“By 2022, Gartner predicts that 60% of large and global enterprises, and 90% of midsize enterprises, will implement passwordless methods in more than 50% of use cases”. Using Fast Identity Online (FIDO) Security Keys is one way to make this move.
Why go Passwordless?
Passwords are going to be a thing of the past in the next number of years. By going passwordless you can reduce the IT overhead, simplify the remembrance of passwords by not having to remember or reuse the same one. We will talk about one way to make this move, using security keys. There are other ways also, such as using the Authenticator app from Microsoft.
Pre-Requisites
- Admin access to Azure AD
- Security Key (I used Yubikey 5 NFC here)
- Windows 10 Device Azure AD Joined (1809 or later)
- MFA Enforced account (At least 1 MFA method)
- Intune license if managing devices
Step 1: Configure Azure AD
- Go to Azure AD Admin Centre
- Go to the Security blade
- Select Authentication Methods
- Enable FIDO2 Security Key
- Enable Enhanced Registration
Step 2: Setup the Security Key
- Go to https://myprofile.microsoft.com/
- Click Security Info
- Click Add Method
- Select Security Key
- Connect your Security Key (If using a VM, you can confirm it is seen by the VM by using the Yubikey Manager)
- Setup a PIN for your Security Key
- Test Sign-in using a supported browser (Recent Build of Windows 10 and Edge)
Step 3: Configure Intune for Windows 10 Sign in
This step is required as, by default, there is no security key sign in option.
- Go to Intune>Devices>Configuration Profiles
- Create a new custom Profile with the following settings
- Name: Anything
- Description: Anything
- Platform: Windows 10 and Later
- Profile Type: Custom
- Add a OMA-URI under settings with the following
- Name: Enable Windows 10 Security Key Sign In
- Description: Anything
- OMA-URI: ./Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin
- Data Type: Integer
- ./Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin
- Data Type: Integer
- Value: 1
- Save your profile
- Assign your profile to devices and ensure it is successful
Step 4: Sign in to Windows 10 with your Security Key
- Go to Windows 10 Sign in page on a device that has the above policy successfully applied
- Select the Security Key option to Sign in
- Enter your PIN for your Security Key
- Sit back and relax while you are signed in without a username or password
Notes
- This is in public preview at the time of making
- If you are doing this in a VM, you probably need to edit your VMX and ensure your FIDO Key is passing through successfully
References
- Microsoft Docs https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-windows
- VMware VMX Edit https://support.yubico.com/support/solutions/articles/15000008891-troubleshooting-vmware-workstation-device-passthrough