage%20with%20WHfB%20in%20a%20hybrid%20environment.%20The%20key%20which%20has%20been%20registered%20in%20Azure%20is%20able%20to%20authenticate%20the%20user%20on%20all%20cloud%20apps%20and%20at%20the%20Windows%2010%20login%20screen.%3CBR%20%2F%3E%3CBR%20%2F%3EFor%20Windows%20Hello%20for%20business%20we%20have%20used%20the%20Intune%20policy%20which%20requires%20a%20minimum%20PIN%20length%20of%20six%20signs%20(still%20default)%2C%20but%20for%20our%20FIDO2%20security%20key%20it%20is%20possible%20to%20generate%20a%204%20digit%20PIN.%20So%20it%20seems%20the%20WHfB%20policy%20does%20only%20affect%20the%20Windows%2010%20client%2C%20not%20the%20FIDO2%20key.%3CBR%20%2F%3E%3CBR%20%2F%3EIs%20it%20possible%20to%20enforce%20a%20policy%20which%20improves%20the%20security%20key%20requirements%3F%3CBR%20%2F%3E%3CBR%20%2F%3EKind%20regards%2C%3CBR%20%2F%3Ewoelki%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2678697%22%20slang%3D%22en-US%22%3ERe%3A%20Set%20FIDO2%20minimum%20pin%20length%20in%20a%20hybrid%20environment%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2678697%22%20slang%3D%22en-US%22%3EHi%2C%20we%20are%20also%20interested%20in%20any%20answers%20to%20this%20question.%3CBR%20%2F%3ERegards%2C%3CBR%20%2F%3EJames.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2793308%22%20slang%3D%22en-US%22%3ERe%3A%20Set%20FIDO2%20minimum%20pin%20length%20in%20a%20hybrid%20environment%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2793308%22%20slang%3D%22en-US%22%3E%3CP%3EAlso%20interested%20in%20the%20answer%20to%20this%20question%20for%20Azure%20AD%20passwordless%20security%20keys%3C%2FP%3E%3C%2FLINGO-BODY%3E
Frequent Contributor

Hi there,

we have just established a successful pilot for FIDO2 security key usage with WHfB in a hybrid environment. The key which has been registered in Azure is able to authenticate the user on all cloud apps and at the Windows 10 login screen.

For Windows Hello for business we have used the Intune policy which requires a minimum PIN length of six signs (still default), but for our FIDO2 security key it is possible to generate a 4 digit PIN. So it seems the WHfB policy does only affect the Windows 10 client, not the FIDO2 key.

Is it possible to enforce a policy which improves the security key requirements?

Kind regards,
woelki

5 Replies
Hi, we are also interested in any answers to this question.
Regards,
James.

Also interested in the answer to this question for Azure AD passwordless security keys

Oh and it would be nice to find out support for stuff like this too, these are regulatory requirements for some:
-Have no repeating digits (i.e., 112233)
-Prevent sequential patterns (i.e., 123456)
-Prevent PIN to match the Userid.
-Expiration
-Prevent new PIN from matching the previous (X) number of PINs

I can tell you something about what I have found ou in the meantime. I had a chat with some 3rd party manufacturers and it looks like the minimum PIN lenght or complexity depends on the FIDO sticks themselves. Unfortunately you cannot manage this with Microsoft builtin management tools.

In most cases the standard FIDO sticks from all manufacturers are not able to do this, but the more expensive sticks with FIPS industry standard will let you change your PIN requirements.
Can you be more specific?
Please name some examples of FIDO sticks that let you change PIN requirements and what is the process to actually change the PIN requirements?
So, are you saying even these "more expensive sticks" don't have any kind of complex PIN requirement (blocking PINs like 1234 etc.) enabled out of the box by default?