Recently I received two security keys from AuthenTrend, the ATKey.Pro in USB-A and USB-C versions. These are both FIDO2-certified keys with a fingerprint scanner, which enable passwordless authentication for Azure AD and Microsoft (Outlook) accounts.
As I received two new FIDO2 keys, it's a good moment to write a short review about the ATKey.Pro keys and also make people aware that FIDO2 keys can be used to secure multiple accounts.
The ATKey.Pro is delivered in a small box, with the specifications of the key and a QR code for the user guide on the back.
The keys are smaller than those of many competitors. They look solid, but they seem less robust to me than, say, a flat key from Feitian. However, that does not mean that I expect them (in normal use) to break down quickly. The key is delivered with a silicone keychain, to protect the key when it's in your pocket with the other keys.
This key is equipped with a fingerprint scanner, which makes logging into an account even faster than using a standard key with only a PIN. The key is equipped with an LED light, which is very useful. The LED indicates the status of the key and whether recognizing the fingerprint was successful or failed.
No driver is needed to use the key with your Windows 10 device; just put the key in your laptop and in a few seconds, the key is ready for use.
On macOS, the key works fine to authenticate to your web app when using the Edge browser. Also on macOS, plug in the key and it's ready to use.
I have not tested it, but referring to the specifications on the website, the key is also compatible with Chrome OS.
You can register up to 10 fingerprints with this key, which seems enough for me :). And fingerprint recognition is very fast. Just tap the key on the side and the finger is recognized immediately.
The keys can be used for passwordless authentication combined with your Azure AD (Office 365) and (personal) Microsoft account, as these are FIDO2 certified. Besides that, you can also use the keys as a second authentication factor (MFA) for things like Google (Gmail), Twitter, Facebook, etc., as the keys are also FIDO U2F certified.
These features are the default for FIDO2 security keys like these, but there are two things that are unique compared to competitors. The first unique feature is the standalone enrollment of the key, which is shown in the video below from AuthenTrend.
You can enroll the key, right out of the box, using a power bank without first setting up the key in Windows and setting a PIN. If you register the key after the standalone enrollment in your AAD account, it is ready to use to sign in to a Windows 10 device or a web app.
The second unique feature: the keys can also be used as a hardware password manager with a fingerprint. I will describe that in a future blog post.
In the next part of the post, we see how the key is set up using a Windows 10 device and how we can use the key with multiple accounts.
Set up the ATKey.Pro in Windows 10
We can not only register multiple fingerprints with the key, we can also use the key with multiple accounts, even if these are all Azure AD accounts. This is, for example, very handy when you manage multiple Azure tenants with different accounts.
When the key is new, we first need to set up the key. In the latest Windows 10 builds (since build 1903) this can be done directly from Windows settings, with no need for additional software.
A separate driver isn't needed; we just plug in the key and in a few seconds, the key is installed.
To use the key, we need to set a PIN code first on the key, which is not required when using standalone enrollment. After that, we can add our fingerprints.
- Open Settings
- Browse to Accounts – Sign-in options
- Click Security Key – click Manage
- Connect the security key to the laptop or desktop
- Touch your security key
- Click Add under Security Key PIN
- Enter a PIN (twice)
- Click OK
- Click Set up under Security Key Fingerprint
- Touch the fingerprint sensor on the key
- Touch the sensor multiple times to cover the whole fingertip
- All set!
- The key can now be used with this fingerprint
- Click Add another finger or click Done
- When finished click Close
The key itself is now set up. Below is a short video of this setup.
The ATKey.Pro key is now ready for use with your accounts.
The next step is to register the key in your Azure AD / Office 365 account.
Register the key in Azure AD as end-user
There are some prerequisites to use a FIDO2 security key for passwordless authentication with an Azure AD account. The prerequisites depend on the environment: cloud-only Azure AD or Hybrid Azure AD. For both, at least Multi-factor Authentication and Combined security information registration need to be enabled. If you want to read the whole setup, read one of the previous posts.
To use the key, it first needs to be registered as an authentication method. Below are the steps for an Office 365 account.
- Sign in to your account via https://aka.ms/mysecurityinfo
- Click Update info under Security info
- Click Add method
- Choose Security key from the drop-down list
- Click Add
- Click Next
- Click USB device
- Have your key ready
- Click Next
- Click OK
- Click OK
- Connect the key to your device
- Touch your security key
- Enter a name for this security key
- You're all set!
The security key is listed as one of the authentication methods.
Below you see the complete registration of a security key in a short video.
The FIDO2 security key is registered in your Azure AD account. Perform the same steps for all your AAD accounts and also for your personal Microsoft account.
Passwordless authentication to multiple accounts
In the video below, I use one ATKey.Pro FIDO2 security key which I have registered to multiple Azure AD accounts and an Outlook.com account. I don't have to enter my password (and an MFA challenge) to sign in to these accounts. Just connect the key to your laptop, click (or enter) the account name and touch the key to authenticate and sign in to my accounts.
I will not end this post with a conclusion about the ATKey.Pro; I have added that to the follow-up story about the hardware password manager feature.
At the moment of writing this article, AuthenTrend and Microsoft are running a pilot passwordless program for SMBs and Service Providers. If you are interested in receiving such a security key, have a look at this website.
Securing multiple accounts with a FIDO2 key isn't unique to this key, so if you have such a key available, secure all those accounts!