Preview of FIDO2 Security Keys for Hybrid Azure AD Joined Environments

A journey into the passwordless world in Hybrid Azure AD Joined environments

We recently participated in the private preview Microsoft conducted for using FIDO2 security keys to sign in to Hybrid Azure AD Joined Windows 10 devices. This preview gives users a quick, convenient, passwordless and secure sign-in to their Windows devices, plus single sign-on (SSO) access to both on-premises and cloud resources.

Microsoft's passwordless authentication includes support for Windows Hello for Business and roaming FIDO2 security keys. Windows Hello for Business is suitable for employees who use a dedicated computer: it lets the employee log in using either biometrics or a PIN, without a password. FIDO2 security keys can be used both by employees with a dedicated computer and by those who move between multiple computers throughout the day or week.

eWBM is a board member of the FIDO Alliance and has created the Goldengate series of FIDO2 security keys. These are the world's first (and currently ONLY) FIDO2 Level 2 certified security keys. All of eWBM's security keys are fingerprint-based FIDO2 biometric keys. eWBM has also recently become a member of the Microsoft Intelligent Security Association (MISA).

It's important to note that the FIDO2 standard is based on public key cryptography. Private keys and biometric data never leave the security key, and they cannot be copied or read out of the device; the relying party only ever holds the public key and receives signatures over challenges it issued.
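To make that property concrete, here is a small simulation of the two FIDO2 ceremonies (registration and assertion) with the authenticator and the relying party as separate components. This is an added example written for this post; it is not eWBM's firmware, Microsoft's implementation, or a conforming WebAuthn/CTAP library. The relying-party ID `login.example.test` and the look-alike `login.exarnple.test` are placeholder names, and the authenticator-data layout is a simplified version of the real one (rpIdHash, a flags byte, and a 32-bit signature counter). The `Authenticator` type never exposes its private keys, and the relying party rejects an assertion whose rpIdHash does not match its own ID, whose counter has not moved forward, or whose signature does not cover the challenge it issued.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator models the security key. Private keys live only in this
// struct; callers receive credential IDs, public keys and signatures.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey // keyed by rpID + "/" + credential ID
	counter uint32                       // monotonically increasing signature counter
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register is the registration ceremony: mint a P-256 key pair bound to rpID
// and hand back only the credential ID and the public key.
func (a *Authenticator) Register(rpID string) (credID string, pub *ecdsa.PublicKey, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", nil, err
	}
	credID = fmt.Sprintf("%x", raw)
	a.keys[rpID+"/"+credID] = priv
	return credID, &priv.PublicKey, nil
}

// Assert answers a sign-in challenge. The credential is looked up under the
// rpID the client reports, so a key registered for one origin is simply
// absent when a look-alike origin asks for it (the phishing-resistance property).
func (a *Authenticator) Assert(rpID, credID string, challenge []byte) (authData, sig []byte, err error) {
	priv, ok := a.keys[rpID+"/"+credID]
	if !ok {
		return nil, nil, errors.New("no credential registered for this relying party")
	}
	a.counter++
	rpHash := sha256.Sum256([]byte(rpID))
	ctr := make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, a.counter)
	authData = append(authData, rpHash[:]...)
	authData = append(authData, 0x01) // flags: user present (fingerprint verified on the key)
	authData = append(authData, ctr...)
	clientHash := sha256.Sum256(challenge)
	digest := sha256.Sum256(append(append([]byte{}, authData...), clientHash[:]...))
	sig, err = ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return authData, sig, err
}

type storedCred struct {
	pub     *ecdsa.PublicKey
	counter uint32
}

// RelyingParty models the identity provider: it stores public keys only and
// verifies assertions against challenges it generated itself.
type RelyingParty struct {
	ID    string
	creds map[string]*storedCred
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, creds: map[string]*storedCred{}}
}

func (rp *RelyingParty) Enroll(credID string, pub *ecdsa.PublicKey) {
	rp.creds[credID] = &storedCred{pub: pub}
}

func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// Verify checks origin binding, user presence, the anti-clone counter and the
// ECDSA signature over authData || sha256(challenge), in that order.
func (rp *RelyingParty) Verify(credID string, challenge, authData, sig []byte) error {
	sc, ok := rp.creds[credID]
	if !ok {
		return errors.New("unknown credential")
	}
	if len(authData) != 32+1+4 {
		return errors.New("malformed authenticator data")
	}
	want := sha256.Sum256([]byte(rp.ID))
	if !bytes.Equal(authData[:32], want[:]) {
		return errors.New("rpIdHash mismatch: assertion was made for a different relying party")
	}
	if authData[32]&0x01 == 0 {
		return errors.New("user presence not asserted")
	}
	ctr := binary.BigEndian.Uint32(authData[33:])
	if ctr <= sc.counter {
		return errors.New("signature counter did not increase: replay or cloned key")
	}
	clientHash := sha256.Sum256(challenge)
	digest := sha256.Sum256(append(append([]byte{}, authData...), clientHash[:]...))
	if !ecdsa.VerifyASN1(sc.pub, digest[:], sig) {
		return errors.New("bad signature")
	}
	sc.counter = ctr
	return nil
}

func main() {
	key := NewAuthenticator()
	rp := NewRelyingParty("login.example.test") // placeholder relying-party ID
	credID, pub, _ := key.Register(rp.ID)
	rp.Enroll(credID, pub)

	ch := rp.NewChallenge()
	ad, sig, _ := key.Assert(rp.ID, credID, ch)
	fmt.Println("sign-in:", rp.Verify(credID, ch, ad, sig))
	fmt.Println("replay of same assertion:", rp.Verify(credID, ch, ad, sig))
	_, _, err := key.Assert("login.exarnple.test", credID, ch) // look-alike origin
	fmt.Println("look-alike origin:", err)
}
```

The order of checks in `Verify` matters in practice: the rpIdHash comparison is what makes a stolen assertion useless on any site other than the one it was made for, and the counter check is the only signal the relying party has that a key may have been cloned, so it is worth logging a counter regression as a security event rather than a plain login failure.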

The scope of our testing covered the use of both Windows Hello (for dedicated computers) and our FIDO2 security keys which can also be used for dedicated computers as well as shared PC or roaming environments. Note that this blog entry isn't intended to be a how-to post. Please feel free to contact us if you're interested in any technical details of our testing process at eWBM.

TL;DR

Microsoft's support for passwordless Windows authentication will help enterprises greatly improve their security as well as reduce access issues and associated support costs through the use of Windows Hello for Business, FIDO2 compatible security keys and the Microsoft Authenticator App. eWBM's security keys are available today at eWBM.com.

Passwordless Authentication via FIDO2

Passwordless authentication is enabled via the FIDO2 specification. This isn't a proprietary effort by Microsoft, but rather the result of their participation in developing the FIDO2 standard through the FIDO Alliance. Here's a link to all the board member companies of the FIDO Alliance. FIDO2 moves beyond two-factor authentication (2FA) by supporting a far more user-friendly and secure experience.

Microsoft Azure Active Directory

So how is Microsoft accomplishing passwordless authentication? The preview features we tested support two different mechanisms, both involving the use of Azure Active Directory:

  1. Hybrid Azure Active Directory-joined (Hybrid AADJ)
  2. Azure Active Directory-joined (AADJ)

Hybrid Azure Active Directory-joined (Hybrid AADJ)

The term hybrid refers to the combination of an on-premises AD and Azure AD. This preview for FIDO2 security keys was limited to AADJ and Hybrid AADJ and does not work for pure on-premises deployments.

Azure Active Directory-joined (AADJ)

For organizations that don't have an on-premises Active Directory, the AADJ option allows them to manage their PCs and users with a cloud-only option. Microsoft recently announced at Ignite that FIDO2 authentication for Hybrid environments is coming in Q1 2020.

The Testing

Hybrid AADJ

We started by setting up an on-premises AD test environment. The specifics of setting up the test environment are a bit beyond the scope of this blog post. We'll only highlight the major steps and include some useful links for setting up the environment at the end of the post.

On-Premises AD Configuration

  1. To start, we set up a standard on-premises AD using virtual machines on Windows Hypervisor. The AD consisted of a single domain controller running Windows Server 2016 Standard edition.
  2. After that, an Insider Server build of Windows Server 2016 was added to the test domain as a second domain controller.
  3. Once the server was built and configured, the domain was joined to Azure AD via Azure AD Connect. Azure AD Connect must be installed on an AD server WITH the Windows GUI installed, so it went on our Windows Server 2016 machine.

AADJ

Using a Windows Insider Fast Ring build of Windows 10, we joined our FIDO2-enabled Azure Active Directory tenant. Note that Microsoft had to "white-list" our tenant domain for testing to enable the new FIDO2 support. Security key sign-in is enabled in the Azure portal by navigating to Intune and updating the "Security key for sign-in" setting under Device Enrollment > Profiles > Windows Hello for Business > Settings.

Windows Azure Intune

Client PCs

Testing also required an Insider build of Windows 10 (Fast Ring). We used VirtualBox, which, unlike Windows' built-in Hypervisor, allows USB devices to be mapped into the virtual machine and therefore allows a FIDO2 security key to be used. VirtualBox is incompatible with Windows Hypervisor, so it had to be installed on a separate host PC (Host 2). We created two separate client virtual machines, one for the Hybrid AADJ testing and the other for the AADJ testing.

Below is a diagram of our test environment.

Test Environment

Security Key

We tested using our new G310 security key. Note that the G320 is a USB-C version of the same key.

G310

In order to use the security key, these two basic steps are required:

  1. Registering fingerprint(s) with the key
  2. Associating the key with the appropriate Azure AD user account

For first-time use, a PIN must be set on the security key. This provides additional protection, and the PIN is required again whenever the key is modified, for example when a new fingerprint is enrolled.

PIN and Fingerprint registration for the security key can be accomplished using the built-in Security Key configuration process under Windows Sign-in options.

Security Key Configuration

Key Setup

Once the key was configured with a fingerprint (up to three may be stored on the key), the key was associated with the Azure AD account using myprofile.microsoft.com. You can see the sign-in methods registered as shown below:

Security info

After key setup was complete, we were able to log into Windows on both AADJ and Hybrid AADJ configured PCs. Once logged in, we could access Office 365 seamlessly without further authentication. In the Hybrid AADJ configuration, we were also able to access network shared folders, again without any further authentication.

Passwordless authentication also works in offline scenarios. We disconnected the client host PC from the network and were still able to log in using both Windows Hello and our security keys.

Windows Login

Conclusion

The weaknesses of password-based user authentication are well documented: passwords are the primary target of the phishing attacks that have proliferated in recent years. More complex password requirements have led to passwords that users can't remember, or to the repeated use of common passwords which are often compromised and listed online. Microsoft's new passwordless support for Azure AD is an important step towards eliminating passwords in the corporate environment. By enabling passwordless authentication in the Windows login process, Microsoft is removing one of the primary hurdles holding back the adoption of this important initiative.

References

  1. FIDO Alliance
  2. FIDO2, Fast IDentity Online v2
  3. Your Pa$$word doesn't matter
  4. Active Directory Setup in Windows Server 2016