Passwords, the most common thing to authenticate with for years. Everyone knows about it and/or uses it. Since passwords are a weak security feature, and are the prime target for attacks something needs to change. Microsoft promotes the passwordless logon for quite some time. In this blog Microsoft describes exactly why we should get rid of passwords. But, how do u configure passwordless logon and what does replace the good old password?
Being able to logon with a Security Key requires some configuration in the tenant and by the users. Microsoft has released a passwordless deployment wizard here. This will help you to plan and deploy the passwordless configuration for your endpoints and user identities. The complete documentation on Passwordless logon can be found here.
In my tenant I’ve already configured FIDO2 authentication. The status is therefor shown as “On”. If your tenant does not have FIDO2 enabled it will show “Off”. Because my tenant is already prepared I’ll skip this wizard and tell you how it’s done.
Administrator: Enable FIDO2 Authentication
- Enable the FIDO2 Security Key setting.
- Depends on your strategy. I prefer testing with a pilot group. Therefor i chose “Selected users“.
- Selected the Azure AD group with pilot users (if step 2 was “Selected users“).
- Switch to “Configure” and make sure “Allow self-service set up” is set to “Yes“.
At this point nothing really happened to your users or tenant. They are still able to logon with the current logon methods used until now. We only allowed users to configure a FIDO2 authentication device for their authentications. That’s basically everything we should do as an administrator!
Administrator: Prepare devices with Endpoint Manager
Prepare the devices for Security Key logon, if not yet configured. This can be done via either two ways:
- Endpoint Manager -> Devices -> Windows Hello for Business
- Endpoint Manager -> Devices -> Configuration profiles -> Create or modify the current Windows Hello for Business policy
I prefer the second option. Makes it easy to separate a pilot user(group) from the production users. See all Windows Hello for Business documentation here. Make sure the following setting is deployed to devices:
- Use security keys for sign-in
This setting is available for devices that run Windows 10 version 1903 or later, or Windows 11. Use it to manage support for using Windows Hello security keys for sign-in.
- Enable – Users can use a Windows Hello security key as a sign-in credential for PCs targeted with this policy.
- Not configured – Security keys are disabled and users can’t use them to sign in to PCs.
Assign the policy to a Device Group, not a User Group. Give it some time to deploy the configuration, to your device. Give the device a reboot after 15 minutes or so.
User: Register the Security Key
Users can now register a FIDO2 device like a Security Key in their identity. Microsoft has a support matrix which shows all supported FIDO2 providers. I chose the FEITIAN ePass FIDO NFC for this. They also offer 10% discount for new users! See the link before to get the discount code! Security key registration can be done via two ways. I’ll show you my favorite.
- Navigate to https://mysignins.microsoft.com. Login as the user who becomes the owner of the security key
- Navigate to “Security Info”.
- Click “Add method”
- Select Security key
My FEITIAN Security key supports NFC. Therefor I decided to chose for NFC device.
- Click OK twice.
This screen is a bit confusing. A user will think they should fill in a PIN code but that’s not the case. Just press or touch the security key. In my case i touch the NFC reader which results in a automatically filled in PIN code. Do this twice, for the initial and confirm field.
Last, Windows asks me to touch the security key once to verify.
Configuration completed! In the last screen you can give the security key a name. This could be usefull for a identity which has more than one security key configured.
Security key in action (User experience)
For this blog i used my FEITIAN ePass FIDO NFC. This one requires me to touch the fingerprint sensor found in the middle of the security key. The key is quite stable while touching which is perfect for my USB-A slot 🙂 . So, i attached the Security Key while booting my system. After Windows booted completely it asks me to tap the security key.
While my system booted i simply touch the fingerprint reader on my Secure Key. Windows logs on immediately without asking for a password or PIN code. Mission accomplished! Passwordless logon!
Office 365 (Online) logon:
Open a browser and navigate to (e.g.) https://portal.office.com. Click “Sign-in options“
Click “Sign in with a security key“
Touch the NFC reader once. The PIN is entered automatically.
Touch the security key once more.
There we are! A logon to my Windows device and my Office portal without a single password!
Sign-in reports Azure AD
You probably want to know if people are using the security keys for logon. My Sign-in report looks like this. I can see that this logon to application “Windows Sing-in” was completed with a FIDO2 Security Key. Open Azure Active Directory -> Users -> Find the user -> Sign-in logs and verify your logon reported FIDO2 Security Key.
Check your current logon method report. Azure Active Directory -> Usage & insights -> Authentication methods -> New Authentication methods Activity reports -> Usage. In my case users still use the password to much but these password logons are known to me and will decrease soon 😉 .