In this tutorial we’ll explain and walk through the configuration of passwordless authentication in Azure AD, based on FIDO2 authentication.
Before diving into all of the required steps, let’s first explore and understand the basic concepts.
What the heck is FIDO2?
FIDO2 is an acronym for Fast Identity Online, and is a joint effort between the W3C (World Wide Web Consortium) and the FIDO Alliance. It consists of the WebAuthn (W3C) and CTAP (FIDO) standards and specifies a standard authentication protocol in which the endpoint consists of a cryptographic authenticator (such as a hardware key) and a WebAuthn Relying Party, also known as a FIDO2 server.
In a nutshell, FIDO2 enables organizations and users to use a USB key, smart card or smartphone to sign in to (online) services and identity providers like Azure AD. It combines two factors: something you know or are (such as a PIN or fingerprint) and something you have (such as a smartphone or USB key), which is also known as multi-factor authentication.
Why would I no longer use passwords?
These are the most common answers to this question:
- People reuse their passwords over and over again, which makes it easy to abuse one captured password against multiple services.
- Passwords are vulnerable to brute-force attacks, for example dictionary attacks.
- Passwords can be captured during input, for example with a hardware or software keylogger, or by looking over someone’s shoulder.
- And so on…
In addition, FIDO2 offers the following benefits:
- FIDO2 doesn’t rely on a pre-shared secret (like a password), but uses a public-private key pair for authentication. The identity provider (like Azure AD) holds the public key, while the private key remains on your own device (such as a YubiKey). You need both keys to be able to authenticate successfully.
- FIDO2 isn’t vulnerable to social engineering (such as the password-capture scenario above), since the attacker would need your device holding the private key.
- Each key is uniquely bound to one online identity (such as login.microsoft.com), so it cannot be reused for other identities.
Sounds promising, doesn’t it? Well, let’s get started with integrating FIDO2 passwordless authentication in Azure AD!
What you’ll need
- An active Azure AD tenant which is able to leverage Azure MFA functions.
- A global admin account in Azure AD
- A test account with normal privileges in Azure AD
- A FIDO2-compatible security key. In this tutorial I’m using a YubiKey (by Yubico).
No rocket science, right?
Enable FIDO2 authentication method
First you’ll need to enable the following feature preview setting:
1. Go to the Azure Portal (https://portal.azure.com) and log in using your Global Admin account.
2. Navigate to the Azure Active Directory blade > User settings. In the section User feature previews, click Manage user feature preview settings.
3. Enable the feature Users can preview features for registering and managing security info – enhanced. You can choose between All users or a selected group of users; I would recommend starting with a pilot group.
4. Now go back to the Azure Active Directory blade and navigate to the menu item Authentication methods.
5. Click FIDO2 Security Key, switch it on by clicking Yes and configure your target. Preferably select the same group as in step #3. Finally click Save.
6. From an administrative perspective you’re done now.
It’s time to switch over to the test account on which you are going to connect the security key.
Register FIDO2 key with Azure AD account
First, make sure you use Microsoft Edge as your browser to be able to connect the FIDO2 security key.
1. Navigate to the following link, and sign in using the test user.
2. On the Security info tab, add a method by clicking + Add method.
3. Choose Security key, and then click USB device.
4. Edge will now prompt you to insert the USB key (if not present already). In my case I used a Yubico key 2, which requires you to add a PIN code since the key lacks a fingerprint or NFC reader.
5. You can now sign out and sign back in again to test whether the key is working properly.
Note! There is a chance that the required authentication prompt is bypassed by (seamless) SSO. If this occurs, please use another PC or VM.
That’s it, you’re done! 🙂
Keep in mind, this feature is currently (as of July 19) in public preview and isn’t released as GA yet.
In addition, you can also enable FIDO2 passwordless authentication on Windows 10 sign-in.
I’ve written a second part of this tutorial here. Here’s a sneak preview:
Learn more about passwordless authentication in Azure at the following website: