Azure AD Passwordless Authentication with Yubico FIDO2 key

Lately I got the opportunity to test the latest Identity Authentication method with Azure AD. None other than the Passwordless Authentication. I will post few related articles on FIDO2 and what it does rather than re-explaining what has already well explained by the FIDO Alliance and Microsoft.

The good thing is passwordless methods can be activated on top of the standard Azure MFA methods (Authenticator and/or phone SMS).

More on FIDO alliance and how Microsoft uses this technology in Azure AD

FIDO Authentication – FIDO Alliance

How FIDO Works – Standard Public Key Cryptography & User Privacy (fidoalliance.org)

Azure Active Directory passwordless sign-in (preview) | Microsoft Docs

How to go passwordless with FIDO2 supported device?

Below is a FIDO2 USB key from Yubico
Device: YubiKey Series 5 NFC


Passwordless Authentication Flow

Before the steps on how to setup passwordless authentication, I would like to explain the authentication flow. Before the steps on how to setup passwordless authentication, I would like to explain the authentication flow

Diagram that outlines the steps involved for user sign-in with a FIDO2 security key
  1. The user plugs the FIDO2 security key into their computer.
  2. Windows detects the FIDO2 security key.
  3. Windows sends an authentication request.
  4. Azure AD sends back a nonce.
  5. The user completes their gesture to unlock the private key stored in the FIDO2 security key’s secure enclave.
  6. The FIDO2 security key signs the nonce with the private key.
  7. The primary refresh token (PRT) token request with signed nonce is sent to Azure AD.
  8. Azure AD verifies the signed nonce using the FIDO2 public key.
  9. Azure AD returns PRT to enable access to on-premises resources.

source: FIDO2 Security Keys


Azure AD Portal Configuration

Log in to the Azure AD portal and go to Azure Active Directory > Security

Select Authentication Methods under Manage and select FIDO2 Security Key (preview) option

Enable the option and add all users or a single user or a group

Other Settings

Allow Self-Service setup: Get the user to setup their own pin during the device initiliase setup
Enforce attestation: This will be used to check if the certificate is legitimate during the enrollment process
Enforce key restrictions: If Yes, that will give you the option to block some keys

Save the settings and exit the page.


User Configuration

Login to My Account (microsoft.com)

Click Update Info in Security Info box

The user will see all the previously added options here. Phone can be added only once, but you can add more than 1 Security key or Authenticator App

Click on Add Method > Select Security Key > Add

Select the Security Key type. I will be selecting the USB Device option

Clear instructions will be provided on how to continue with the next steps. Hit Next

Once you press Next, you will be redirected to the next step. Press OK

More information will beprovded as below

Press OK for this message and it will ask you to insert the USB key now

Once inserted, it will ask you to set the securty PIN. This will be the key combo that works with this perticular key going forward.

Why a PIN number? This is the PIN number that’s associated with this security key. In other words, its a PIN + Touch combo. If someone steals the USB key and knew the UPN, they still can’t get in because it needs the PIN to complete the authentication.

What if the user’s password is compromised? The standard is you must switch on MFA for user accounts. In this way even if the device is lost or the password is compromised, there is always another way to stop the attacker to come in.

To continue the setup, touch the USB key

As the last step it will ask you to name the key

And the completion notice

An Azure AD GUID will be created for this device

Admins can view the Key info from the user’s Authentication Methods in the Users blade in Azure AD


The Experience

Login to Office.com from any device. I use this address because it’s the one

Enter the email address > This will identify the tenant and the specific Security Features enabled for that account and will show the option to “Sign in with a security key

Once clicked, it will be redirected the below page and also will be prompted to insert the device

User will be prompted to enter the PIN setup in the device setup process

Once entered, the authentication flow will continue and will be prompted the user to touch the USB key

That is all and the user will be prompted to login.


Last words

Going passwordless is the future. Yes there are few steps to get into that state in an Office 365 account. Also you still have to use the password in case you have to fall back to a different method, but that is not getting used and it’s safe guarded by Multi Factor auth.

It would be nice if the IT Administrator can provision these devices as a bulk before sending it to the user. Looks like that feature is on the way so I’m hopeful.

feature image: Usb Sign Icon. Usb Flash Drive Stick Symbol. Vector Stock Vector – Illustration of portable, gradient: 155749652 (dreamstime.com)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.