AzureAD Passwordless Sign in with FIDO – Part 2


FIDO keys provide you with a hardware-based authentication device. The keys can be used on a number of different sites as well. I use the keys to protect my AzureAD login, GitHub and a few other places as well. In this section, I will go over the process to enable FIDO2 security key sign-in for AzureAD.

In part 1, I went over methods for Passwordless login and set up the Microsoft Authenticator App.

https://craigwilson.blog/2019/09/29/azuread-passwordless-sign-in-part-1/

The below process has been documented using a Yubikey.

Setting up AzureAD for Passwordless login with FIDO.

To allow passwordless sign-in with FIDO2 security keys:

  • Open Azure Portal and navigate to Azure Active Directory.
  • Scroll down to the Authentication Methods policy (Preview) section.
  • Under FIDO2 Security Key, select Enable and target All users (you can target just a group if you wish).
  • Click Save.

[Screenshot: AADEnableFido]
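The same policy change as an added example (not from the original post), made through the Microsoft Graph PowerShell SDK instead of the portal. It assumes the Microsoft.Graph.Authentication module is installed and an account that can consent to the Policy.ReadWrite.AuthenticationMethod scope; `<pilot-group-object-id>` is a placeholder for your own group's object ID.

```powershell
# Added example: enable the FIDO2 security key authentication method via Microsoft Graph.
# Assumes Microsoft.Graph.Authentication is installed (Install-Module Microsoft.Graph.Authentication).
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

$uri = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2"

# Read the current state before changing anything.
$before = Invoke-MgGraphRequest -Method GET -Uri $uri
"FIDO2 state before: $($before.state)"

# Scope the rollout to a pilot group first. To enable it for everyone, use
# targetType 'group' with id 'all_users' instead of the group object ID.
$body = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationEnabled = $true     # lets users register keys at aka.ms/mysecurityinfo
    includeTargets                   = @(
        @{ targetType = "group"; id = "<pilot-group-object-id>" }   # placeholder, replace with your group
    )
}

Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body ($body | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Verify the change took effect: state should now be 'enabled' and the target listed.
$after = Invoke-MgGraphRequest -Method GET -Uri $uri
"FIDO2 state after: $($after.state)"
$after.includeTargets | ForEach-Object { "  target: $($_.targetType) $($_.id)" }
```

Reading the configuration back after the PATCH is the equivalent of checking the portal shows Enable and the intended group before you tell users to register keys.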

Users can self-manage their MFA settings via the security portal. The first stage is to make sure you have the security key; then you can add the key to your account.

Make sure your key is not plugged into the computer yet.

Browse to https://aka.ms/mysecurityinfo

  • Click Add Method and choose a Security Key
  • Next select either USB or NFC
  • Follow the prompts and insert your key, select the PIN you want to use
  • Name your security key so you can identify it in the security portal

Once the key has been set up, you can use it for browser logins and even Windows 10 logins. To test the key, attempt to log in via the browser to Office 365.

[Screenshot: Signinoptions]

  • Select Sign in with Windows Hello or a security key
  • On the next pop-up, choose security key
  • Enter your PIN and then touch your key when prompted

At this point, you should be able to log in to AzureAD with your security key. The process is the same for a Mac as well. The difference is that the login is not supported by Safari yet. Using a Chrome browser, the option appears as Sign in with a security key.

[Screenshot: MacSignIn]

Logging in to a browser with Passwordless works great, but what about desktops? Windows 10 does allow Passwordless login to desktops. I will cover this in the next post, including locking the workstation down so that only FIDO keys are enabled for sign-in.
