Preview of Passwordless FIDO2-based Security Keys’ Support for Hybrid Azure AD

Welcome to join the passwordless secure authentication environment.

Microsoft announced a public preview of Hybrid Azure AD support for FIDO2-based passwordless sign-in.
The preview delivers users with a fast, easy, passwordless and secure way to access Windows devices and all Azure-connected apps and services.

Microsoft’s passwordless authentication currently supports Windows Hello for Business and FIDO2 security keys. Windows Hello for Business is available for employees using dedicated computers; The FIDO2 security key can be used for both employees who use a dedicated computer and those who may use shared PCs in their workplace.

AuthenTrend is a member of both the FIDO Alliance and the Microsoft Intelligent Security Association (MISA). Our series of security keys include ATKey.Pro and ATKey.Card are fingerprint-based FIDO2 biometric keys. Based on FIDO2 standard, the private key or any fingerprints info would never leave in the security key, or can it be copied or accessed from the device.

If you are interested in any of our ATKeys’ technical details, please feel free to contact us.

Let’s see the process going when a user signs in with a FIDO2 security key: (Read the full version at docs.Microsoft.com)

1. The user plugs the FIDO2 security key into their computer.
2. Windows detects the FIDO2 security key.
3. Windows sends an authentication request.
4. Azure AD sends back a nonce.
5. The user completes their gesture to unlock the private key stored in the FIDO2 security key’s secure enclave.
6. The FIDO2 security key signs the nonce with the private key.
7. The primary refresh token (PRT) token request with signed nonce is sent to Azure AD.
8. Azure AD verifies the signed nonce using the FIDO2 public key.
9. Azure AD returns PRT to enable access to on-premises resources.

 

While there are many keys that are FIDO2 certified by the FIDO Alliance, Microsoft requires some optional extensions of the FIDO2 Client-to-Authenticator Protocol (CTAP) specification to be implemented by the vendor to ensure maximum security and the best experience.

A security key MUST implement the following features and extensions from the FIDO2 CTAP protocol to be Microsoft-compatible:

 

Let’s get started! 

Please check the important requirements and unsupported scenarios before you start. (Read the full version at docs.Microsoft.com)

Requirements

Prepare devices

 

1. Azure Active Directory-joined (AADJ) : Azure AD joined devices that you are piloting during the feature preview must run Windows 10 version 1909 or higher.
2. Hybrid Azure Active Directory-joined (Hybrid AADJ): Hybrid Azure AD joined devices must run Windows 10 version 2004 or newer.
3. ATKey.Pro / ATKey.Card: FIDO2 Security Key

 

Enable the use of security keys for Windows sign-in 

• Enable with Intune

  To enable the use of security keys using Intune, complete the following steps:

  1. Sign in to the Azure portal.
  2. Browse to Microsoft Intune > Device enrollment > Windows enrollment > Windows Hello for Business > Properties.
  3. Under Settings, set Use security keys for sign-in to Enabled.

  Configuration of security keys for sign-in isn’t dependent on configuring Windows Hello for Business.

• Targeted the Intune deployment

  To target specific device groups to enable the credential provider, use the following custom settings via Intune:

  1. Sign in to the Azure portal.
  2. Browse to Microsoft Intune > Device configuration > Profiles > Create profile.
  3. Configure the new profile with the following settings:
     • Name: Security Keys for Windows Sign-In
     • Description: Enables FIDO Security Keys to be used during Windows Sign In
     • Platform: Windows 10 and later
     • Profile type: Custom
     • Custom OMA-URI Settings:
       • Name: Turn on FIDO Security Keys for Windows Sign-In
       • OMA-URI: ./Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin
       • Data Type: Integer
       • Value: 1
  4. This policy can be assigned to specific users, devices, or groups. For more information, see Assign user and device profiles in Microsoft Intune.

  

• Enable with a provisioning package

For devices not managed by Intune, a provisioning package can be installed to enable the functionality. The Windows Configuration Designer app can be installed from the Microsoft Store. Complete the following steps to create a provisioning package:

1. 1. Launch the Windows Configuration Designer.
   2. Select File > New project.
   3. Give your project a name and take note of the path where your project is created, then select Next.
   4. Leave Provisioning package selected as the Selected project workflow and select Next.
   5. Select All Windows desktop editions under Choose which settings to view and configure, then select Next.
   6. Select Finish.
   7. In your newly created project, browse to Runtime settings > WindowsHelloForBusiness > SecurityKeys > UseSecurityKeyForSignIn.
   8. Set UseSecurityKeyForSignIn to Enabled.
   9. Select Export > Provisioning package
   10. Leave the defaults in the Build window under Describe the provisioning package, then select Next.
   11. Leave the defaults in the Build window under Select security details for the provisioning package and select Next.
   12. Take note of or change the path in the Build windows under Select where to save the provisioning package and select Next.
   13. Select Build on the Build the provisioning package page.
   14. Save the two files created (ppkg and cat) to a location where you can apply them to machines later.
   15. To apply the provisioning package you created, see Apply a provisioning package.

• Enable with Group Policy (Hybrid AAD joined devices only)

For hybrid Azure AD joined devices, organizations can configure the following Group Policy setting to enable FIDO security key sign-in. The setting can be found under Computer Configuration > Administrative Templates > System > Logon > Turn on security key sign-in:

• • Setting this policy to Enabled allows users to sign in with security keys.
  • Setting this policy to Disabled or Not Configured stops users from signing in with security keys.

This Group Policy setting requires an updated version of the credentialprovider.admx Group Policy template. This new template is available with the next version of Windows Server and with Windows 10 20H1. This setting can be managed with a device running one of these newer versions of Windows or centrally by following the guidance in the support topic, How to create and manage the Central Store for Group Policy Administrative Templates in Windows.

 

 

 

 

Sign in with ATKeys

1. Enrolling fingerprint(s) with your ATKeyWindows 10 version 1903 or higher

   1. Users can open Windows Settings on their device > Accounts > Security Key
      
   2. For first-time use, a PIN code is required for the ATKey
   3. Users can change their PIN, update biometrics, or reset their security key

2. Connecting the key with the Windows Azure AD User Account

   

Once logged in, we can seamlessly access Office 365 without further authentication. Passwordless authentication works in offline scenarios as well.

 

 

 

 

If you are interested in any of our ATKeys’ technical details, please feel free to contact us.