Azure Active Directory passwordless sign-in with FIDO2 Security Keys
In my previous series called Lost in Azure Cloud Identity (you can find the first article here) I described how to secure applications with Azure Active Directory and Azure Active Directory B2C identity services. In this article, I would like to present how to access the Tech Mind Factory Corporate Application using FIDO2 Security Keys. Thanks to the FEITIAN company I was able to receive two BioPass FIDO2 Security Keys for tests. I want to present how to set up these keys with Azure Active Directory to enable passwordless sign-in in the Tech Mind Factory Corporate Application. The source code of the application is available on my GitHub and its configuration is described in this previous article.
FEITIAN BioPass FIDO2 Security Keys
For tests I used FEITIAN BioPass FIDO2 Security Keys, model K26 (USB-C) and K27 (USB-A). It is worth mentioning that FEITIAN is a member of the Microsoft Intelligent Security Association (MISA).
Configuration is straightforward, so let me explain the steps.
Enable passwordless in the Azure Active Directory
To enable the FIDO2 passwordless authentication method, sign in as an administrator to your Azure Active Directory tenant. Then follow the steps below:
- From the left menu, select Security:
- Then select Authentication methods:
- In the next blade, select FIDO2:
- Enable the FIDO2 authentication method and decide whether you want to enable it for all users (as in my example). There are also two important settings to mention:
- Allow self-service setup - this option should remain set to Yes. If set to No, your users will not be able to register a FIDO key through the MySecurityInfo portal, even if the method is enabled by the Authentication Methods policy.
- Enforce attestation - when this setting is enabled, it requires the FIDO security key metadata to be published and verified with the FIDO Alliance Metadata Service, and also to pass Microsoft's additional set of validation testing.
Great, now users can register and manage the FIDO2 Security Keys they use to sign in.
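The same three settings can be audited outside the portal. The following script is an added example, not code from the original article: it reads the tenant's FIDO2 authentication method configuration from Microsoft Graph (the `/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2` resource, with a token holding `Policy.Read.All`, both assumed here) and reports any drift from the hardened state described above (method enabled for all users, self-service registration allowed, attestation enforced). The `GRAPH_TOKEN` variable name and the sample policy are constructed for the demonstration.

```python
import json
import os
import urllib.request

# Microsoft Graph resource for the FIDO2 method configuration (assumed; not from the article).
GRAPH_URL = ("https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"
             "/authenticationMethodConfigurations/fido2")

# The settings the article enables in the portal.
EXPECTED = {
    "state": "enabled",                      # FIDO2 method switched on
    "isSelfServiceRegistrationEnabled": True,  # "Allow self-service setup" = Yes
    "isAttestationEnforced": True,             # "Enforce attestation" = Yes
}


def check_fido2_policy(config: dict) -> list[str]:
    """Return findings where the tenant policy deviates from EXPECTED (empty = compliant)."""
    findings = []
    for key, wanted in EXPECTED.items():
        actual = config.get(key)
        if actual != wanted:
            findings.append(f"{key}: expected {wanted!r}, got {actual!r}")
    # The article targets all users; Graph expresses that as the 'all_users' group target.
    if not any(t.get("id") == "all_users" for t in config.get("includeTargets", [])):
        findings.append("includeTargets: 'all_users' group not targeted")
    return findings


def desired_patch_body() -> dict:
    """Body for a PATCH to GRAPH_URL that applies the expected settings."""
    return {
        "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
        **EXPECTED,
        "includeTargets": [{"targetType": "group", "id": "all_users",
                            "isRegistrationRequired": False}],
    }


def fetch_fido2_policy(token: str) -> dict:
    """Read the live configuration with a bearer token (needs Policy.Read.All)."""
    req = urllib.request.Request(GRAPH_URL, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample of a weaker policy so the check runs offline without a tenant.
    sample = {"state": "enabled", "isSelfServiceRegistrationEnabled": False,
              "isAttestationEnforced": False, "includeTargets": []}
    policy = fetch_fido2_policy(os.environ["GRAPH_TOKEN"]) if "GRAPH_TOKEN" in os.environ else sample
    for finding in check_fido2_policy(policy):
        print("FINDING:", finding)
```

Applying `desired_patch_body()` with a PATCH requires the `Policy.ReadWrite.AuthenticationMethod` permission; the script above only reads.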
User registration and management of FIDO2 security keys
Once the passwordless authentication method is enabled in the Azure Active Directory tenant, we can add our FIDO2 Security Key. Follow these steps:
1. Sign in to https://myprofile.microsoft.com/
2. Select Security info:
3. Remember to plug in your FIDO2 Security Key (USB-A or USB-C)
4. Select Add method:
5. Select Security key from the list:
6. To set up the security key, we have to sign in with two-factor authentication (if there is no Azure AD Multi-Factor Authentication method registered, the user must add one first). In my case I have the Authenticator app installed on my phone:
7. Once the request is approved in the Authenticator app, we can select the security key type - in this case USB device:
8. As I mentioned before, remember to plug in your security key:
9. Once we click the Next button, we are redirected to the page where we can start registering our FIDO2 security key:
10. First, we have to set the PIN:
Then we are asked to touch the key:
We have to repeat the process. In the last step we have to name our device:
That’s it! Now we can use our FIDO2 device to access Tech Mind Factory Corporate Web App.
TMF Corporate Web App passwordless sign-in
Here is the Tech Mind Factory Corporate Web App:
After clicking the SIGN IN button, we are redirected to the Azure AD page. On this page we have to select Sign-in options:
Then Sign in with Windows Hello or security key:
Then we have to click Security key:
Once we provide the PIN and touch the device, we are authenticated:
We can access app functionalities now:
In this article, we discussed how to enable passwordless authentication using FEITIAN Security Keys and Azure Active Directory. If you want to learn more, I encourage you to check the official documentation provided by Microsoft, and this explanation introducing passwordless sign-in with Azure AD. If you want to check other products from FEITIAN, see this page.