Set FIDO2 minimum pin length in a hybrid environment

%3CLINGO-SUB%20id%3D%22lingo-sub-2605611%22%20slang%3D%22en-US%22%3ESet%20FIDO2%20minimum%20pin%20length%20in%20a%20hybrid%20environment%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2605611%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20there%2C%3CBR%20%2F%3E%3CBR%20%2F%3Ewe%20have%20just%20established%20a%20successful%20pilot%20for%20FIDO2%20security%20key%20usage%20with%20WHfB%20in%20a%20hybrid%20environment.%20The%20key%20which%20has%20been%20registered%20in%20Azure%20is%20able%20to%20authenticate%20the%20user%20on%20all%20cloud%20apps%20and%20at%20the%20Windows%2010%20login%20screen.%3CBR%20%2F%3E%3CBR%20%2F%3EFor%20Windows%20Hello%20for%20business%20we%20have%20used%20the%20Intune%20policy%20which%20requires%20a%20minimum%20PIN%20length%20of%20six%20signs%20(still%20default)%2C%20but%20for%20our%20FIDO2%20security%20key%20it%20is%20possible%20to%20generate%20a%204%20digit%20PIN.%20So%20it%20seems%20the%20WHfB%20policy%20does%20only%20affect%20the%20Windows%2010%20client%2C%20not%20the%20FIDO2%20key.%3CBR%20%2F%3E%3CBR%20%2F%3EIs%20it%20possible%20to%20enforce%20a%20policy%20which%20improves%20the%20security%20key%20requirements%3F%3CBR%20%2F%3E%3CBR%20%2F%3EKind%20regards%2C%3CBR%20%2F%3Ewoelki%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2678697%22%20slang%3D%22en-US%22%3ERe%3A%20Set%20FIDO2%20minimum%20pin%20length%20in%20a%20hybrid%20environment%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2678697%22%20slang%3D%22en-US%22%3EHi%2C%20we%20are%20also%20interested%20in%20any%20answers%20to%20this%20question.%3CBR%20%2F%3ERegards%2C%3CBR%20%2F%3EJames.%3C%2FLINGO-BODY%3E
Frequent Contributor

Hi there,

we have just established a successful pilot for FIDO2 security key usage with WHfB in a hybrid environment. The key which has been registered in Azure is able to authenticate the user on all cloud apps and at the Windows 10 login screen.

For Windows Hello for business we have used the Intune policy which requires a minimum PIN length of six signs (still default), but for our FIDO2 security key it is possible to generate a 4 digit PIN. So it seems the WHfB policy does only affect the Windows 10 client, not the FIDO2 key.

Is it possible to enforce a policy which improves the security key requirements?

Kind regards,
woelki

1 Reply
Hi, we are also interested in any answers to this question.
Regards,
James.