A few weeks ago I wrote a post with the same subject, passwordless authentication to Windows 10 with FIDO2 security keys. For that post I tested a FIDO2 security key from vendor Yubico. This time I tested several FIDO2 keys from Feitian.
I received multiple keys from Feitian for testing, some standard keys with and without NFC, but I also received a few Bio versions. More on the Bio versions later in the post; first let's have a look at what passwordless authentication is and what the requirements are.
If you have already read my previous post about the Yubico key, you might want to move on to the End-user experience part of the post.
This passwordless sign-in feature for Windows 10 is made possible by the support in Azure AD for FIDO2 security keys, which was announced (in preview) by Alex Simons back in July 2019. Supported FIDO2 security keys provide a passwordless sign-in option to SaaS apps (like the Office 365 portal) or to an Azure AD joined Windows 10 device.
FIDO stands for Fast Identity Online, an open standard to sign in safely to SaaS apps and computers. The goal of FIDO is to make the sign-in process more secure and simpler. This is accomplished by signing in without using a username and password: passwordless.
How it works, in short, with an example. FIDO2 makes use of a public/private key pair for authentication. The public key is provided to the identity provider (in this case Azure AD) and the private key remains on the device (the FIDO2 security key).
When the user needs to authenticate to Azure AD (AAD) to sign in to the Windows 10 device or to Office 365 via a browser, AAD sends the user a challenge. With the challenge, AAD wants to determine if the user is who he claims to be. The challenge is signed with the private key (which is stored on the FIDO2 key) and the resulting signature is sent back to AAD. AAD can then verify the signature with your public key and allow logon.
An advantage of this solution is that there are no passwords stored at the identity provider. When an identity provider is hacked, the hacker only finds a list of useless public keys and no passwords. And because FIDO2 generates a unique private/public key pair for each identity provider, a public key found at one provider cannot be used to link your key to your account elsewhere.
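The challenge-response flow described above, as an added example that is not part of the original post and not Feitian's or Microsoft's code. It models the security key (Authenticator) and the identity provider (RelyingParty) with P-256 ECDSA from the Go standard library. The relying-party names aad.example and saas.example, the user name alice, and the simplified signed data (SHA-256 over the RP identifier and the challenge, instead of WebAuthn's authenticatorData || SHA-256(clientDataJSON)) are assumptions made for this example. It goes a little beyond the post by also checking that a replayed signature and a signature made for another provider are rejected, and that the two providers end up holding different public keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the FIDO2 security key: one private key per relying
// party (RP), and the private keys never leave this struct.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // rpID -> private key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: make(map[string]*ecdsa.PrivateKey)}
}

// Register generates a fresh P-256 key pair for the RP and hands back only
// the public half, which is all the identity provider ever stores.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// assertionDigest is the data both sides sign/verify: RP identity plus the
// challenge. Simplified stand-in for WebAuthn's authenticatorData || clientDataHash.
func assertionDigest(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign answers an RP's challenge with the private key bound to that RP.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %s", rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, assertionDigest(rpID, challenge))
}

// RelyingParty models the identity provider: public keys only, random challenges.
type RelyingParty struct {
	ID   string
	pubs map[string]*ecdsa.PublicKey // username -> public key
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubs: make(map[string]*ecdsa.PublicKey)}
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.pubs[user] = pub }

// NewChallenge issues 32 fresh random bytes; a new value per sign-in is what
// makes a captured signature useless for replay.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks the signature against the public key stored for the user.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubs[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, assertionDigest(rp.ID, challenge), sig)
}

// ScenarioResult records the outcome of the four checks in RunScenario.
type ScenarioResult struct {
	GenuineAccepted bool // correct key, current challenge
	ReplayAccepted  bool // old signature presented against a new challenge
	CrossRPAccepted bool // signature made for the SaaS RP presented to the AAD RP
	KeysLinkable    bool // same public key registered at both RPs
}

// RunScenario registers one key at two constructed RPs and signs in to the first.
func RunScenario() (ScenarioResult, error) {
	var r ScenarioResult
	key := NewAuthenticator()
	aad, saas := NewRelyingParty("aad.example"), NewRelyingParty("saas.example")
	pubA, err := key.Register(aad.ID)
	if err != nil {
		return r, err
	}
	pubB, err := key.Register(saas.ID)
	if err != nil {
		return r, err
	}
	aad.Enroll("alice", pubA)
	saas.Enroll("alice", pubB)
	c1, _ := aad.NewChallenge()
	sig1, err := key.Sign(aad.ID, c1)
	if err != nil {
		return r, err
	}
	r.GenuineAccepted = aad.Verify("alice", c1, sig1) // genuine sign-in
	c2, _ := aad.NewChallenge()
	r.ReplayAccepted = aad.Verify("alice", c2, sig1) // same signature, new challenge
	sigB, _ := key.Sign(saas.ID, c2)
	r.CrossRPAccepted = aad.Verify("alice", c2, sigB) // signed for the other RP
	r.KeysLinkable = pubA.Equal(pubB)                // distinct key pair per RP
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Running it prints a ScenarioResult in which only GenuineAccepted is true. The three false fields are the properties the post relies on: a stolen list of public keys does not let anyone sign in, a captured signature does not survive the next challenge, and the key pair registered at one provider is unrelated to the one registered at another.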
There are some prerequisites to get the passwordless sign-in feature up and running for Windows 10 Azure AD joined devices:
- Azure Multi-Factor Authentication
- Combined security information registration
- Compatible FIDO2 security key (Like the Feitian keys I used)
- WebAuthn requires Windows 10 version 1809 or higher
- Azure AD joined devices require Windows 10 version 1809 or higher (best experience with 1903 and higher)
To enable passwordless sign-in to Windows 10 devices in my environment, I used Microsoft Intune and Azure AD for the implementation of the required settings. As security key I used several Feitian FIDO2 security keys and the Windows device runs Windows 10 1903.
Enable security keys for Windows sign-in
We need to enable the security keys as a sign-in option for our Windows 10 devices in Microsoft Intune. In Intune this can be done either by enabling it as part of the tenant-wide Windows Hello for Business (WHfB) settings or by deploying an Identity Protection configuration policy.
The first option is a tenant-wide setting for all users.
Open a browser to sign-in to the Microsoft Endpoint Manager admin center.
- Sign-in to the Endpoint Manager Portal
- Browse to Devices – Windows – Windows Enrollment
- Click Windows Hello for Business
- Set Use Security keys for sign-in to Enabled
- Click Save
The same can be accomplished by using an Identity Protection configuration policy. The advantage of using a configuration policy is you can assign it to a group of users instead of all users.
- Browse to Devices – Windows – Configuration profiles
- Click Create profile
- Give the policy a Name
- Enter a Description (optional)
- Choose Windows 10 and later as Platform
- Choose Identity protection as Profile type
- On the Settings tab set Use security keys for sign-in to Enable
- Click OK
- Click Create
- Assign the policy to the security group of choice
The documentation states we also need to deploy the Intune CSP setting UseSecurityKeyForSignin. But during my testing with Windows 10 1903, that setting wasn't needed (anymore).
Enable combined security information registration
The next step is to enable combined security information registration, which is at the moment of writing, in preview.
The feature needs to be enabled from the Azure (AD) Portal.
- Sign-in to the Azure AD portal
- Browse to Azure Active Directory – User settings
- Click Manage user feature preview settings
- Select All to switch on the feature for all users
- Click Save
Enable FIDO2 security keys as Authentication method
The third step is to enable FIDO2 security keys as Authentication method in Azure Active Directory.
- Still in the Azure AD Portal browse to Azure Active Directory
- Browse to Security – Authentication methods
- Click FIDO2 Security Keys
- Set Enable to Yes
- Leave Target set to All or switch to Select users and select a security group
- Click Save
On this screen we also have the option to block self-service setup of the security keys and to configure a key restriction policy. If you want to block specific security keys or only allow specific security keys, you need the AAGUID of the security key.
End-user experience: FIDO key registration
For the end-user to use the Feitian FIDO2 security key, the key first needs to be registered in Azure AD. This can be done by visiting https://myprofile.microsoft.com with a browser (like Edge, Chrome, Firefox) which supports WebAuthn.
Keep in mind that even if your FIDO2 key supports Bluetooth, like the Feitian AllinPass K33, the key first needs to be registered at Azure AD using USB (or NFC).
Signed-in to the portal, click Update info under Security info.
Pick Security key from the drop-down list and click Add.
If for the end-user two-factor authentication is not setup, below message is shown and two-factor authentication first needs to be setup.
If two-factor authentication is already setup, skip this and the next step.
Complete the setup wizard for two-factor authentication.
When two-factor authentication is setup, move on with the key registration.
Select USB Device.
Insert the Feitian FIDO2 security key.
Your PC will redirect you to a new window to finish setup.
Follow the instructions described in the new window.
Click Continue in the pop-up screen.
Create a PIN for this security key and enter the PIN a second time. Click OK.
Touch the Security key.
Give your security key a Name, so you can identify your key, and click Next.
You're all set! Registration of the security key is finished.
The security key is listed as one of the sign-in methods.
End-user experience: sign-in to a Windows 10 device with a standard key
Get yourself an Azure AD joined Windows 10 (1809 or later) device. The experience below is with a standard FIDO2 security key like the Feitian A4B. You need to enter a PIN and touch the key to sign in to Windows.
When you click on Sign-in options on the login Window, the new option is shown.
In the middle we now have the security key icon.
When you click on the security key icon, you are asked to insert the key.
When you insert your FIDO2 security key, you are prompted to enter your PIN code.
After entering your PIN, you are asked to touch your key. After you have touched your key, you are signed-in to Windows without entering your password!
To sign in to a Windows 10 device it isn't necessary to choose the security key sign-in option. As soon as you insert the security key, the key is recognized as a sign-in option and you are directly asked for the security key PIN.
By using the security key, you are able to sign in to a device without entering your username and password, completely passwordless. Compare this to, for example, a PIN as part of Windows Hello for Business, where you first need to authenticate using a username and password and only after that can create a PIN for future sign-ins to Windows.
At this moment there is only one time you still need to use your username and password on a Windows 10 device: during the OOBE process for Azure AD (AAD) authentication. But at Ignite 2019 support for FIDO2 was announced for Windows Autopilot. In the future, during OOBE using Autopilot for authentication to AAD and enrollment into Intune, we can also use security keys!
End-user experience: Sign-in to a SaaS app
The FIDO2 security key can not only be used to sign in to a Windows 10 device, but also to sign in to a SaaS app, like Office 365. Let's see what that looks like.
Open a browser which supports WebAuthn, like the new Chromium-based Edge browser. Visit office.com and click Sign in.
On the new page click Sign-in options.
Select Sign in with a security key.
When the security key isn't inserted in your device yet, it will show the screen below.
Insert the security key.
Enter the PIN code from the security key.
Touch the security key.
And we are signed-in to the Office 365 portal without providing our username and password!
FIDO2 Biometric security keys
This passwordless experience with standard security keys works fine, but we still need to provide a PIN and touch the key when we need to authenticate. An even better experience is provided by biometric (bio) versions of the FIDO2 security key. With a bio security key we don't need to provide a PIN during the authentication process, but only touch the key with our finger for the fingerprint.
At the moment of writing Feitian already has a few bio security keys in their portfolio like the K26, K27 and K33 which I tested.
End-user experience: Biometric security keys
The setup and registration of a bio key with Azure AD isn't different, as it is still a USB (or NFC) device, only equipped with a fingerprint module. The extra setup is registering fingerprint(s) on the security key, which can be done directly in Windows 10 as long as you use version 1903 or later.
To register one or multiple fingerprints connect the security key with the Windows 10 device and open Settings. Browse to Accounts, Sign-in options.
Click Security Key and click Manage.
Touch your security key.
Now you have multiple options to manage the security key, like changing the PIN or resetting the key, but we are interested in the fingerprint.
Click Set up under Security Key Fingerprint.
For security reasons you are asked to provide the PIN of the security key.
Enter the PIN and click OK.
Touch the fingerprint sensor.
Touch the security key multiple times to setup the fingerprint.
The fingerprint is set, click Done.
The fingerprint is not stored in Windows, but stored on the security key in a secure element.
You are able to add multiple finger(prints) by clicking Add another finger.
When we now take a look at the authentication process on a Windows 10 device, we see we don't need to enter a PIN. We only need to touch the security key with the finger for which we registered the fingerprint.
The screen below is shown as soon as you put the key in the USB port.
End-user experience: Bluetooth equipped security keys
Feitian has a biometric FIDO2 security key which can be used not only via USB, but also via a Bluetooth connection. The Feitian AllinPass K33 supports Bluetooth Low Energy.
The security key needs to be added to Azure AD using USB or NFC and that's the same for the first sign-in to a Windows 10 device. But after that, the key can be connected to the Windows device via Bluetooth like any other supported Bluetooth device.
The advantage of this is you don't have to put the key in a USB port for authentication, but only switch on the key and touch it with your finger.
The key can be connected to Windows via Settings, Devices. On the Bluetooth & other devices tab click Add Bluetooth or other devices.
On the popup screen choose Bluetooth.
Turn on the K33 key by pressing the button for at least 5 seconds until the blue LED blinks rapidly.
The device shows up with a 6 digit shortname.
Your device is ready to go!
The key is paired with Windows.
The key is shown on the Bluetooth tab. Here you also see the battery level of the key.
Lock the Windows screen. When the key isn't inserted in the USB port or connected via Bluetooth it shows the message below:
Tap, turn on or insert your security key.
Turn on the Bluetooth-equipped key by pushing the button for five seconds. The BLE LED will blink slowly to indicate it is turned on.
The Bluetooth icon is shown on the lock screen.
Touch the K33 security key with your registered finger and you are signed in to Windows.
When we have a look at the browser sign-in experience it is exactly the same as when we insert the USB key in the Windows device. We choose Sign-in options and Sign in with a security key. It shows the Bluetooth icon instead of a USB key icon.
Overview and conclusion
I was able to test several FIDO2 security keys from Feitian. The standard (A4B) key just does what it's supposed to do: provide passwordless authentication. Put in the key, provide a PIN and touch the key for authentication. It's just that simple (and secure).
The biometric keys (K26, K27 and K33) with the fingerprint module make the passwordless authentication experience even simpler; true passwordless. Connect the key through USB (A or C) or Bluetooth and touch the key with your finger. No need to enter a PIN. It only takes some more time to set up the keys, because of adding the fingerprints or connecting via Bluetooth. But that's only a couple of minutes, one time, and it provides a simpler authentication experience every time.
Whether Bluetooth is an advantage compared to connecting the key to a USB port is probably a personal preference. For just some testing it made no difference for me, but when using a key daily it might.
In an environment with shared devices it makes more sense to use the USB version, but when devices are equipped with NFC readers you can also make use of NFC.
The only protocol I didn't test (yet) was connecting the device by NFC. A couple of these keys have NFC support, I hope to test that later. Maybe by using Safari on an iPhone, as Apple announced FIDO2 support for Safari in iOS 13.3.