Enable passwordless authentication to Windows 10 with Yubico security keys

Passwordless Authentication

In the past I wrote some security related blog posts with subjects like Windows Hello Multifactor Device Unlock, Self Service Password Reset on the Windows Logon screen and Securing the Azure MFA registration process. This time I`ll have a look at the passwordless sign-in feature to Windows 10 with Yubikey security keys.

This passwordless sign-in feature for Windows 10 is made possible by the support in Azure AD for FIDO2 security keys, which was announced (in preview) by Alex Simons back in July 2019. Supported FIDO2 security keys, provide a passwordless sign-in option, to Saas apps (like the Office 365 portal) or to an Azure AD joined Windows 10 device.

FIDO stands for Fast Identity Online, an open standard to sign-in safely to SaaS apps and computers. The goal of FIDO is to make the sign-in proces more secure and simplified. This is accomplished by sign-in in without using a username and password; passwordless.

To enable passwordless sign-in to Windows 10 devices in my environment, I used Microsoft Intune and Azure AD for the implementation of the required settings. As security key I used a Yubico YubiKey and the Windows device runs Windows 10 1903.

Prerequisites

There are some prerequisites to get the passwordless sign in feature up and running for Windows 10 Azure AD joined devices;

  • Azure Multi-Factor Authentication
  • Combined security information registration
  • Compatible FIDO2 security key (Like the Yubico key I used)
  • WebAuthn requires Windows 10 version 1809 or higher
  • Azure AD joined devices require Windows 10 version 1809 or higher (best experience with 1903 and higher)

Enable security keys for Windows sign-in

We need to enable the the security keys as a sign-in option for our Windows 10 devices in Microsoft Intune. In Intune this can be done by enabling this as part of a tenant wide Windows Hello for Business (WHfB) setting or by deploying an Identity Protection configuration policy.

Using this first option is a tenant wide setting for all users.

Open a browser to sign-in to the Microsoft Intune portal.

  • Sign-in to the Device Management Portal
  • Browse to Devices – Windows – Windows Enrollment
  • Click Windows Hello for Business
  • Set Use Security keys for sign-in to Enabled
  • Click Save

The same can be accomplished by using an Identity Protection configuration policy. The advantage of using a configuration policy is you can assign it to a group of users instead of all users.

  • Browse to Devices – Windows – Configuration profiles
  • Click Create profile
  • Give the policy a Name
  • Enter a Description (optional)
  • Choose Windows 10 and later as Platform
  • Choose Identity protection as Profile type
  • On the Settings tab set Use security keys for sign-in to Enable
  • Click OK
  • Click Create
  • Assign the policy to the security group of choice

The documentation states we also need to deploy the Intune CSP setting UseSecurityKeyForSignin. But during my testing with Windows 10 1903, that setting wasn`t needed (anymore).

Enable combined security information registration

The next step is to enable combined security information registration, which is at the moment of writing, in preview.
The feature needs to be enabled from the Azure (AD) Portal.

  • Sign-in to the Azure AD portal
  • Browse to Azure Active Directory – User settings
  • Click Manage user feature preview settings
  • Select All to switch on the feature for all users
  • Click Save

Enable FIDO2 security keys as Authentication methode

The third step is to enable FIDO2 security keys as Authentication method in Azure Active Directory.

  • Still in the Azure AD Portal browse to Azure Active Directory
  • Browse to Security – Authentication methods
  • Click FIDO2 Security Keys
  • Set Enable to Yes
  • Leave Target set to All or switch to Select users and select a security group
  • Click Save

In above screen we also have the option to block Self-service setup of the security keys and a Key restrictions policy. If you want to block specific security keys or only allow specific security keys, you need the AAGuid of an security key. Those for the security keys of Yubico can be found here.

End-user experience: FIDO key registration

For the end-user to use the FIDO2 security key, the key first needs to be registered in Azure AD. This can be done by visiting https://myprofile.microsoft.com with a browser (like Edge, Chrome, Firefox) which supports WebAuthn.

Signed-in to the portal, click Update info under Security info.

On the Security info page click Add method.

Pick Security key from the drop-down list and click Add.

Select USB Device.

Click Next.

Insert the FIDO2 security key.
Your PC will redirect you to a new window to finish setup.

Follow the instructions described in the new window.
Click Continue in de pop-up screen.

Create a PIN for this security key and enter the PIN a second time. Click OK.

Touch the Security key.

Give your security key a Name, so you can identify your key, and click Next.

You`re all Set! Registration of the security key is finished.
Click Done.

The security key is listed as one of the sign-in methods.

End-user experience: sign-in to a Windows 10 device

Get yourself an Azure AD joined Windows 10 (1809 or later) device.
When you click on Sign-in options on the login Window, the new option is shown.

In the middle we now have the security key icon.

When you click on the security key icon, you are asked to insert the key.

When you insert your FIDO2 security key, you are prompted to enter your PIN code.
After entering your PIN, you are asked to touch your key. After you have touched your key, you are signed-in to Windows without entering your password!

To sign-in to a Windows 10 device it isn`t necessary to choose the security key sign-in option. As soon as you insert the security key, the key is recognized as sign-in option and you are directly asked for the security key PIN.

By using the security key, you are able to sign-in to a device without entering your username and password, completely passwordless! Instead of for example a PIN as part of Windows Hello for Business. Where you first need to authenticatie using a username and password and after that are able to create a PIN for future sign-ins to Windows.

At this moment there is only one time you still need to use your username and password on a Windows 10 device, during the OOBE proces for Azure AD (AAD) authentication. But at Ignite 2019 support for FIDO2 was announced for Windows Autopilot. In the future during OOBE, using Autopilot for authentication to AAD and enrollment into Intune, we can also use security keys!

End-user experience: Sign-in to a SaaS app

The FIDO2 security key cannot only be used to sign-in to a Windows 10 device, but also to sign-in to a SaaS app, like Office 365. Let`s see how that looks like.

Open a browser which supports WebAuthn like to new Chromium based Edge browser. Visit office.com and click Sign in.
On the new page click Sign-in options.

Select Sign in with a security key.

When the security key isn`t inserted yet to your device, it will show below screen.
Insert the security key.

Enter the PIN code from the security key.
Click OK.

Touch the security key.

And we are signed-in to the Office 365 portal without providing our username and password!

The Yubico security key with FIDO2 support I used works just fine. I`m very curious what FIDO2 security keys as a whole, will bring us in the passwordless future.
At this moment we can use the keys, as I showed, to sign-in passwordless to Azure AD joined Windows 10 devices and SaaS apps. But at Ignite was announced these capabilities will be expanded to hybrid environments as we can read here.
Another interesting development, related to the FIDO2 security keys, are biometric security keys, as also announced for YubiKeys at Ignite. This type of security keys supports fingerprint recognition.

Feitian already has a few biometric security keys in their portfolio. A new post about those keys can be read HERE.

Lot of developments around a passwordless future which we should follow.

Happy testing!

6 Comments

  1. Now support for locking the workstation when removing the key. Even enabling the GPO and starting the removal smartcard service Does not lock the system when the key is removes. Got it working with a Self Made tool/script.

Leave a Reply

Your email address will not be published.


*