iphase.dk Michael Mardahl, MVP
Passwordless journey with FIDO2 - Part 1 - Getting started with Security keys
>> Why Passwordless?
FIDO2, Multifactor Authentication, passwordless, Windows Hello for Business, Microsoft Authenticator, Security keys - these security buzzwords are taking the spotlight, and with good reason.
(https://msendpointmgr.com/wp-content/uploads/2019/10/fido2.png)
(https://msendpointmgr.com/wp-content/uploads/2019/10/AzureAD.png)
In a time of targeted ransomware attacks, a password alone is no longer enough. The benefits of going passwordless with FIDO2:
* No more shoulder surfing
* No more account hijacking
* No more forgotten password helpdesk requests
* No more password phishing
* No more password reuse
* No more typing "October2019#" several times a day
* No more passwords!
If you're on the fence, check out Microsoft's whitepaper: Go Passwordless (https://aka.ms/gopasswordless)
>> The Requirements
* AZURE AD JOINED DEVICES required for Windows 10 sign-in with FIDO2 (Hybrid-Joined support was in preview)
* Token must support specific FIDO2 CTAP protocol features
* FIDO2 Security key authentication enabled in your Tenant
* Combined security information registration enabled
* A browser that supports WebAuthN
* Windows 10 1809 or newer
On Hybrid-Joined or Azure AD registered-only devices, passwordless sign-in is limited to websites, through the browser's WebAuthN support; the Windows lock screen option is not available there.
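An added example (not code from the original post) that checks the two device-side requirements above: it reads the join state from `dsregcmd /status` output and compares the OS build against 17763 (Windows 10 1809). The function name, result fields and the sample dsregcmd lines are my own construction.

```powershell
# Added example, not from the original post: device-side readiness check for
# Windows 10 security-key sign-in. Sample dsregcmd output below is constructed.
function Test-Fido2SignInReadiness {
    param(
        [Parameter(Mandatory)] [string[]] $DsregOutput,  # lines from `dsregcmd /status`
        [Parameter(Mandatory)] [int]      $OsBuild       # 17763 = Windows 10 1809
    )
    # dsregcmd prints "Name : YES/NO" pairs; keep the three join-state flags.
    $state = @{ AzureAdJoined = $false; DomainJoined = $false; WorkplaceJoined = $false }
    foreach ($line in $DsregOutput) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined)\s*:\s*(YES|NO)\s*$') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    # Map the flags to the join types the post distinguishes.
    if ($state.AzureAdJoined -and $state.DomainJoined) { $joinType = 'Hybrid Azure AD joined' }
    elseif ($state.AzureAdJoined)                       { $joinType = 'Azure AD joined' }
    elseif ($state.WorkplaceJoined)                     { $joinType = 'Azure AD registered' }
    else                                                { $joinType = 'Not Azure AD joined or registered' }
    $buildOk = $OsBuild -ge 17763
    # Lock-screen FIDO2 sign-in needs a pure Azure AD join on 1809 or newer;
    # hybrid or registered devices only get WebAuthN in the browser.
    $scope = switch ($joinType) {
        'Azure AD joined' { if ($buildOk) { 'Windows sign-in and browser' } else { 'Browser only (OS build older than 1809)' } }
        'Not Azure AD joined or registered' { 'None' }
        default { 'Browser only (WebAuthN)' }
    }
    [pscustomobject]@{
        JoinType          = $joinType
        OsBuild           = $OsBuild
        BuildMeets1809    = $buildOk
        PasswordlessScope = $scope
    }
}

# Constructed sample output (not captured from a real machine).
$sample = @'
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
           WorkplaceJoined : NO
'@ -split "`r?`n"

Test-Fido2SignInReadiness -DsregOutput $sample -OsBuild 17763

# On a real machine, feed it the live values instead:
# Test-Fido2SignInReadiness -DsregOutput (dsregcmd /status) `
#     -OsBuild ([int](Get-CimInstance Win32_OperatingSystem).BuildNumber)
```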
>> The First Few Hurdles
Registering keys via the mysignins (https://mysignins.microsoft.com) portal is simple after enabling the new registration experience, but watch out for:
* Proxy/firewall blocking Microsoft sites causing infinite reload loops
* Occasional "Sorry, we can't sign you in" glitch that resolves in seconds
Once in, manage your security keys:
For Windows 10 sign-in, I had to refresh (re-install) my 1903 machine to get the FIDO security key option on the lock screen:
>> The Token Vendors
Microsoft partnered with Feitian Technologies, HID Global, and Yubico at launch. Others have since joined.
>> Yubico
(https://msendpointmgr.com/wp-content/uploads/2019/10/yubico_logo.png)
* Swedish/US based, Microsoft partner at launch
* FIDO2 Certified (Level 1)
* Wide range of keys, international shipping
YUBIKEY 5 NFC (USB-A) AND YUBIKEY 5C (USB-C):
Full FIDO2 CTAP protocol support. The USB-C key is tiny - maybe too tiny. Durable and waterproof.
Features overview: Yubico YubiKey 5 (https://www.yubico.com/products/yubikey-5-overview/)
>> eWBM
(https://msendpointmgr.com/wp-content/uploads/2019/10/ewbm_logo.png)
* Korean/US based, Microsoft Intelligent Security Association member
* Integrated biometrics
* FIDO2 CERTIFIED (LEVEL 2) - world's first and only at time of writing
GOLDENGATE SECURITY KEY G310 (USB-A) AND G320 (USB-C):
Endorsed by Microsoft. The biometrics are fast, but there is no NFC support. More durable than the YubiKeys. You can register multiple fingers, but the key keeps no index of which fingers are enrolled.
Features: eWBM Goldengate series (https://www.ewbm.com/page/Goldengate)
>> Solokeys
(https://msendpointmgr.com/wp-content/uploads/2019/10/Solokeys_logo.png)
* US based, crowdfunded
* First open-source FIDO2 key
* Not really a passwordless key per their FAQ
* Not very robust - users will break them
SOLO TAP USB-A (NFC):
Not officially supported by Microsoft for Azure AD. Has a real push button and NFC (Android only).
>> The end of part 1
Next part: Passwordless journey with FIDO2 - Part 2 - Usage experiences (https://msendpointmgr.com/2019/11/18/passwordless-journey-with-fido2-part-2-usage-experiences/)