Passwordless login to Azure AD with hardware security keys.

On July 10, 2019 a new passwordless way of authenticating to Azure Active Directory (AAD) reached Public Preview. From now on you can use FIDO2-compliant hardware security keys like those listed here or here to authenticate to Azure AD. Where will your users be able to log in with such keys? The supported scenarios include signing in on the web to applications and services that use AAD for authentication, but also logging on to Windows 10 machines with Windows Hello for Business on AAD-joined devices. Although you will be able to do it on Windows 10 1809, I strongly recommend Windows 10 1903 for the best experience.

Before you start, ensure you have Multi-Factor Authentication (MFA) enabled for the users that will use security keys. This is required for the same reason it is necessary when enrolling users into Windows Hello for Business - the security key is in fact two-factor authentication (something you have - the key, something you know - its PIN), so to enroll you must already have MFA enabled. If you don't, see these easy-to-follow steps to enable it - you should have done it a long time ago anyway, shouldn't you?

First of all be sure to check which scenarios are not supported. For example Windows 10 login with security keys is supported on AAD-joined devices only.

Let's see now how it works. First, log in to the Azure Portal and go to Azure Active Directory. In the left menu, in the Security section, select Authentication Methods.


For quite some time the only option under Authentication Methods was Password protection, but now you can also choose Authentication method policy (Preview) to enable passwordless authentication. You should also see a notice about enabling users for the enhanced registration process preview - we'll talk about it soon.


The two options available for the new passwordless authentication to AAD are FIDO2 security key and Microsoft Authenticator passwordless sign-in. Select the first option and, in the settings below, move the Enable switch to Yes. Optionally, you can target this policy to selected users only or deploy it to the whole organization.


Leave Allow self-service set up at Yes - administrator provisioning and deprovisioning of security keys is not supported yet. Also, Key restriction policies do not work yet, so don't change these settings and do not enforce key restrictions. Click Save.

Next, click the link that says Click here to enable users for the enhanced registration preview. Target the feature at selected user groups or at all users. Save the changes.
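To verify that the policy ended up the way the steps above describe (method enabled, self-service set-up on, key restrictions not enforced, someone targeted), here is a small audit script added for this post; it is not part of the original post or of any Microsoft tooling. It assumes the FIDO2 policy has been exported as JSON in the shape of the Microsoft Graph fido2AuthenticationMethodConfiguration resource (the property names used below are that resource's); a constructed sample document stands in for the export so the script runs offline.

```python
import json
from typing import List

# Constructed sample standing in for an exported policy; this is NOT a real tenant's policy.
SAMPLE_POLICY = json.dumps({
    "id": "Fido2",
    "state": "enabled",
    "isSelfServiceRegistrationEnabled": False,
    "isAttestationEnforced": False,
    "keyRestrictions": {"isEnforced": True, "enforcementType": "allow", "aaGuids": []},
    "includeTargets": [{"targetType": "group", "id": "<placeholder-group-id>",
                        "isRegistrationRequired": False}],
})

# The same constructed document with the settings the post recommends.
COMPLIANT_POLICY = json.dumps({
    "id": "Fido2",
    "state": "enabled",
    "isSelfServiceRegistrationEnabled": True,
    "isAttestationEnforced": False,
    "keyRestrictions": {"isEnforced": False, "enforcementType": "block", "aaGuids": []},
    "includeTargets": [{"targetType": "group", "id": "all_users", "isRegistrationRequired": False}],
})


def audit_fido2_policy(policy_json: str) -> List[str]:
    """Compare one FIDO2 policy document with the post's guidance.

    Returns one finding per deviation; an empty list means: method enabled,
    self-service set-up on, key restrictions not enforced, at least one target.
    """
    policy = json.loads(policy_json)
    findings = []
    if policy.get("state") != "enabled":
        findings.append("state: FIDO2 security keys are not enabled as a sign-in method")
    if not policy.get("isSelfServiceRegistrationEnabled", False):
        findings.append("isSelfServiceRegistrationEnabled: off, but admin provisioning "
                        "is not supported yet, so users cannot enroll keys at all")
    restrictions = policy.get("keyRestrictions") or {}
    if restrictions.get("isEnforced"):
        findings.append("keyRestrictions: enforced (%s list with %d AAGUIDs), but the preview "
                        "does not honour restrictions; leave them unenforced"
                        % (restrictions.get("enforcementType"), len(restrictions.get("aaGuids") or [])))
    if not policy.get("includeTargets"):
        findings.append("includeTargets: nobody is targeted, so no user can register a key")
    return findings


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_POLICY), ("compliant", COMPLIANT_POLICY)):
        print(name, audit_fido2_policy(doc) or ["OK"])
```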

Now each user can go to https://myprofile.microsoft.com and click Security Info. Then add an authentication method and choose Security Key. If no MFA method was registered for the user yet, she will have to complete that process now before continuing with the security key configuration.


Choose the type of your security key (USB or NFC) and click Next. Follow the instructions - insert your security key and enter its PIN. You can also assign a name to the key for easier management. Done - now you should see your key in the list of available authentication methods.


Now let's test it. Go to https://portal.office.com or to any other site where you can authenticate with your AAD credentials and, instead of entering your email address, select Login options.


Select the Login with Windows Hello or Security Key option.


Insert your security key when prompted, enter your PIN and voilà - you've logged in using a passwordless solution, a security key. No username or password was necessary.