Azure Active Directory passwordless sign-in with FIDO2

With Microsoft Azure Active Directory you have an amazing capability to grow up your security for every single user in your environment. One of the capability is the method of passwordless sign-in. Passwordless sign-in means, the user can use other options as a password to login:

  • Windows Hello for Business
  • Microsoft Authenticator app
  • FIDO2 security keys

In this blog post I will describe the option of FIDO2 security keys in a easy scenario.

What is FIDO

FIDO means Fast IDentity Online and it comes from the FIDO Allianz. The goal is to develop a standard with which it is possible to authenticate in web with more secure. The FIDO Allianz develop to specifications

  • U2F (Universal 2nd Factor)
  • UAF (Universal Authentication Framework)

Both specifications comes together in FDIO standard.

The FIDO key generate a public key within the private key and with the server address. The public key will be saved on the server and used for authentication. Only with the private key the authorization can be done and successful.

FIDO2 security keys

My decision

With the Yubico FIDO2 key I bought a simple all in one key for a Passwordless authentication. In my case I use the easiest version without NFC (Amazon). In this case you have no possibility to authenticate with you mobile phone and the FIDO2 key.

Workflow if you use FIDO2 with Azure Active Directory

How a FIDO2 key like Yubico make a authentication you can find on Microsoft Docs:

  1. The user plugs the FIDO2 security key into their computer.
  2. Windows detects the FIDO2 security key.
  3. Windows sends an authentication request.
  4. Azure AD sends back a nonce.
  5. The user completes their gesture to unlock the private key stored in the FIDO2 security key’s secure enclave.
  6. The FIDO2 security key signs the nonce with the private key.
  7. The primary refresh token (PRT) token request with signed nonce is sent to Azure AD.
  8. Azure AD verifies the signed nonce using the FIDO2 public key.
  9. Azure AD returns PRT to enable access to on-premises resources

Active Passwordless sign-in in Azure Active Directory

Azure AD Security
Authentication method
combine security info registration
activate combine security info registration
restrict key to use
https://mysignins.microsoft.com/
select USB device
select USB security key
security key ready
configure key
choose a pin
activate security key
finish setup
see the AAGUID

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s