Get in touch with us!

Password-less and hardware oath tokens with Azure AD

Microsoft 2018 security research | “You can reduce your odds of being compromised by up to 99.9% by implementing multi-factor authentication (MFA).”

I really like the vision of password-less users. Inside of our applications we have done this for a long time already using public/private key cryptography. Now we have technologies like biometrics available on almost all new devices. If you haven’t tested Windows Hello yet, it is time. But also new standards like WebAuthN and FIDO2 that will drive adoption of password-less even more.I am sure, this is the future. There is just no alternative. Maybe we might change the standards(talking to you blockchain adaptors), but the concept will remain.

Microsoft is working hard on this currently in a private preview, Windows 10 and FIDO2 password-less. Check out this video below.

While FIDO2 sign ins into Azure AD is still private preview. Microsoft launched public preview of hardware oath tokens in October last year. I have recently tested it. A great alternative for users without a mobile phone, like the children in our schools or for users that require an extra level of security by using hardware.

Currently there is three providers supported, DeepNet Security, Token2 and Yubico. The one I was testing is Yubico. They have both USB C and USB A with NFC.

I can have multiple keys linked to my account, but as a user I am not able to setup this up by myself. The process is like this:

A key is programed with a secret and username by the administrator or pre ordered from the factory. The administrator uploads a CSV with all the information into Azure AD. Each key will need to be manually activated by the administrator, this will not be fun for the company with 5000 users, hopefully this process will be streamlined in the future. After key activation, the user can pick it up and start using it.

As an end user I will need the Yubico authenticator application installed. When signing into Azure AD I can choice to use a code from my authenticator app just like with the Microsoft authenticator. When the key is inserted into my computer/phone or tapped with the NFC tag, one-time passwords will show up in the Yubico authenticator application.

This works and it will be great for a lot of users, but I am really looking forward testing the FIDO2 sign-in, hopefully it will be a better experience without the need for Yubico authenticator. I am sure there will be some great companies out there providing these FIDO2-devices. Personally I want something like a ring/bracelet.

Until next time,

Submit a Comment

Your email address will not be published. Required fields are marked *