With Microsoft Azure Active Directory you have an amazing capability to grow up your security for every single user in your environment. One of the capability is the method of passwordless sign-in. Passwordless sign-in means, the user can use other options as a password to login:
- Windows Hello for Business
- Microsoft Authenticator app
- FIDO2 security keys
In this blog post I will describe the option of FIDO2 security keys in a easy scenario.
What is FIDO
FIDO means Fast IDentity Online and it comes from the FIDO Allianz. The goal is to develop a standard with which it is possible to authenticate in web with more secure. The FIDO Allianz develop to specifications
Both specifications comes together in FDIO standard.
The FIDO key generate a public key within the private key and with the server address. The public key will be saved on the server and used for authentication. Only with the private key the authorization can be done and successful.
FIDO2 security keys
My decision
With the Yubico FIDO2 key I bought a simple all in one key for a Passwordless authentication. In my case I use the easiest version without NFC (Amazon). In this case you have no possibility to authenticate with you mobile phone and the FIDO2 key.
Workflow if you use FIDO2 with Azure Active Directory
How a FIDO2 key like Yubico make a authentication you can find on Microsoft Docs:
- The user plugs the FIDO2 security key into their computer.
- Windows detects the FIDO2 security key.
- Windows sends an authentication request.
- Azure AD sends back a nonce.
- The user completes their gesture to unlock the private key stored in the FIDO2 security key’s secure enclave.
- The FIDO2 security key signs the nonce with the private key.
- The primary refresh token (PRT) token request with signed nonce is sent to Azure AD.
- Azure AD verifies the signed nonce using the FIDO2 public key.
- Azure AD returns PRT to enable access to on-premises resources
Active Passwordless sign-in in Azure Active Directory
Martin Alter 