The last couple of years there has been a lot of discussions about #passwordless authentication in the IT industry from a security perspective. End users had always been frustrated to remember multiple passwords. Passwordless authentication offers flexibility and smooth user experience containing something you have and something you are or know.
Currently, there are several options for passwordless authentication towards Azure AD which are briefly described below. This blog post concentrates mostly to FIDO2 security key configuration and usage.
Introduction
Windows Hello for Business (WHfB)
Windows Hello for Business has been there a while and it offers passwordless authentication to on-premises and also to cloud services. User credential is tied to a device and uses a biometric or PIN.
Microsoft Authenticator App
Phone sign-in was launched last year (still in preview) and I wrote a blog on how to configure it back in October. Even still in preview, some configurations steps needed have been changed since October 2018. At then, I needed to configure Azure AD policy via PowerShell but nowadays you can enable the feature to selected/all users from the Azure AD portal.
FIDO2 Security Keys (docs.microsoft.com)
FIDO2 security keys are an unphishable standards-based passwordless authentication method that can come in any form factor. Fast Identity Online (FIDO) is an open standard for passwordless authentication. It allows users and organizations to leverage the standard to sign in to their resources without a username or password using an external security key or a platform key built into a device.
For a public preview, employees can use external security keys to sign in to their Azure Active Directory Joined Windows 10 machines (running version 1809 or higher) and get single-sign on to their cloud resources. They can also sign in to supported browsers.
FIDO2 Security Keys
Requirements
- Azure AD tenant with Azure MFA capabilities
- Combined registration preview with users enabled for SSPR
- Compatible FIDO2 security keys
- WebAuthN requires Microsoft Edge on Windows 10 version 1809 or higher
- FIDO2 based Windows sign-in requires Azure AD joined Windows 10 version 1809 or higher
Users relying on WIA SSO that use managed credentials like FIDO2 security keys or passwordless sign in with Microsoft Authenticator app need to Hybrid Join on Windows 10 to get the benefits of SSO. However, security keys only work for Azure Active Directory Joined machines for now. We recommend you only try out FIDO2 security keys for the Windows lock screen on pure Azure Active Directory Joined machines.
The security keys used must have specific feature and extensions from FIDO2 CTAP protocol to be Microsoft-compatible, read more from here.
Configuration
The first task is to enable Credential Provider to devices that will be used in the FIDO2 scenario. The easiest approach is to use Intune for configuration and create necessary profile configuration for AAD Joined Windows 10 devices.
I tried to create and install the package manually but had no luck with it. Happy to take feedback about what might be wrong.
Because I’m curious, I also tried (against MS recommendation) to deploy security keys configuration to Windows 10 device which is only registered to Azure AD, not joined to AAD. The end result is seen from the second pictures below. I also did some troubleshooting but was unable to find a way to get it to work.
The first picture is from installing a provisioning package manually. The second and thirds ones are from Intune deployment test to non-AAD joined device.
Intune Configuration – Create configuration profile for Windows 10 and later devices with following settings
- OMA-URI: ./Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin
- Data type: Integer, Value 1
- Assign Policy: Pilot group in the first phase
Azure AD Configuration
To enabled FIDO2 security keys to your tenant navigate to aad.portal.com and “Authentication methods” blade. From there select FIDO2 security key and you can configure needed settings.
At the time of writing in preview, all the features do not work, see Microsoft recommendation below “do not change key restriction policies”.
FIDO2 Security Keys – User Experience
When the configuration is ready, the user can self register FIDO2 security keys in to use from https://myprofile.microsoft.com web site and add security key as an additional authentication method.
Note: Currently, administrators cannot manage security keys on-behalf of the users.
When the key has been added successfully, it can be used to sign-in from the W10 lock screen or via supported web browsers.
W10 lock screen
Web Browser
Login with a web browser works currently with Microsoft Edge and Firefox. Sorry about the Finnish language at pictures below, it’s encrypted by default to most of you guys:)
Limitations
As with every new feature which is at preview mode there are some limitations.
- Admins cannot provision the security keys on-behalf of the users
- Azure AD Join device is needed for login with security keys (not apply to web login)
- After UPN change of the user, FIDO2 security key modifications are not available for that specific account
Sam's Corner 
Hi
nice write-up. I’m a bit confused over what advantages the FIDO2 method has over Windows Hello for businesses- seems to be doing very similar password-less authentication? I assume there is some obvious I am missing….
Cheers
Dave
Hi Dave,
It’s an excellent question and I was thinking the same when wrote this blog post. The main difference is when using WHfB you need to have your own designated device (WHfB use the device for storing the keys/certs). There are quite many requirements for WHfB depending on the deployment model (key/cert) and infrastructure architecture.
Naturally, FIDO2 has requirements for the device but it doesn’t require a dedicated device. This means that if a device supports FIDO2 autH you can logon to the environment from any device. This scenario would be extremely useful in workplaces where people tend to switch between places during a day, for example, hospitals, airports, etc.
Both solutions offer much better security than only username+password and FIDO2 is much easier to deploy.