This website is originally written in the Czech language. Most content is machine (AI) translated into English. The translation may not be exact and may contain errors.
FIDO Authentication
FIDO authentication is based on the FIDO2 standard (WebAuthn and CTAP2). It offers a more secure way to log in to online services and is a form of passwordless MFA (multi-factor authentication without a password). At the same time, it increases user convenience (it supports biometrics). Examples are Windows Hello for Business, FIDO2 security keys and, more generally, passkeys (access keys).
Windows Hello for Business - introduction
In a corporate environment, we can increase the security of user accounts, and often user convenience as well, by deploying Windows Hello for Business. This involves creating credentials (an asymmetric key pair, often protected by a TPM) for a user account in Azure AD (or AD). These credentials are bound to a specific device (computer) and cannot be used elsewhere (remotely). The user most often sets up a fingerprint for login, with a PIN as a backup. This article briefly describes the technology and explains why it increases security.
09.06.2023 | 05.06.2023 | Samuraj - Petr Bouška | Microsoft admin | 9 781x | Comments [1]
Windows Hello for Business - Cloud Kerberos Trust deployment
Windows Hello creates a login credential (an asymmetric key pair, often protected by a TPM) for a user account in Azure AD (or AD) that is bound to a specific device. The user most often sets up a fingerprint for login, with a PIN as a backup. In this article, we describe one possible way to deploy Windows Hello for Business in a hybrid enterprise environment: the newest and very simple deployment method called Cloud Kerberos Trust.
11.06.2023 | 06.06.2023 | | Microsoft admin | 15 499x | Comments [2]
Windows Hello for Business - user settings and usage
Windows Hello creates a login credential (an asymmetric key pair, often protected by a TPM) for a user account in Azure AD (or AD) that is bound to a specific device. The user most often sets up a fingerprint for login, with a PIN as a backup. In this article, we describe the process of enrolling (provisioning) Windows Hello on a device. It can take place during the first login after power-on or via Windows settings. We also cover logging in and resetting the PIN.
12.06.2023 | 07.06.2023 | | Microsoft admin | 12 433x | Comments [3]
Sign-in with FIDO2 security key
Let's take a look at Microsoft support for logging in (authentication) using a FIDO2 security key in a corporate environment. Azure AD supports authentication with a FIDO2 security key, and in a hybrid environment we can also use it to log in to Windows and on-premises Active Directory. FIDO2 is a secure, passwordless and phishing-resistant form of multi-factor authentication, and with it we can significantly increase the security of user accounts. Logging in with a key can also be more convenient.
13.07.2023 | 21.06.2023 | | Microsoft admin | 18 056x | Comments [2]
FIDO passkeys part 1 - passkeys for authentication
This article covers user FIDO authentication with passkeys (access keys). Passkeys are a significantly more secure way to log in to a service than a password. They use a private key (kept by the user) and a public key (stored with the service). Passkeys are FIDO credentials according to the FIDO2 standard. We look at how passkeys work, what their properties are and how they relate to the FIDO2 security key.
24.03.2024 | 21.03.2024 | | Microsoft admin | 7 112x | Comments [1]
FIDO passkeys part 2 - practical use of passkeys on Windows and Android
We'll look at the practicalities of creating and using passkeys to sign in to online services on the Microsoft Windows and Google Android platforms, including Cross-Device Authentication. That is, using an internal authenticator (with local passkeys) or an external authenticator (with passkeys on another device), including a FIDO2 security key. We will try different web browsers and test on a Google account for which we create passkeys on different devices.
14.04.2024 | 06.04.2024 | | Microsoft admin | 9 432x | Comments [0]
FIDO passkeys part 3 - using passkeys in Microsoft Entra ID
Microsoft is currently adding (or rather expanding) support for passkeys on its accounts, both personal Microsoft accounts and work or school accounts in Entra ID. We look at the options for personal accounts, where the rules are less strict, and in more detail at corporate accounts, which require device-bound passkeys. On Android (from version 14) and iOS (from version 17) mobile devices, these are currently available only in the Microsoft Authenticator app.
25.04.2024 | 18.04.2024 | | Microsoft admin | 7 136x | Comments [0]
FIDO passkeys part 4 - using passkeys in Microsoft Authenticator
Passkeys are generally available in Microsoft Entra ID starting in early 2025. Currently, you can use device-bound passkeys stored on a FIDO2 security key or in the Microsoft Authenticator app (Windows Hello is not mentioned much). In this article, we show how users can create and use passkeys in the Microsoft Authenticator app. Passkeys are a modern and more secure replacement for traditional passwords: they allow multi-factor login without entering a password and work with an asymmetric cryptographic key pair.
19.05.2025 | | Microsoft admin | 7 184x | Comments [1]