FIDO keys are hardware-based authentication devices, and the same key can be registered with a number of different sites. I use mine to protect my Azure AD login, GitHub and a few other places. In this section, I will go over the process of enabling FIDO2 security-key sign-in for Azure AD.
In part 1, I went over methods for passwordless login and set up the Microsoft Authenticator app.
The process below was documented using a YubiKey.
Setting up Azure AD passwordless login with FIDO2
To enable passwordless sign-in with FIDO2 security keys:
- Open the Azure portal and navigate to Azure Active Directory.
- Scroll down to the Authentication methods policy (Preview) section.
- Select FIDO2 Security Key, set Enable to Yes and target All users. You can target a specific group instead if you want a staged rollout; a pilot group is the safer choice while you confirm the keys work.
- Click Save.
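The same policy change can be made from Microsoft Graph, which is easier to repeat across tenants and to review in change control. The following is an added example, not from the original post: it assumes the Microsoft.Graph PowerShell module is installed, that the signed-in admin can consent to Policy.ReadWrite.AuthenticationMethod, and that `<pilot-group-object-id>` is replaced with a real group object id (use `all_users` to match the portal's All users choice). It also turns on attestation enforcement, which the portal step above leaves at its default.

```powershell
# Added example (not from the original post): enable the FIDO2 security key
# authentication method through Microsoft Graph instead of the portal.
# Assumes the Microsoft.Graph module and an admin who can grant
# Policy.ReadWrite.AuthenticationMethod. <pilot-group-object-id> is a placeholder.

Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

$uri = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2"

# Target a pilot group first; set id to "all_users" to match the portal's "All users".
$target = @{
    targetType             = "group"
    id                     = "<pilot-group-object-id>"
    isRegistrationRequired = $false
}

$body = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationEnabled = $true   # lets users add keys at aka.ms/mysecurityinfo
    isAttestationEnforced            = $true   # reject keys that cannot prove their make and model
    keyRestrictions                  = @{
        isEnforced      = $false               # set to $true and list AAGUIDs to allow only approved models
        enforcementType = "allow"
        aaGuids         = @()
    }
    includeTargets                   = @($target)
}

Invoke-MgGraphRequest -Method PATCH -Uri $uri -ContentType "application/json" `
    -Body ($body | ConvertTo-Json -Depth 5)

# Read the policy back so the change is confirmed from the tenant, not assumed.
$policy = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
$policy | Select-Object state, isSelfServiceRegistrationEnabled, isAttestationEnforced
$policy.includeTargets | Format-Table targetType, id, isRegistrationRequired
```

Attestation enforcement is worth switching on before users start registering: it lets Azure AD verify the key's make and model from its attestation certificate, and it is the prerequisite for restricting registration to an allow-list of AAGUIDs later. Keys registered while attestation was off cannot be retroactively trusted.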
Users can self-manage their MFA settings via the security info portal. The first step is to make sure you have a security key; then you can add it to your account.
Make sure your key is not plugged into the computer yet.
Browse to https://aka.ms/mysecurityinfo
- Click Add method and choose Security key
- Next, select either USB or NFC
- Follow the prompts, insert your key and touch it when asked. You will be asked to set a PIN, or to enter the existing one if the key already has one. The PIN is stored on the key itself rather than in Azure AD, and the same PIN unlocks the key for every site it is registered with.
- Name your security key so you can identify it in the security info portal; this matters once you register a second key as a backup
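An administrator can confirm the registration from the tenant side rather than trusting the user's screen. The following is an added example, not from the original post: it assumes the Microsoft.Graph PowerShell module, consent to UserAuthenticationMethod.Read.All, and that `<user-upn>` is replaced with the user's UPN. It lists the user's registered FIDO2 keys with the model Azure AD derived from attestation, and flags keys that were registered without attestation.

```powershell
# Added example (not from the original post): list a user's registered FIDO2 keys
# from Microsoft Graph and flag any registered without attestation.
# Assumes the Microsoft.Graph module and UserAuthenticationMethod.Read.All.
# <user-upn> is a placeholder.

Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All"

$upn  = "<user-upn>"
$uri  = "https://graph.microsoft.com/v1.0/users/$upn/authentication/fido2Methods"
$keys = (Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject).value

if (-not $keys) {
    Write-Warning "No FIDO2 security keys registered for $upn"
    return
}

# One row per key: the name the user gave it, plus what the key proved about itself.
foreach ($k in $keys) {
    [pscustomobject]@{
        Name             = $k.displayName
        Model            = $k.model
        AAGUID           = $k.aaGuid
        Registered       = $k.createdDateTime
        AttestationLevel = $k.attestationLevel
    }
}

# Keys added before attestation enforcement was switched on show "notAttested":
# Azure AD could not verify their make or model, so have them re-registered.
$unattested = @($keys | Where-Object { $_.attestationLevel -ne "attested" })
if ($unattested.Count -gt 0) {
    Write-Warning ("{0} key(s) registered without attestation: {1}" -f `
        $unattested.Count, ($unattested.displayName -join ", "))
}
```

The AAGUID identifies the key model, so this output is also how you collect the identifiers for a key allow-list if you later decide to restrict registration to approved hardware.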
Once the key has been set up, you can use it for browser sign-in and even Windows 10 sign-in. To test the key, sign in to Office 365 through the browser:
- On a Windows 10 device
- Browse to https://portal.office.com
- On the login page, select Sign-in options
- Select Sign in with Windows Hello or a security key
- In the pop-up that follows, choose Security key
- Enter your PIN, then touch your key when prompted
At this point, you should be able to sign in to Azure AD with your security key. The process is the same on a Mac, with one difference: Safari did not support security-key sign-in at the time of writing. In Chrome, the option appears as Sign in with a security key.
Signing in to a browser with passwordless works great, but what about desktops? Windows 10 does allow passwordless sign-in to the desktop. I will cover this in the next post, including locking the workstation down so that only FIDO2 keys are accepted for sign-in.