Passwordless authentication in Azure AD with Token2 FIDO2 keys

FIDO2 based Passwordless technology allows users to use a USB key sign in to Azure AD (Microsoft Entra ID) without using passwords. Once enabled, the users will be able to sign in to their accounts and log onto their Windows 10 machines ( Azure AD (Microsoft Entra ID) or Hybrid AD joined ) using FIDO2 Security keys. The access is still protected by two factors in this case: 1) having physical access to the security key and 2) PIN or Fingerprint (on devices with biometrics support) configured on the FIDO2 Security keys
Passwordless authentication in  Azure AD (Microsoft Entra ID) with Token2 FIDO2 keys


In the context of Azure AD (Microsoft Entra ID), FIDO2 Security keys are not a replacement of the standard authentication mechanisms, they are added as an alternative, marketed by Microsoft as one of the Passwordless login methods. Also note that there were changes introduced by Microsoft during the Ignite 2021 conference as described on this page.
The guide below will walk you through the steps required to enable passwordless access using Token2 FIDO2 Security keys.

Requirements

  • An Azure AD (Microsoft Entra ID) tenant which licensed to use  Azure MFA functions
  • A global tenant admin account in Azure AD (Microsoft Entra ID)
  • A regular account to use for the test
  • A FIDO2 compatible security key, any Token2 FIDO2 Keys can be used
  • Windows 10 - 1903 or higher. Only browsers supporting FIDO2 keys can be used as the during enrollment and sign-in


Enable FIDO2 authentication method

Log in to your tenant admin interface and navigate to Azure Active Directory → Security → Authentication methods. 

Passwordless authentication in  Azure AD (Microsoft Entra ID) with Token2 FIDO2 keys

Click on "FIDO2 Security Key" and then select "Enable" and "All Users"

Passwordless authentication in  Azure AD (Microsoft Entra ID) with Token2 FIDO2 keys

After the authentication method has been activated, users are able to enroll their FIDO2 Keys.  

User registration and management of FIDO2 security keys

Note that only end users can perform the enrollment. Administrator provisioning and de-provisioning of security keys is not available in the public preview.

  • Browse to https://myprofile.microsoft.com
  • Sign in if not already
  • Click Security Info
    • If the user already has at least one Azure Multi-Factor Authentication method registered, they can immediately register a FIDO2 security key.
    • If they don’t have at least one Azure Multi-Factor Authentication method registered, they must add one. Alternatively, you can use Temporary Access Pass method (this will allow using FIDO2 keys without setting a password for the user).
  • Add a FIDO2 Security key by clicking Add method and choosing Security key


    Passwordless authentication in  Azure AD (Microsoft Entra ID) with Token2 FIDO2 keys

  • Choose USB device 

    Passwordless authentication in  Azure AD (Microsoft Entra ID) with Token2 FIDO2 keys

  • Have your key ready and choose Next
  • A box will appear and ask you to create/enter a PIN for your security key, then touch the shield or lock icon on the key (the LED indicator is usually blinking at this moment). If the PIN code for your FIDO2 key has already been set, it will ask to enter it. Please note that for biometric-enabled keys, PIN can be replaced by a fingerprint authentication.
  • You will be returned to the combined registration experience and asked to provide a meaningful name for your token so you can identify which one if you have multiple. Click Next.
  • Click Done to complete the process


Changing the PIN and resetting the Security Key

Azure AD (Microsoft Entra ID) requires the security keys to be protected with a PIN code. This can be done during the enrollment, but you can also change the PIN code later if needed. In case you forgot the PIN code, you can reset the security key and re-enroll again (as a new FIDO2 Security device). Changing the PIN and resetting Token2 T2F2 security keys can be done using the Windows Control panel (Control Panel -> Windows Security -> Account Protection -> Windows Hello / Manage sign-in options -> Security Key -> Manage ) 

Passwordless authentication in  Azure AD (Microsoft Entra ID) with Token2 FIDO2 keys 


It is recommended to have more than one security key enrolled. This is why we decided to introduce the FIDO bundle, which comes with a pair of T2F2 keys: one (primary, with a red sticker) to keep with you and one (secondary, with a green sticker) to keep in your desk drawer.


Video

Check out this video review demonstrating the process of the configuration of this method as well as user registration and login experience