Passwordless login with Yubikey (FIDO2) on Windows 10 (AzureAD)

Last year in November passwordless sign-in became available for Windows 10 but only for Microsoft accounts. Although this was a major step forward in towards a passwordless world, most companies do not use Microsoft accounts but AD or Azure AD accounts to sign in to computers.  About a month ago the public preview of Azure AD support for FIDO2-based passwordless sign-in started. In this blog post I will demonstrate the setup and working of the Azure AD support for FIDO2.

I use the following setup:

  • Windows 10 pro 1903 (Insider Preview build 18947) and Azure AD joined
  • Azure AD (Premium P1 license assigned)
  • Intune (EMS E3)
  • Yubikey 5 NFC
  • Devicegroup used

The configuration consists out of the following parts:

  • Configure the Azure Tenant.
  • Setup the configuration for the windows device.
  • Enroll the end-user with the security key.
  • Testing the configuration with a testdevice.

 

Let’s begin with setting up the Azure Tenant:

 

1. Sign in to the Azure Portal with the Global admin

 

2. Select the “Azure Active Directory” and go to “Authentication methods”

Passwordless sign-in

 

3. The Authentication Methods screen will open. Press the link “Click her to enable users for the enhanced registration preview”

Passwordless sign-in

 

4. Configure which user groups can use the preview features. In this lab I will configure “all” but in a production environment you will probably only allow a group of testuser(s). Press “Save” to save your choice and press “Authentication methods – Authentication method policy (Preview) to continue.

Passwordless sign-in

 

5. Now the FIDO2 Security Key can be enabled by pressing on the text “FIDO2 Security Key”, the FIDO2 Security settings screen will pop-up. Select enable “Yes” to enable FIDO2. In this lab I will configure “all” but in a production environment you will probably only allow a group of testuser(s). I will use the default settings. (On this moment Key Restriction Policy cannot be used in Public Preview). Press “Save” to continue.

Passwordless sign-in

 

 

The Azure Tenant has now been setup, now it’s time for the Device Configuration.

 

1. First create a group containing your test device in the Azure AD this group will be used to assign the deviceconfiguration. Go to “Azure Active Directory” and select “Groups”

Passwordless sign-in

 

2. Select “New group”

Passwordless sign-in

 

3. Select group type “Security” and give the group a recognizable name. In this Lab I will manually assign the devices and therefore select the membership type “Assigned”. Press “Members” to add the Azure AD devices which you want to use. Press “Create” to create the group.

 

4. In the azure portal go to Intune.

Passwordless sign-in

 

5. Select “Device enrollment” -> “Windows enrollment” -> Windows Hello for Business

Passwordless sign-in

 

6. Set use security keys for sign-in to “Enabled” and press “Save” (Configuration of security keys for sign in, is not dependent on configuring Windows Hello for Business.)

Passwordless sign-in

 

 

7.  Go to the “Intune – Overview” and go to “Device configuration” -> “Profiles” -> “Create profile”

Passwordless sign-in

 

8.  Enter Name and Description, select platform “Windows 10 and later” and select the profile type “Custom”.

Passwordless sign-in

 

9. Press settings “Configure”  and press “Add”

Passwordless sign-in

 

10. Add the following lines and press “OK”

Passwordless sign-in

Name:      <Enter a recognizable name of your choice>
OMA-URI:   ./Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin
Data type: Integer
Value:     1

 

11.  Press “OK” and “Create”. The profile will now be created

 

12. After creation the new Configuration Profile will open. Press “Assignments” to assign the profile.

Passwordless sign-in

 

13. Press “Select groups to include” a new blade will open where the “Intune – testdevices” group can be selected (created at step 3). Select the group, it will appear in the ” selected members” group and press “Select”

Passwordless sign-in

 

 

14. Select “Save” to save the assignment.

Passwordless sign-in

 

15. On the Testdevice go to: “Settings -> “Accounts” -> “Access work or school” and select “Info”

Passwordless sign-in

 

16. Press the “Sync” button to sync with intune. The device has been setup for FIDO2 authentication.

Passwordless sign-in

 

Now for the last part “Enroll the end-user with the security key”

I’ve seen some posts on the internet that it could take some time before the “security key”  method could be added, but I haven’t seen this behaviour on my Azure Tenants.

 

1. Open the browser on the testdevice and go to https://myprofile.microsoft.com and login with your testuser.

 

2. Select “Security info” on the left

Passwordless sign-in

 

3. Press “+ Add method”, select “Security key” and press “Add”

Passwordless sign-in

 

4. If MFA hasn’t been setup for the user the following screen will appear to setup MFA. Press “Next” to continue.

 

5. Download the authenticator app on your phone and follow the instructions.

Passwordless sign-in

 

6. Add your mobile number and verify and press “Next” to continue.

Passwordless sign-in

 

7. The following screen will appear, select what you would like.

Passwordless sign-in

 

8. Now you will be redirected to the mysignins page. (The page will sometimes hang for minutes if this happens just close the window and open a new window. Enter https://mysignins.microsoft.com/security-info) 

The same page as at step 3 will appear but now with two methods added (Phone and Microsoft Authenticator). Select “+ Add method”, select “Security key” and press “Add”

Passwordless sign-in

 

9. Select the Security Key type. I use the Yubikey with both USB and NFC, but I will use USB in this Lab. Therefore I will select “USB device”.

 

10. Press “Next” when prompted to keep your device ready.

 

11. I’m using Firefox to setup the security key, so this message is correct. Press “OK” to continue.

 

12. A notification will pop-up to notify that a credential will be created on the security key. Press “OK” to continue.

Passwordless sign-in

 

13.  Enter the pincode of your security key and press “OK” to continue. (Before you can login on a device with your security key, you will need to unlock the security key with a PIN. This pin is stored in the AzureAD and is not the same as the Windows Hello PIN which is stored local)

 

14. Now press the key on your security key to continue setup.

 

15. Enter a recognizable name for your security key and press “Next” to continue

 

16. The Security Key has now been setup, press “Done” to continue.

 

 

Test the Passwordless login on the testdevice

 

1. Logout any users and go to the start screen

 

2. Plugin the Security key. Enter the PIN code of the Security Key and press “Enter”

 

3. Press the button on the security key.

 

4. The user will now be logged on to the device without entering a username or password

 

5. The desktop appears.

 

 

Conclusion:

Passwordless login with AzureAD is a great improvement. It’s easy to configure and no need for CA servers or third party software.

Pro:

  • Login on all Azuread joined devices with only the Security Key and PIN.
  • Fully managed with Intune, no need for additional scripting.
  • Only a Premium P1 license is needed to get this working.

Con:

  • Still need a pincode to login.
  • Issues with the Myprofile and Mysignin pages which keep loading.

 

Sources:

https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key

https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Announcing-the-public-preview-of-Azure-AD-support-for-FIDO2/bc-p/798885#M1407

3 thoughts on “Passwordless login with Yubikey (FIDO2) on Windows 10 (AzureAD)

  1. Microsoft 365

    This method needs at least Microsoft Business Premium plans and it works only with combination of PIN and Yubikey. Is that possible to configure U2F login (same as gsuite) with combination of full password and yubikey in Microsoft 365 Business plans ? It would be great if we could stack up our necessary steps on our own.

    Reply
    1. Aad Lutgert Post author

      I’m not sure if I understand your question, but do you want to know if it’s possible to use a U2F device with a Password for logon to Windows?

      Reply
  2. phil chivers

    Fido does seem to be the way to go (especially with its anti-phishing measures). Hopefully in time location can also be added as an authentication factor (using GPS).

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *