Implementing FIDO2 Security Keys support for Azure Privileged Accounts
Ever heard of YubiKeys by Yubico? Well, I'm a bit of a fan myself and have used them for a variety of online accounts for many years now. So what are they?
FIDO2 security keys offer a range of benefits that help to enhance online security and reduce the reliance on passwords. Here are some key advantages:
Stronger authentication: FIDO2 security keys use public key cryptography rather than a shared secret. The private key is generated on the key and never leaves it; the service only ever holds the public key, so a breach of the service's credential store gives an attacker nothing to replay, and there is no password to guess or stuff.
Phishing resistance: a FIDO2 credential is bound to the site (relying party ID) it was registered with. The browser tells the key which site is asking, and the signed response includes that origin, so a look-alike domain gets no usable response and a relayed response is rejected by the real site. Unlike a one-time code, the user cannot be tricked into handing the credential to an attacker.
Fast and easy authentication: FIDO2 security keys provide a convenient and user-friendly experience. Users authenticate by plugging in the key, touching it and, where user verification is required, entering its PIN, with no complex password to remember.
Passwordless authentication: FIDO2 enables passwordless login, which means that users can access their accounts without needing a password. This can significantly reduce the risk of password-related security breaches, such as credential stuffing and brute force attacks.
Universal compatibility: FIDO2 security keys are supported by many major platforms, browsers, and devices. This widespread adoption allows users to enjoy seamless and secure authentication across different services and applications.
Privacy protection: a FIDO2 key generates a distinct key pair for every site it is registered with, so credentials cannot be used to correlate a user across services, and the key exposes no identifier that would let two sites compare notes.
Multi-factor authentication (MFA) support: FIDO2 security keys can be used as a part of multi-factor authentication, adding an extra layer of security to user accounts. MFA typically combines something the user knows (e.g., a password) with something the user has (e.g., a FIDO2 security key).
In summary, FIDO2 security keys offer a more secure, user-friendly, and universally compatible authentication method that protects users from phishing attacks and password-related security risks.
So how do I use a FIDO2 Security Key with Azure?
It's really easy, just follow these steps.
Firstly, you need a FIDO2 security key.
To limit FIDO2 registration to specific accounts, create a security group and add those users to it; that group is what the authentication method policy will be targeted at.
Log in to the Azure Portal, go to Azure Active Directory > Security > Authentication Methods.
In the example screenshot below, FIDO2 security key is shown as Disabled. To enable it, click on the FIDO2 security key text.
Next we're going to select Enable and change the target from All users to Select groups. Click Add groups and choose the recently created security group. Click Select.
Click on Configure. Accept the default settings unless you want to enforce key restrictions (an allow or block list of key models by AAGUID).
Allow self-service set up should remain set to Yes. If set to No, your users won't be able to register a FIDO2 key through the My Security Info page, even though the method is enabled for them by the Authentication Methods policy.
Setting Enforce attestation to Yes requires that the security key's attestation metadata be published to and verified against the FIDO Alliance Metadata Service, and that the key has also passed Microsoft's additional set of validation tests. Keys that can't prove this will be refused at registration.
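The portal steps above can also be scripted, which is handy for repeatable tenant builds and for proving the policy is scoped to the group rather than All users. The following is an added example using Microsoft Graph PowerShell, not code from the original post; the group name, user principal names and the empty AAGUID list are placeholders to replace with your own.

```powershell
# Added example: enable the FIDO2 authentication method for one security group
# using Microsoft Graph PowerShell (Install-Module Microsoft.Graph -Scope CurrentUser).
# Group name and UPNs below are placeholders (assumptions), not real tenant data.

Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All", "Policy.ReadWrite.AuthenticationMethod"

# 1. Security group that decides who may register a FIDO2 key (the "Select groups" target)
$groupName = "SG-FIDO2-PrivilegedAccounts"   # assumed name
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName -MailEnabled:$false `
        -MailNickname "sg-fido2-priv" -SecurityEnabled
}

# 2. Add the privileged accounts to the group (placeholder UPNs)
foreach ($upn in @("admin1@contoso.onmicrosoft.com", "admin2@contoso.onmicrosoft.com")) {
    $user = Get-MgUser -UserId $upn
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
}

# 3. Turn the FIDO2 method on for that group only, with the settings discussed above.
#    includeTargets replaces the default all_users target, so only the group is in scope.
$fido2Policy = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationAllowed = $true    # Allow self-service set up = Yes
    isAttestationEnforced            = $true    # Enforce attestation = Yes
    keyRestrictions                  = @{
        isEnforced      = $false                # set $true and list AAGUIDs to pin key models
        enforcementType = "allow"
        aaGuids         = @()                   # AAGUIDs of the key models you issue
    }
    includeTargets                   = @(
        @{
            targetType             = "group"
            id                     = $group.Id
            isRegistrationRequired = $false
        }
    )
}

$policyUri = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2"
Invoke-MgGraphRequest -Method PATCH -Uri $policyUri -Body $fido2Policy

# 4. Read the policy back: state should be "enabled" and the only target should be the group
$cfg = Invoke-MgGraphRequest -Method GET -Uri $policyUri
"state: {0}  attestation: {1}" -f $cfg.state, $cfg.isAttestationEnforced
$cfg.includeTargets | ForEach-Object { "target: {0} {1}" -f $_.targetType, $_.id }
```

The read-back at the end is the check worth keeping: if `includeTargets` still lists `all_users`, the method is open to every account in the tenant, not just the privileged ones.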
Now it's time to register a new FIDO2 key against the selected account. Login to https://myprofile.microsoft.com/ and click Security info.
Click on Add sign-in method and select Security key from the drop down, then click Add.
Select the appropriate type (in this example I'm using a USB YubiKey).
Make sure the Security key is plugged in and click Next.
Click on External security key or built-in sensor
Touch the security key with your finger.
Enter a suitable PIN and click OK. If the key has never been used before, Windows will ask you to set one. The PIN is checked by the key itself and never sent to Azure; it simply stops someone who picks up the key from using it.
Type in a name for your security key and click Next.
You should now see your new Security key listed.
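Once the key is registered, an administrator can confirm what the tenant actually recorded about it, and which members of the group have not yet enrolled. This is an added example using Microsoft Graph PowerShell, not part of the original post; the group name and UPN are the same placeholders as above.

```powershell
# Added example: audit FIDO2 registrations for the targeted group.
# Group name below is a placeholder (assumption).
Connect-MgGraph -Scopes "Group.Read.All", "User.Read.All", "UserAuthenticationMethod.Read.All"

$group = Get-MgGroup -Filter "displayName eq 'SG-FIDO2-PrivilegedAccounts'"

# For every member: how many keys are registered, and how many passed attestation.
# With Enforce attestation = Yes, every registered key should show attestationLevel 'attested'.
Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object {
    $user = Get-MgUser -UserId $_.Id
    $keys = @(Get-MgUserAuthenticationFido2Method -UserId $user.Id)
    [pscustomobject]@{
        User       = $user.UserPrincipalName
        Keys       = $keys.Count
        Attested   = @($keys | Where-Object AttestationLevel -eq 'attested').Count
        Models     = ($keys.Model | Sort-Object -Unique) -join ', '
        AAGUIDs    = ($keys.AaGuid | Sort-Object -Unique) -join ', '
        Registered = ($keys.CreatedDateTime | Sort-Object | Select-Object -Last 1)
    }
} | Format-Table -AutoSize
```

Users showing zero keys have not completed the My Security Info steps above. The AAGUID column is also what you would feed into key restrictions if you later decide to allow only the key models you have issued.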
You're all done!
I hope that's helped and good luck with your testing :)