Security: How to enable sign-in with FIDO2 security keys on Windows 10 Devices and Azure AD

About this guide

This guide walks you step by step through setting up your Azure AD tenant to allow FIDO2 security keys, and through enabling Windows 10 device sign-in with those keys.

The information in this post was put together using Yubico's YubiKeys, so there may be some differences if you use another vendor.
Yubico has various keys for various devices and needs, and is also working on a key with an integrated fingerprint reader.
If you are unfamiliar with Yubico security keys, you can have a look at their site here:
https://www.yubico.com/

This post is not sponsored by Yubico.

About FIDO2 Security keys

Source(s):
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless 
https://fidoalliance.org/fido2/

FIDO2 security keys are an unphishable standards-based passwordless authentication method that can come in any form factor. Fast Identity Online (FIDO) is an open standard for passwordless authentication. FIDO allows users and organizations to leverage the standard to sign in to their resources without a username or password using an external security key or a platform key built into a device.

For public preview, employees can use security keys to sign in to their Azure AD or hybrid Azure AD joined Windows 10 devices and get single-sign on to their cloud and on-premises resources. Users can also sign in to supported browsers. FIDO2 security keys are a great option for enterprises who are very security sensitive or have scenarios or employees who aren’t willing or able to use their phone as a second factor.

Some highlights:
  • FIDO2 cryptographic login credentials are unique across every website, never leave the user’s device and are never stored on a server. This security model eliminates the risks of phishing, all forms of password theft and replay attacks.
  • Users unlock cryptographic login credentials with simple built-in methods such as fingerprint readers or cameras on their devices, or by leveraging easy-to-use FIDO security keys. Consumers can select the device that best fits their needs.
  • Because FIDO cryptographic keys are unique for each internet site, they cannot be used to track users across sites. Plus, biometric data, when used, never leaves the user’s device.
  • Websites can enable FIDO2 through a simple JavaScript API call that is supported across leading browsers and platforms on billions of devices consumers use every day.

Description on Passwordless authentication for Azure AD

Source:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless

Multi-factor authentication (MFA) is a great way to secure your organization, but users often get frustrated with the additional security layer on top of having to remember their passwords. Passwordless authentication methods are more convenient because the password is removed and replaced with something you have, plus something you are or something you know.

The basics of MFA

Each organization has different needs when it comes to authentication. Microsoft offers the following three passwordless authentication options that integrate with Azure Active Directory (Azure AD):

* Windows Hello for Business
* Microsoft Authenticator App
* FIDO2 security keys

Convenience VS Security

Authenticating with FIDO2 keys to Azure AD

The following process is used when a user signs in with a FIDO2 security key:

FIDO2 authentication flow
  1. The user plugs the FIDO2 security key into their computer.
  2. Windows detects the FIDO2 security key.
  3. Windows sends an authentication request.
  4. Azure AD sends back a nonce.
  5. The user completes their gesture to unlock the private key stored in the FIDO2 security key’s secure enclave.
  6. The FIDO2 security key signs the nonce with the private key.
  7. A primary refresh token (PRT) request with the signed nonce is sent to Azure AD.
  8. Azure AD verifies the signed nonce using the FIDO2 public key.
  9. Azure AD returns PRT to enable access to on-premises resources.

Requirements

  • FIDO2 security key(s) – YubiKeys are used in this guide
  • Admin access to Azure AD/Intune
  • Windows 10 1809 or higher for web app sign-in only – 1903 recommended
  • Windows 10 1903 or higher – for Windows 10 sign-in on Azure AD joined devices
  • Windows 10 Insider Build 18945 or higher for hybrid Azure AD joined devices, together with:
    • Azure AD Connect version 1.4.32 or later
    • Fully patched domain controllers (Windows Server 2016/2019)
  • A supported browser (e.g. Edge Chromium, Google Chrome)

Enable Security keys in Azure AD

The following steps enable security keys for your Azure AD tenant.

Head over to your Azure Active Directory admin portal and select “Security” in the left panel:

Azure AD overview>Security

Once in the Security view, click “Authentication methods” in the sidebar, select “FIDO2 Security key”, set it to Enable, choose your target user(s) (all users, a group, or a single user), and click Save.

Authentication Methods

FIDO2 keys are now enabled for web apps in your tenant, and users can enroll their security key(s).

How to enroll security key for the user

For the user enrolling the key, head over to https://myprofile.microsoft.com
Once in the portal, click “Security Info”, click “+ Add method”, choose “Security key” in the dropdown, then click “Add”.

Add authentication method

If you get a prompt saying you need to sign in with two-factor authentication to make this change, complete it as prompted.

Sign in with 2FA prompt

After verifying with two-factor authentication, you need to choose what kind of security key you have.
Choose your device type – most likely USB device.

Choose security key type

Depending on your browser, you may get a popup like the following (this one is from MS Edge Chromium).

Continue on this prompt

If this is the first time you plug in the key, you may be prompted to set a PIN for it; otherwise, enter the PIN you already configured.
In my case, the PIN is already configured, and I’m asked to input the code and touch the key to continue.

Click allow if you get this:

Allow access to see the key

The key is added, and you are prompted to give the key a name. This helps you keep track of your authentication methods, which is especially useful if you get more security keys over time or need to revoke the key later.

Name your key

Your key is added and ready to be used, and should be listed under your authentication methods.

Verify your key is working

To quickly check that your key is working, head over to your Office 365 portal at: http://portal.office.com/

At the sign-in prompt, select “Sign-in options”, then select “Sign in with a security key”.

Click sign-in options
select Sign in with a security key

You will be prompted to input your security key PIN and touch the key for verification.

If the key is associated with multiple accounts, you will be prompted to choose the correct account; select it and click OK.
(Yes, you can use the key for multiple accounts; there is a caveat about that later on.)

Select your account – if multiple accounts

You should now be logged in to your Office 365 account with the selected credentials.
Notice that you did not have to input either the username or the password for the account, only the security key – great, right?

Logged on to office portal

Enabling security key sign in for Windows 10 via Intune

Now that you have your key enrolled, why not use it to sign in to your Windows 10 computer as well?
If your device is managed via Intune, you can accomplish this as follows.

Head over to the Microsoft Endpoint Manager admin center here: https://devicemanagement.microsoft.com/#home

Then go to Devices, click “Configuration profiles” in the middle menu, click “Create profile”, select Windows 10 as Platform and Custom as Profile type, then click Create.

Create custom profile

Set a name and description for the profile, then click Next.

Name your profile and give it a description

On the next screen, click Add, fill in the “Add Row” fields as follows, click Add, then Next:

Name: Security Keys for Windows Sign-In
Description: Enables FIDO Security Keys to be used during Windows Sign In
OMA-URI: ./Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin
Data Type: Integer
Value: 1

Create custom OMA-URI

In the Scope tags screen, accept the default and click Next.
In the Assignments screen, select the group of devices you wish to deploy this to, then click Next.

Select your targets

In the Applicability Rules screen, accept the default and click Next.
In the Review + Create screen, review your settings and click Create.

Review your settings

Your setup is now complete. Once the targeted devices receive the policy, the logon screen will offer the option to sign in with your security key.

FIDO key available at logon screen

Once the device has received the policy, inserting the key will prompt you for your PIN directly and then sign you in – no username or password needed.

What makes this great?

  • You do not need Windows Hello configured to enable FIDO key sign-in. This gives almost the same convenience as Windows Hello PIN sign-in, also on devices that do not support it, which makes for a better user experience.
  • Nothing is stored on the machine; all secrets are in the key, not in the device’s security chip.
  • The user only needs the key, not the username and/or the account password. The key and PIN follow the user across devices.
  • In an environment with shared devices, users can sign in more quickly, as they do not need to switch away from the previous user of the machine – the key signs you in with your own account details.
  • Perfect for hot-seating and other shared workspaces/devices.
  • No password hash is stored on the device, as it is with traditional username/password logon – meaning increased security.
  • The simplicity and small time savings also mean better productivity while maintaining security.
  • Users can also use the key on other services that support the same standard (e.g. Facebook and Google), which decreases the attack surface from a security standpoint.
  • If you opt for a security key that also has OTP support, you can use the Yubico Authenticator app to generate the OTP codes. This means no more MFA hassle when changing your phone for whatever reason – everything is in the key, the phone is just a tool to show the codes.
  • If using the keys for OTP with the authenticator app, Yubico Authenticator is available for mobile as well as for Windows, Linux and Mac – they will show the codes when the key is detected.
  • The two OTP options above are great for environments where mobile devices are not allowed.
  • If you have two keys, you can register for Google’s Advanced Protection Program to protect your Google account.
    This is a good option for a “backup” email account, which is needed when registering for two-factor authentication with various services.
    You then have a properly protected backup email with special security attached to it.
    This is always a better option than having SMS as a backup method. If using a backup e-mail account, use one dedicated to the purpose, with high security attached, and don’t use it for anything else.

Some caveats to be aware of

  • If you also use Citrix Virtual Apps and Desktops on the devices with SSO to e.g. StoreFront, you will need Citrix FAS to get SSO to Citrix when signing in with these keys. This is because the Citrix SSO service cannot pass the login through when you sign in with a key, as there are no credentials to pass.
    The same issue applies if users sign in with Windows Hello for Business – both use tokens instead of passwords, and signing on with these means the normal Citrix SSO service will not start with the session.
  • If you have multiple accounts on the key and they exist in the same Azure AD tenant, be careful about the order in which you add the key to these accounts. The last account added to the key will be the first one attempted when logging in to a device.

    Accounts are added to the key bottom-up, while authentication is attempted top-down, so the last account added is the first one attempted at logon.
    In the figure below, if you add two users from the same tenant to the key, say nr 2 and nr 3, the last one added (nr 3) will be the one logged on to the computer, as it is attempted before nr 2.

    This will most likely not be a regular issue, but it is something to be aware of when adding multiple accounts from the same tenant to the same security key.

    For sign-in to web applications you get a list to choose from, so this is not an issue there.

    Think of it like this:
Accounts on security key

Links
