Using your smartphone as a FIDO security with IDmelon

PASSWORDLESS

I have been using several different FIDO2 security keys in the past year to passwordless sign-in to my Azure AD accounts. The used keys are from different vendors like Authentrend, Feitian, and Yubico. I have one connected to my docking station in my home office for daily usage. I have one in my laptop bag if I go to my employee’s office. And a key is laying around in the living room to use when I’m working downstairs. So most of the time when I need a FIDO key, I have one with me.

But to be honest, I’m sometimes too lazy to grab my FIDO key from the other side of the room, when I’m sitting on the couch. Or sometimes I don’t have a key with me. Then I still use my password combined with Authenticator notification, as my phone is always near me. The solution is recently tested solves this ‘issue’, it’s from IDmelon.

IDmelon has a different approach from most other FIDO security key vendors. IDmelon provides a mobile application, which turns our smartphone into a FIDO security key. And as most people carry a smartphone always and everywhere, it’s an interesting approach which I tested, and for certain circumstances works very well!

Actually, IDmelon delivers several different solutions. The first solution is used on personal (non-shared) devices, for which we need the IDmelon mobile app on our smartphone and the IDmelon Pairing Tool on our Windows device. No further hardware is needed.
The second solution is designed for shared device environments, like healthcare or manufacturing. For this solution, we need the mobile app and the IDmelon Reader. The reader is a USB hardware device.

And with that Reader, IDmelon delivers a third solution, as the Reader has two functions. It functions as a reader, but we can also turn it into a USB FIDO2 security key, which can be used as a standalone FIDO key like delivered by other vendors.

I will explain the three solutions in more detail later in this blog post. First some information regarding the mobile app and the Reader.

The IDmelon mobile app

Let’s first have a look at the IDmelon mobile app by installing and configuring the app.

We can download the mobile app for free for Android and iOS.

When installed, start the app to set it up as a FIDO security key.
Click Getting Started.

Provide your email address to receive an activation link and activation code.

When the activation email is received, click the activation link to move on.

Or enter the activation code in the app.

Provide you Personal information.

Confirm you want to activate the security key on your phone.

Direct from this screen we can pair our phone with a PC.

Or you can pair the phone with the PC from the home screen of the app.

When installed and activated, we can see the status of the app on the home screen.

On the Accounts tab, we can see at which accounts we registered our mobile security key. As you can see I registered the app at several (Office 365) accounts.

A benefit of this solution, we can set an account as default, as only the default account is used to sign in to Windows.
Just hold the account name and we have the option to set the account as default or delete it.

From the accounts tab, we can also access the activities.

The third tab is the Settings tab, from where we can manage the notifications and access the list of paired PCs.

An overview of the paired PCs, from where we can pair with new PCs or log out an existing PC.

The IDmelon Reader

IDmelon delivers a physical USB device, which can function as a reader and as a ‘normal’ FIDO security key. On the side of the key, we find a little button, to switch between the reader and security key. On the top of the key, we see a LED with different colors which indicates in which mode the reader is operating.

We can easily switch between modes by holding the button for 3 seconds. A short beep is heard when you can release the button. Wait for about 15 seconds until the LED stops blinking, and the Reader is switched to the other mode.
If the LED blinks blue, it is in the Reader mode to let you experience the tap-n-login experience (on a shared PC).
If the LED blinks green, it can be used as a normal hardware security key.

When you connect the Reader the LED blinks, so you can determine in which mode the Reader is operating.

Configure IDmelon for non-shared devices

The solution for non-shared devices consists of the IDmelon app on our mobile device (Android or iOS) and a software installation (Pairing Tool) on our Windows device. Because we need to install software on a Windows device and pair the devices, this is considered a solution for non-shared devices. This solution isn’t plug-and-play, instead of the solution with the Reader.

When we install the Pairing Tool the IDmelon services is installed, which runs in the background. And a small program with a GUI is installed. The service sends notifications to the paired smartphone when an authentication process asks us to touch the key like we usually touch our physical USB key. Notifications are sent over the internet, like notifications we receive in an Authenticator app.
Via the GUI of the application, we can pair our smartphone and see if the smartphone is connected.

Let’s set this all up!

On your Windows device download the Pairing Tool from the IDmelon site and install the application.

On your smartphone, start the IDmeldon app and on the home screen tap the QR icon on the top right corner.

Switch over to the PC, start the Pairing Tool and click Pair a new smartphone.

A QR code is shown.

Switch back to the smartphone and scan the QR Code with the IDmeldon app. The smartphone is paired with the PC. Enter a name for the phone.

Pairing is finished and the smartphone is connected to the PC and ready to send notifications to the smartphone. We now can use our smartphone as FIDO security key!

In below video the setup of the mobile app is shown. Also shown is how to pair the devices.

To use our smartphone as a security key with Office 365/ Azure AD, we first need to register the security key to our account via the Security info page. This process is the same as we add a USB security key to our account.

Click Add method, choose Security key, USB device and follow the further instructions.

But the big difference in this is, we don’t tab our security key or provide a PIN when this is asked, we approve this on our smartphone.

When we authenticate with our smartphone, a notification is sent. We need to approve the request and after this use biometrics (face recognization or our fingerprint) for additional security.

We can now unlock our Windows device using our smartphone.

Or we can use our phone to sign in to Office 365 via the browser.

Configure IDmelon for shared devices

The solution for shared devices consists of the mobile app on our mobile device and the physical IDmeldon Reader.
The solution works by taping the phone to the reader when authentication is done. There is no need to install additional software on the Windows device.

An ideal solution for example for healthcare, retail, or manufacturing where users share their PCs. Every shared PC should be equipped with a reader. The user just taps the phone to the reader and is signed in to the PC.

So to get started the user downloads the mobile app from the Play Store or the App Store and configures the app as described earlier in this post.

Plugin the IDmelon reader and we’re ready to set this up.

To use the tap-n-login experience, we first need to register our phone as a security key in Office 365. Sign in to the Security info page, click Add method, choose Security key, USB device and follow the further instructions.

The registration process with the Reader is shown in the below video.

After the registration is done, we’re able to sign in to every shared Windows device in our environment equipped with an IDmeldon Reader.

IDmeldon as a standalon security key

The IDmeldon reader can also be used as a FIDO2 security key. Handy for example when you’re traveling and don’t have internet access to receive the approval notification.

To use the Reader as a security key, make sure it blinks green. If it blinks blue, hold the button for 3 seconds to change the operating mode.

The Reader itself needs to be registered separately in Office 365 as a security key. And can be managed via the Windows settings, like any other hardware security key. It is secured with a PIN code, as it’s not a bio version.

Get started yourself

For individual users, the non-shared solution is free as long as you activate the IDmeldon authenticator mobile app before the end of 2021! I think this is a great offer from IDmelon to get familiar with their solution, but also to get familiar with passwordless authentication if you don’t have a FIDO2 security key yet. Download the needed software and get started yourself!

Business users are charged a Dollar per user, per month. For businesses, IDmeldon provides a management panel with several features that can help the system admins to deploy a FIDO2 passwordless security key for their workspace.

That’s it for this blog post. I don’t have a shared device environment, but since I installed the IDmelon app on my personal device, I don’t use my password anymore when being lazy on the couch 🙂 So I really like the solution they offer. And I assume this is also really interesting for others.

Thanks for reading and happy testing!




9 Comments

  1. Hi Peter,

    Firstly, thanks for the amazing blog post!

    After pairing my phone with the pairing tool it says it paired succesfully, but when I re-open the tool it says “No smartphone is paired.”

    Also when I try to add the security key under security info > Add method > USB it keeps searching for a real USB instead of my phone.

      • Hi Peter,

        Yes, it shows in the app as a paired device. When I pair it with the tool, set a name and click done, the tool closes. When I re-open the tool “No smartphone is paired.”

        My test setup is an AADJ device logged in with an AAD user.

        Thanks for the answer. I’ll try and contact IDmelon support.

  2. This is the dumbest thing i have seen this year so far.

    The security of FIDO2 is that it’s a device that has a secure key storage, is OFFLINE, and can register on basically infinite sites with no “cloud” communication required.

    This retarded app is adding key storage is an online device. It requires a fracking account(!) and is saving a list of all sites you registered on… like what?

    And then you need a friggin huge dongle anyway to authenticate with it… Have you seeeeeeen how tiny the security keys are, get a yubikey, or a solo, stick it in and keep it there, forever.

    This is harmful to the FIDO2 name.

    • Thank you very much for your opinion Gunnar. Fortunately, it’s not my opinion.
      I’ve no relation with Idmelon, in whatever way. I only tested their solution, like I tested several other FIDO solutions. So I’m going to ‘defense’ this solution.
      But IDmelon is certified by the FIDO Alliance, so I can’t imagine it’s an unsafe solution. Even if the credentials private key is stored on a smartphones (it’s stored inside the smartphone’s secure element).
      And when you leave the FIDO key always connected to a PC, which is mostly connected to the internet, how offline is that 😉

      Regards,

      Peter

  3. Hi Peter,

    Great article – thank you.

    I went ahead and added multiple Keys for various client AAD User Accounts that I use.

    Unfortunately, when trying to authenticate the IDMelon App ONLY presents the User’s Display Name (from AAD, in my case always ‘David Masters’) and that it’s a Microsoft Key. The UPN is not displayed, making selection of the desired Key impossible. Do you know if it’s possible to edit the Name?

    Cheers
    David

Leave a Reply

Your email address will not be published.


*