Note: This article focuses on hybrid environments (On-Premises AD with Azure AD) with Hybrid Azure AD Joined devices.
Basic Principle of FIDO2
The FIDO (Fast IDentity Online) Alliance created the FIDO2 project. It is a strong authentication standard for the web that replaces password-based authentication with asymmetric key pairs. It consists of WebAuthn (W3C Web Authentication) and CTAP2 (FIDO Client to Authenticator Protocol 2) and builds on the earlier U2F (Universal 2nd Factor, now CTAP1) standard.
FIDO2 is an open standard for multi-factor authentication (MFA) that is passwordless (Passwordless Authentication). It is considered a phishing-resistant authentication method (besides FIDO2 keys, this group includes Windows Hello for Business and Azure AD certificate-based authentication). Unlike Phone sign-in in the Microsoft Authenticator app, where we can approve a login happening somewhere else on the internet, with FIDO2 we must sign in locally on the device to which the key is connected. The user uses a cryptographic authenticator (security key), which for Azure AD must be hardware-based.
It works similarly to Windows Hello for Business with an asymmetric pair of private and public keys. When we register a FIDO2 security key with an online service (Azure AD), the key creates a new pair of cryptographic keys. The private key is stored in the FIDO2 security key (similar to TPM), which it never leaves (cannot be extracted). The public key is stored (registered) with the user's account in Azure AD.
During login, the user must locally unlock access to the private key on the FIDO2 security key using a gesture. The key then signs the challenge (nonce) received from Azure AD. Azure AD verifies the signature with the registered public key, checks that the returned nonce matches the one it issued, and signs the user in (the device obtains a PRT with an MFA claim).

Added on 24.3.2024 - I have additionally found out that Windows Hello has been a certified FIDO2 authenticator (platform / internal) since Windows 10 1903, whereas a FIDO2 security key is an external / roaming authenticator. I have written more about FIDO authentication in the new article FIDO passkeys part 1 - passkeys for authentication.
FIDO2 Security Key
A FIDO2 security key is a hardware device. For Azure AD, it must be Microsoft compatible. It is usually a USB device (with a USB-A or USB-C connector), but it can also use a wireless connection via Bluetooth or NFC. It always has a touch button, and more expensive models are equipped with a fingerprint reader. The hardware device raises the security of the sign-in: only the cryptographic keys are used during authentication and no form of the user's password is sent.
FIDO2 keys use a PIN (primarily) to protect the private key, some models also support biometrics (fingerprint). The gesture to unlock the key is stored locally on the device and is not sent over the network. The cryptographic keys are unique for each service.
There are many Microsoft-compatible FIDO2 security keys, see the list of FIDO2 security key providers. We can get them from a few hundred to thousands of crowns. More expensive models support fingerprint reading, which is convenient for users.

FIDO2 Security Keys Available in Our Country
In our country, apparently only a few brands and models of security keys are sold. Moreover, descriptions in e-shops are often inaccurate (some state that YubiKey Bio FIDO Edition supports NFC, many places state that VeriMark IT Fingerprint Key supports FIDO2, which are both untrue). So it's important to always look at the manufacturer's website.
Probably the most sold and most often recommended are the YubiKey keys from Yubico. Unfortunately, they are also more expensive. The basic key that supports FIDO2 and PIN verification is the YubiKey Security Key NFC. We can get it for around 700 CZK without VAT, choose the USB-A or USB-C version, and it also supports NFC. The more expensive YubiKey 5 starts at about 1,300 CZK without VAT; here we choose the interface type and whether we want NFC support. Besides FIDO2, it also supports other functions such as Smart card, OATH, YubiKey OTP and Secure Static Passwords. The most expensive is the YubiKey Bio FIDO Edition, priced around 2,300 CZK without VAT. It supports biometric authentication (fingerprint), but otherwise only FIDO2. We choose the USB-A or USB-C version (it does not support NFC).
Note: Some models list Android and iOS as supported OS. This support is probably very limited, we can connect via USB-C or NFC, but FIDO2 doesn't work. We can use the Yubico Authenticator app and OATH verification code for MFA (similar to Google Authenticator, for example).
Another brand that can be purchased in our country is FEITIAN. It offers a range of models with a USB-A or USB-C connector, some also with NFC support. For example, the FEITIAN ePass A4B can be bought for around 400 CZK without VAT; besides FIDO2, it also supports OATH. The FEITIAN BioPass K49 costs around 1,580 CZK without VAT and supports biometric authentication (fingerprint), again without NFC. The FEITIAN BioPass K50 with a USB-A interface is not sold in our country, but apparently the older FEITIAN BioPass K45 is.
The last manufacturer is Kensington with its VeriMark products, but we must be careful: only two models support FIDO2 (the others can be used as fingerprint readers for Windows Hello). The VeriMark Guard Fingerprint Security Key with a USB-A or USB-C interface costs around 1,450 CZK without VAT. It is a small device with support for biometric authentication (fingerprint).
I also came across the TrustKey FIDO2 Security Key in passing: the G320 model with biometric authentication (fingerprint) for about 1,050 CZK without VAT. Although the manufacturer is on the list of Microsoft-compatible keys, this model does not meet the attestation requirements (the problem is described further in the article).
Azure AD and FIDO2
Azure AD supports FIDO2 security keys as one of the authentication methods. In On-Premises Active Directory, there is no support. But if we have a hybrid environment, FIDO2 login can work thanks to Azure AD Kerberos.
We register a FIDO2 security key as a login method for our Azure AD account. Similar to Microsoft Authenticator or a phone number. The user must verify using MFA. It is thus added as another login option to existing ones.
We can use the security key to log in with an Azure AD account to web applications (modern authentication) in a supported browser. Or to log in to a Windows 10/11 computer that is Azure AD or Hybrid Azure AD Joined.
Microsoft states in the documentation that it cannot be used to connect to a remote desktop using RDP (or VDI, Citrix), to run an application with Run as, and in some other situations. However, a FIDO2 key can now be used for RDP as well (described at the end of the article).
Note: Here we're talking about use in a Microsoft corporate environment, but FIDO2 (security key) can be used to log in to Google, Facebook, Apple ID accounts, etc.
Logging into Windows
When we log in using FIDO2 to a computer that is Hybrid Azure AD Joined, we sign in to Azure AD in the normal way. SSO sign-in to the local AD can also take place (we receive a partial TGT). Azure AD Kerberos must be deployed and at least Windows 10 20H1 (version 2004) is required (for signing in with an Azure AD account to a web application, an older version is sufficient).
When logging in for the first time using a FIDO2 security key to Windows, internet and a domain controller must be available. In subsequent cases, cached sign-in can be used.
By default, we cannot use FIDO2 to log in with a privileged account to On-Premises resources. These are accounts that are in the Domain Admins, Account Operators, Server Operators, Print Operators groups, etc.
Comparison of Passwordless Authentication Methods
The use of the FIDO2 security key is quite similar to Windows Hello for Business. It's no surprise since both methods utilize the FIDO2 standard. There is no dependency between them. In Windows Hello for Business, the keys are stored (optimally) in the TPM chip (an internal authenticator), and thus tied to a specific computer. In FIDO2, the keys are stored in a hardware security key (an external authenticator) and can be carried around (and used on different devices). It is also similar to the third passwordless sign-in option that Microsoft offers, Passwordless sign-in/Phone sign-in using the Microsoft Authenticator app on a mobile phone.
Each method supports different scenarios for sign-in. For example, Microsoft Authenticator cannot yet be used for signing into Windows, but it is universal for signing into web applications from any device. The most secure (considering universality) is the use of the FIDO2 security key. We use mobile phones for many activities, so theoretically, an attacker could also access the Microsoft Authenticator app.
Enabling authentication using FIDO2 security keys
- If we want to enable sign-in using FIDO2 security keys to an Azure AD account, we must enable this authentication method.
- If we want to enable sign-in to Windows, we must set it up on individual computers.
- To enable sign-in to Active Directory Domain Services (AD DS), we must deploy Azure AD Kerberos.
- Registration of security keys is done by users for their Azure AD account.
Enabling FIDO2 security key in Azure AD
Note: We are using the new authentication methods settings, so we also have combined registration enabled. The new portal Microsoft Entra Admin Center is used for settings, which replaced the Azure Active Directory Admin Center, but we will mention both paths.
- Microsoft Entra Admin Center - Protect & Secure - Authentication methods - Policies
- Azure Active Directory admin center - Security - Authentication methods - Policies
- Select the FIDO2 security key method
- Enable for all or selected users (group)
- Adjust the settings if needed; by default Allow self-service set up, Enforce attestation, and Enforce key restrictions are enabled
Note: Enabling Enforce attestation means that the key must have published and verified metadata through the FIDO Alliance Metadata service and also pass additional verification tests by Microsoft.
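As an added example (my code, not a step from the article and not Microsoft's documentation), the same FIDO2 method policy can be set through Microsoft Graph instead of the portal, which is handy when the three settings above must be enforced consistently across tenants. It assumes the Microsoft.Graph PowerShell SDK, the Policy.ReadWrite.AuthenticationMethod permission, and a placeholder group ID; the property names follow the Graph fido2AuthenticationMethodConfiguration resource.

```powershell
# Added example: configure the Fido2 authentication method policy via Microsoft Graph.
# Assumes the Microsoft.Graph PowerShell SDK; the group id is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod" | Out-Null

$uri = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2"

# Weak variant for comparison: isAttestationEnforced = $false lets any key that speaks
# FIDO2 be registered, including models without verified FIDO Alliance metadata.
# Hardened variant below: attestation enforced, self-service registration allowed,
# key restrictions ready to be switched on, registration scoped to one group.
$body = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationEnabled = $true        # Allow self-service set up
    isAttestationEnforced            = $true        # Enforce attestation
    keyRestrictions = @{
        isEnforced      = $false                    # Enforce key restrictions
        enforcementType = "block"                   # "allow" or "block" the listed AAGUIDs
        aaGuids         = @()                       # AAGUIDs of models to allow/block
    }
    includeTargets = @(
        @{
            targetType             = "group"
            id                     = "00000000-0000-0000-0000-000000000000"   # placeholder; "all_users" enables it for everyone
            isRegistrationRequired = $false
        }
    )
}

Invoke-MgGraphRequest -Method PATCH -Uri $uri -ContentType "application/json" `
    -Body ($body | ConvertTo-Json -Depth 6)

# Read the effective policy back and show the settings the article names.
$policy = Invoke-MgGraphRequest -Method GET -Uri $uri
[pscustomobject]@{
    State                 = $policy.state
    SelfServiceSetup      = $policy.isSelfServiceRegistrationEnabled
    EnforceAttestation    = $policy.isAttestationEnforced
    EnforceKeyRestriction = $policy.keyRestrictions.isEnforced
    RestrictionType       = $policy.keyRestrictions.enforcementType
    AAGuids               = ($policy.keyRestrictions.aaGuids -join ", ")
}
```

Keeping isAttestationEnforced on is the setting that later blocked the TrustKey registration described below; turning it off trades that protection for compatibility with keys that have no verified metadata.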

Enabling FIDO2 sign-in to Windows using Group Policy
To use FIDO2 sign-in to Windows, we must enable the FIDO Credential Provider (its GUID is {F8A1793B-7873-4046-B2A7-1F318747F427}).
Using Group Policy, this is the setting Turn on security key sign-in in the path
Computer Configuration/Policies/Administrative Templates/System/Logon
which we must enable and apply to computers.
Note: We need sufficiently new ADMX templates, see the description in Windows Hello for Business - Cloud Kerberos Trust deployment.
Enabling FIDO2 sign-in to Windows using Intune
For new devices, we can enable it within
- Microsoft Endpoint Manager admin center - Devices - Enroll devices - Windows enrollment - Windows Hello for Business
The item Use security keys for sign-in. This setting applies only during Intune enrollment (it does not affect already enrolled devices).
Standard enabling is done using a configuration profile:
- Microsoft Endpoint Manager admin center - Devices - Configuration profiles
- Create a profile from the Windows Custom template
- Manually set OMA-URI
./Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin, data type Integer, value 1
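Whether the GPO or the Intune profile is used, the result on the device should be the same. The following check script is an added example (mine, not from the article or from Microsoft). It assumes that both the "Turn on security key sign-in" policy and the OMA-URI above write the UseSecurityKeyForSignin value under HKLM\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey, that the "Exclude credential providers" policy lives under Policies\System, and it uses the credential provider GUID and the minimum build (20H1 = 19041) from the article.

```powershell
# Added example: verify that a Windows device is ready for FIDO2 security key sign-in.
function Test-FidoSignInReady {
    $r = [ordered]@{}

    # Windows 10 20H1 (version 2004) is build 19041, the minimum for Hybrid Azure AD Joined sign-in.
    $r.Build          = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    $r.BuildSupported = ($r.Build -ge 19041)

    # Policy value behind "Turn on security key sign-in" (GPO) and the Intune OMA-URI
    # ./Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin.
    # Assumption: both write this registry location.
    $policyPath = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey'
    $v = (Get-ItemProperty -Path $policyPath -Name UseSecurityKeyForSignin -ErrorAction SilentlyContinue).UseSecurityKeyForSignin
    $r.UseSecurityKeyForSignin = $v
    $r.PolicyEnabled           = ($v -eq 1)

    # The FIDO Credential Provider (GUID from the article) must be registered...
    $cpGuid = '{F8A1793B-7873-4046-B2A7-1F318747F427}'
    $r.CredentialProviderPresent = Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\$cpGuid"

    # ...and must not be on the "Exclude credential providers" list (assumed registry location).
    $excluded = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                    -Name ExcludedCredentialProviders -ErrorAction SilentlyContinue).ExcludedCredentialProviders
    $r.CredentialProviderExcluded = [bool]($excluded -and ($excluded -match [regex]::Escape($cpGuid)))

    # Join state from dsregcmd; a Hybrid Azure AD Joined device reports YES for both.
    $dsreg = dsregcmd /status
    $r.AzureAdJoined = [bool]($dsreg -match 'AzureAdJoined\s*:\s*YES')
    $r.DomainJoined  = [bool]($dsreg -match 'DomainJoined\s*:\s*YES')

    $r.Ready = $r.BuildSupported -and $r.PolicyEnabled -and
               $r.CredentialProviderPresent -and -not $r.CredentialProviderExcluded
    [pscustomobject]$r
}

Test-FidoSignInReady
```

Run it in an elevated PowerShell after a gpupdate (or an Intune sync); a Ready value of False together with PolicyEnabled = False usually means the policy has not reached the device yet, whereas CredentialProviderExcluded = True points at another policy that hides the USB key icon on the sign-in screen.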
Azure AD Kerberos
Note: Domain controllers must be at least Windows Server 2016 with KB3534307 installed, or Windows Server 2019 with KB4534321.
When signing in with a FIDO2 security key to Windows, it results in a sign-in to Azure AD. To also sign in to On-Premises AD, Azure AD Kerberos is used. During sign-in, Azure AD issues users a partial TGT, which the domain controller exchanges for a standard TGT.
In the local AD, the following are created: a Read Only Domain Controller computer object AzureADKerberos, a user object krbtgt_AzureAD (TGT encryption key), and a Service Connection Point (SCP) CN=900274c4-b7d2-43c8-90ee-00a9f650e335,CN=AzureAD,CN=System. In Azure AD, a KerberosDomain object is created.
It works the same as for Windows Hello for Business with the deployment of Cloud Kerberos Trust. The setup of Azure AD Kerberos is described in Windows Hello for Business - Cloud Kerberos Trust deployment. If it has already been done, no further action is needed.
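To confirm that the deployment is in place (or still in place after someone "cleaned up" the System container), the objects listed above can be queried from the local AD. This is an added example of mine, not part of the article or of Microsoft's deployment steps; it assumes the ActiveDirectory RSAT module and an account that can read CN=System, and it uses the object names and SCP GUID exactly as the article gives them.

```powershell
# Added example: verify the Azure AD Kerberos objects in the on-premises AD.
function Test-AzureAdKerberosObjects {
    Import-Module ActiveDirectory
    $domainDn = (Get-ADDomain).DistinguishedName
    $systemDn = "CN=System,$domainDn"

    # Read Only Domain Controller object that represents Azure AD Kerberos.
    $rodc = Get-ADComputer -LDAPFilter '(name=AzureADKerberos)' -Properties msDS-KrbTgtLink

    # Account holding the key that encrypts the partial TGTs issued by Azure AD.
    $krbtgt = Get-ADUser -LDAPFilter '(name=krbtgt_AzureAD)' -Properties PasswordLastSet, msDS-KeyVersionNumber

    # Service Connection Point; the GUID is the one named in the article.
    $scp = Get-ADObject -LDAPFilter '(cn=900274c4-b7d2-43c8-90ee-00a9f650e335)' -SearchBase $systemDn -Properties keywords

    # Age of the krbtgt_AzureAD key; like the regular krbtgt key it should be rotated on a schedule.
    $keyAgeDays = if ($krbtgt) { [int]((Get-Date) - $krbtgt.PasswordLastSet).TotalDays } else { $null }

    # Domain controllers, for checking the minimum OS level from the note above.
    $dcs = Get-ADDomainController -Filter * | ForEach-Object { "$($_.HostName) [$($_.OperatingSystem)]" }

    [pscustomobject]@{
        RodcObjectPresent    = [bool]$rodc
        RodcKrbTgtLink       = if ($rodc)   { $rodc.'msDS-KrbTgtLink' } else { $null }
        KrbtgtAccountPresent = [bool]$krbtgt
        KrbtgtKeyVersion     = if ($krbtgt) { $krbtgt.'msDS-KeyVersionNumber' } else { $null }
        KrbtgtKeyAgeDays     = $keyAgeDays
        ScpPresent           = [bool]$scp
        ScpKeywords          = if ($scp)    { ($scp.keywords -join '; ') } else { $null }
        DomainControllers    = ($dcs -join ', ')
    }
}

Test-AzureAdKerberosObjects
```

All three Present values should be True; a missing krbtgt_AzureAD account or SCP means Windows cannot exchange the partial TGT for a full one and FIDO2 sign-in will reach Azure AD but not the on-premises resources. The Azure side (the KerberosDomain object) is read with Get-AzureADKerberosServer from the AzureADHybridAuthenticationManagement module used during deployment.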
Checking registration in Azure AD
When a user correctly registers a FIDO2 security key, a new authentication method is added to their account in Azure AD. In the user details under Authentication methods, the FIDO2 security key authentication method will be visible.
- Microsoft Entra Admin Center - Users - All users - select the user - Authentication methods
Note: The FIDO2 key can be deleted here, thus disabling it.

We can view a summary of registered user authentication methods, where we can filter by FIDO2 security key.
- Microsoft Entra Admin Center - Protect & Secure - Authentication methods - User registration details

When a sign-in occurs, details can be found in the user's sign-in log. Here, applications like Windows Sign In or Microsoft Remote Desktop and the Authentication method as FIDO2 security key (with its name and ID in the details) can be found.

User settings and usage
Registration of the FIDO2 security key
Registration of FIDO2 keys is done by users in the web interface of the authentication methods management under their account My Account in the Security info section.
- Add a new method Add method and select Security key (if not already signed in, sign in using MFA)

- Choose whether it is a USB or NFC device

- A Windows window will appear where you agree to the configuration and set a PIN

- Finally, name the key and receive confirmation of the successful addition of the method
Error during registration
During testing of the TrustKey G320 key, we encountered an issue. At the end of the key registration to the user account, after naming it, an error appeared:
We detected that this particular key type has been blocked by your organization. Contact your administrator for more details and try registering a different type of key.
It seemed that Enforce key restrictions was enabled and this AAGUID was not allowed. However, in our case, the policy was not set.
It turned out that the registration was blocked by the enabled Enforce attestation. Thus, the key likely did not pass attestation and was therefore blocked. After disabling the setting, the registration succeeded, but it is necessary to consider whether such keys should be used.
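For the registration check in the previous section and for diagnosing the attestation error above, it helps to see, per user, which keys are registered, whether each one passed attestation, and how its AAGUID relates to the tenant's key-restriction list. The script below is an added example of mine (not the article's and not Microsoft's); it assumes the Microsoft.Graph PowerShell SDK, the UserAuthenticationMethod.Read.All and Policy.Read.All permissions, and a placeholder user name.

```powershell
# Added example: report a user's registered FIDO2 keys against the tenant policy.
function Get-UserFido2KeyReport {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All", "Policy.Read.All" | Out-Null
    $base = "https://graph.microsoft.com/v1.0"

    # Tenant-wide FIDO2 policy (Enforce attestation / Enforce key restrictions in the portal).
    $policy     = Invoke-MgGraphRequest -Method GET -Uri "$base/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2"
    $restricted = @($policy.keyRestrictions.aaGuids)
    $mode       = $policy.keyRestrictions.enforcementType     # "allow" or "block"
    $enforced   = [bool]$policy.keyRestrictions.isEnforced

    # Keys registered on the user's account (what the Authentication methods blade shows).
    $methods = Invoke-MgGraphRequest -Method GET -Uri "$base/users/$UserPrincipalName/authentication/fido2Methods"

    foreach ($m in $methods.value) {
        $listed = $restricted -contains $m.aaGuid
        # Under "block" a listed AAGUID is refused; under "allow" only listed AAGUIDs are accepted.
        $blocked = $enforced -and ((($mode -eq 'block') -and $listed) -or (($mode -eq 'allow') -and -not $listed))
        [pscustomobject]@{
            DisplayName      = $m.displayName
            Model            = $m.model
            AAGuid           = $m.aaGuid
            AttestationLevel = $m.attestationLevel          # attested / notAttested
            Created          = $m.createdDateTime
            BlockedByPolicy  = $blocked
            MeetsAttestation = ($m.attestationLevel -eq 'attested') -or -not $policy.isAttestationEnforced
        }
    }
}

Get-UserFido2KeyReport -UserPrincipalName "user@example.com"   # placeholder user
```

A key that was only registrable after Enforce attestation was switched off, like the TrustKey in the story above, shows up with AttestationLevel notAttested; filtering the whole tenant for that value is a quick way to find out how many such keys are in use before deciding whether to turn the setting back on. Keys that failed registration do not appear at all, because the method is never created.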
Signing into a web application using FIDO2
Note: We need at least Windows 10 1903, which supports WebAuthN, and a web browser that supports the WebAuthN protocol (see Browser support of FIDO2 passwordless authentication).
When signing in with an Azure AD account in a supported web browser, we can select the registered method Use a security key. Then enter the PIN and touch the key or use biometrics.

If we are on the sign-in dialog where the username is entered, we can directly select Sign-in options and Sign in with Windows Hello or a security key and sign in without entering a username.

Signing in to Windows using FIDO2
Note: We need at least Windows 10 20H1 (for Azure AD joined, Windows 10 1909 is sufficient).
To sign in to Windows, simply connect the FIDO2 security key and enter the PIN and touch the key or use biometrics. Alternatively, switch the credential provider (USB key icon) by clicking on Sign-in options.

Sign-in logs for Windows can be found in Event Viewer under
Applications and Services Logs - Microsoft - Windows - WebAuthN - Operational
Note: It seems that if we have multiple accounts (passkeys) on the FIDO2 security key, we can only use the last registered one to log in to Windows.
Managing security keys in Windows
Configuration of the FIDO2 key, such as resetting the key, changing the PIN, setting up fingerprints, can be done in Windows settings
- Settings - Accounts - Sign-in options - Security Key - Manage

Device identification in Windows
When we look into Device Manager in Windows, we can verify that the system correctly recognizes the hardware devices. For Windows Hello for Business, we find devices like Fingerprint Sensor or Face Device under the Biometric devices category.
When we connect a USB security key that supports FIDO2, we should find HID-compliant fido (device type FIDO HID device) under the Human Interface Devices category. If we look into Devices (Devices and Printers or Bluetooth & other devices), we will see one or more devices (if the key also includes, for example, a Smart Card or HID keyboard). The device is usually labeled with the manufacturer's/model name and description, such as YubiKey FIDO or Biopass FIDO2. The properties show the device's functions.
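The WebAuthN operational log and the Device Manager view described above can be collected in one go when troubleshooting a key that will not sign in. The script is an added example of mine, not from the article; it reads the log channel named above (Microsoft-Windows-WebAuthN/Operational) and lists HID-class devices whose friendly name contains "fido", which is how the article says the key appears.

```powershell
# Added example: recent WebAuthN events plus the FIDO HID devices currently attached.
function Get-FidoClientStatus {
    param([int]$Hours = 24)

    # Registration and sign-in attempts recorded by the WebAuthN subsystem.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-WebAuthN/Operational'
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Level   = $_.LevelDisplayName
            Summary = ($_.Message -split "`r?`n")[0]   # first line of the message only
        }
    }

    # The "HID-compliant fido" entry under Human Interface Devices.
    $devices = Get-PnpDevice -PresentOnly -Class HIDClass -ErrorAction SilentlyContinue |
        Where-Object { $_.FriendlyName -like '*fido*' } |
        Select-Object FriendlyName, Status, InstanceId

    [pscustomobject]@{
        KeyAttached  = [bool]$devices
        Devices      = $devices
        EventCount   = @($events).Count
        Failures     = @($events | Where-Object { $_.Level -in 'Error', 'Warning' })
        RecentEvents = @($events | Select-Object -First 10)
    }
}

Get-FidoClientStatus -Hours 48 | Format-List
```

KeyAttached = False with a key plugged in points at a USB or driver problem rather than at Azure AD; Failures lists the WebAuthN errors and warnings, which is where a wrong PIN, a cancelled gesture or an unsupported key shows up before anything reaches the sign-in logs in Azure AD.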

Remote Desktop - connecting to a remote desktop
Note: We need at least Windows 10 20H2 with the 2022-10 Cumulative Update installed.
Microsoft's official documentation states that signing in with a FIDO2 security key cannot be used with the RDP protocol (Unsupported scenarios). Fortunately, this is no longer true; it most likely changed in October 2022, when the Azure AD Authentication option was added. The description is in the article Connect with Azure AD Authentication.
The source (local) computer must have a supported version of Windows. There are no requirements for it to be domain-joined, Azure AD, or hybrid. The target (remote) computer must also have a supported version and must be either Hybrid Azure AD Joined or Azure AD Joined.
To connect, use the Remote Desktop Connection application (mstsc.exe).
- Enter the address of the remote computer, use the name (corresponding hostname - FQDN/NetBIOS) and not the IP address, the username does not need to be filled in
- Switch to the Advanced tab and check the option Use a web account to sign in to the remote computer

- A Microsoft authentication window will open; select or enter the username in the format user@domain.com and sign in with the FIDO2 key

- When connecting to a new computer, we must allow remote desktop connection (up to 15 connections can be remembered for 30 days, so it won't ask again)

When reconnecting to the remote computer, Single Sign-On (SSO) applies for a certain period. The administrator can adjust this behavior with a Conditional Access policy targeting the application Microsoft Remote Desktop (application ID a4a365df-50f1-4397-bc59-1a1564b8bb9c).
Note: The lock screen of the remote session does not support Azure AD authentication tokens or passwordless authentication methods like FIDO keys. Therefore, when locked, the session is disconnected.

Remote Desktop - usage on a remote desktop
We can also use the FIDO2 security key on a remote computer connected via Remote Desktop Connection. On the source computer where the key is connected, we must have a newer version of RDP, and in the local resources settings we see the option to redirect WebAuthn (Windows Hello or security keys). It works for me when the target computer is Windows 11 22H2. My initial short tests with Windows 10 22H2 as the target were not successful.
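Both Remote Desktop behaviours described above (signing in with a web account, and redirecting WebAuthn into the session) can be captured in an .rdp file so that users do not have to find the checkboxes each time. The function below is an added example of mine, not part of the article; it assumes that enablerdsaadauth:i:1 is the RDP file property behind "Use a web account to sign in to the remote computer" and redirectwebauthn:i:1 the one behind the WebAuthn redirection, and the host name is a placeholder.

```powershell
# Added example: write an .rdp file for web-account (Azure AD) sign-in with optional WebAuthn redirection.
function New-FidoRdpFile {
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # host name (FQDN/NetBIOS), not an IP address
        [string]$Path = "$env:USERPROFILE\Desktop\$ComputerName.rdp",
        [switch]$RedirectWebAuthn                      # let the key on this PC be used inside the session
    )

    # The article notes that the target must be addressed by name for web-account sign-in to work.
    if ($ComputerName -as [ipaddress]) {
        throw "Use the host name of the remote computer, not its IP address."
    }

    $lines = @(
        "full address:s:$ComputerName"
        "enablerdsaadauth:i:1"                                        # "Use a web account to sign in to the remote computer" (assumed property)
        "redirectwebauthn:i:$([int]$RedirectWebAuthn.IsPresent)"     # WebAuthn redirection under Local Resources (assumed property)
        "authentication level:i:2"                                    # warn on server authentication problems instead of failing silently
    )
    Set-Content -Path $Path -Value $lines
    Get-Item $Path
}

$rdp = New-FidoRdpFile -ComputerName "pc01.corp.example.com" -RedirectWebAuthn   # placeholder host
# Start-Process mstsc.exe -ArgumentList "`"$($rdp.FullName)`""
```

Because the username is left out of the file, mstsc opens the Microsoft sign-in window where the user picks the account and touches the key, exactly as in the manual steps above; the same file works whether the target is Hybrid Azure AD Joined or Azure AD Joined, as long as it meets the version requirement in the note.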

Is there a way to force the RDP client's behaviour so that only the "Use a web account to sign in" variant can be used? Or to enforce this authentication method as the only possible one on the target server?
Reply to Mpowerman: Unfortunately, I am afraid it cannot be done (but I have not looked into it in detail). I would like such an option too.