Azure Active Directory passwordless sign-in with FIDO2 Security Keys

Introduction

In my previous series, Lost in Azure Cloud Identity (you can find the first article here), I described how to secure applications with the Azure Active Directory and Azure Active Directory B2C identity services. In this article, I would like to present how to access the Tech Mind Factory Corporate Application using FIDO2 Security Keys. Thanks to FEITIAN I was able to receive two BioPass FIDO2 Security Keys for tests. I want to show how to set up these keys with Azure Active Directory to enable passwordless sign-in to the Tech Mind Factory Corporate Application. The source code of the application is available on my GitHub, and its configuration is described in this previous article.

FEITIAN BioPass FIDO2 Security Keys

For the tests I used the FEITIAN BioPass FIDO2 Security Key models K26 (USB-C) and K27 (USB-A). It is worth mentioning that FEITIAN is a member of the Microsoft Intelligent Security Association (MISA).

Configuration is straightforward so let me explain the steps.

Enable passwordless in the Azure Active Directory

To enable the FIDO2 passwordless authentication method, sign in to your Azure Active Directory tenant as an administrator. Then follow the steps below:

  1. From the left menu, select Security.

  2. Then select Authentication methods.

  3. In the next blade, select FIDO2.

  4. Enable the FIDO2 authentication method and decide whether you want to enable it for all users (as in my example). There are also two important settings to mention:
  • Allow self-service setup - this option should remain set to Yes. If it is set to No, your users will not be able to register a FIDO2 key through the My Security Info portal, even if the method is enabled by the Authentication Methods policy.
  • Enforce attestation - when this setting is enabled, the FIDO2 security key's metadata must be published and verified with the FIDO Alliance Metadata Service, and the key must also pass Microsoft's additional set of validation tests.

Great, now users can register and manage the FIDO2 Security Keys they use to sign in.

User registration and management of FIDO2 security keys

Once the passwordless authentication method is enabled in the Azure Active Directory tenant, we can add our FIDO2 Security Key. Follow the steps below:

1. Sign in to https://myprofile.microsoft.com/

2. Select Security info.

3. Remember to plug in your FIDO2 Security Key, using either the USB-A or the USB-C device.

4. Select Add method.

5. Select Security key from the list.

6. To set up a security key, we have to sign in with two-factor authentication (if there is no Azure AD Multi-Factor Authentication method registered, the user must add one first). In my case I have the Authenticator app installed on my phone.

7. Once the request is approved in the Authenticator app, we can select the security key type - in this case USB device.

8. As I mentioned before, remember to plug in your security key.

9. Once we click the Next button, we are redirected to the page where we can start the process of registering our FIDO2 security key.

10. First, we have to set the PIN. Then we are asked to touch the key, and we have to repeat the process. In the last step we have to name our device.

That’s it! Now we can use our FIDO2 device to access Tech Mind Factory Corporate Web App.

TMF Corporate Web App passwordless sign-in

Here is the Tech Mind Factory Corporate Web App.

After clicking the SIGN IN button, we are redirected to the Azure AD sign-in page. On this page we have to select Sign-in options.

Then select Sign in with Windows Hello or security key.

Then we have to click Security key.

Once we provide the PIN and touch the device, we are authenticated.

We can now access the app's functionality.

Summary

In this article, we discussed how to enable passwordless authentication using FEITIAN Security Keys and Azure Active Directory. If you want to learn more, I encourage you to check the official documentation provided by Microsoft and this introduction to passwordless sign-in with Azure AD. If you want to see other FEITIAN products, check this page.
