Passwordless Authentication, Part 1: Azure Active Directory & Yubikey

Passwordless Authentication today can be achieved using different methods towards different services. There has been work going on for several years now between different companies and vendors to establish a new authentication standard where goals have been to increase both security and productivity. This standard is called FIDO2 and has been established by what is called the FIDO Alliance. https://fidoalliance.org/fido2/

Quickly explained, FIDO2 is a combination of the two protocols called Client to Authenticator Protocol (CTAP) and WebAuthn. Basically the standard allows organizations to utilize a standard for signing in to their resources, without username and password and instead use an external security key.

Azure Active Directory & Yubikey

In the following example I will focus on Azure Active Directory as the IDP and Yubico as the provider for the hardware based key which will be used for attestation and authentication. One thing to note here is that Microsoft requires specific optional extensions which hardware vendors need to implement into their hardware keys for them to be fully secure and compatible with Azure Active Directory.

Yubico’s keys are neatly called YubiKeys. They come in different flavors and they support hundreds of different services, products and applications. Each key supports multiple methods for authentication. They are batteryfree and utilizes asymmetric cryptography (public and private key cryptography). In the following example, I selected YubiKey 5C Nano which is part of the Nano-series and meant to be attached into the device all the time connected to a USB-C port. There are other variants aswell, for example the YubiKey 5 NFC which is shaped more like a tradtional key and can be used both in a PC or a Mobile Device (using NFC).
 

YubiKey 5C Nano

It’s length is just above 1 centimeter and it’s 0,5 centimeter wide. As you can see connected to my computer it’s very small.

Surface Book 3 with YubiKey 5C Nano

Common use cases for FIDO2 certified Keys are:

  • Strong Authentication
  • Securing Privileged Accounts
  • Passwordless Authentication
  • Shared Devices
  • Personal Security (Cloud Storage, Password Managers, Social Accounts)

Setting up a Security Key for an end user in Azure Active Directory

Before we actually can use a FIDO2 Certified key as a Passwordless method in our AzureAD-tenant, we need to make sure the following technical pre-requisites are in place:

To get started when the methods are available for the end users, navigate to this URL to start the process:
https://mysignins.microsoft.com/security-info

  1. The end user signs in with their credentials. When the page has loaded: Add Method
  1. And then we select security key as method
  1. Press Add
  1. Confirm with Next
  1. Press Next and setup Azure MFA for the end user.
  1. When the MFA setup is complete, now when you Add method again we can select between two types of security keys. Since I’m using YubiKey 5C Nano, I select USB device .
  1. Then we should be ready with our Security Key. Press Next
  1. We are then redirected to the Security Key setup. Press OK.
  1. Confirm with OK.
  1. Let’s create a PIN for the security key, then press OK.
  1. Touch the security key.
  1. Success! Enter a name for the security key, press Next.
     
  1. Finished! Press Done.

Sign-in to Microsoft 365 using a Security Key

  1. Let’s sign in to Microsoft 365 as our next step. We start by navigating to the URL (https://portal.office.com) and then clicking on Sign-in options.
  1. Select, Use a security key.
  1. Select Credential, in this case select Security key
  1. Enter the PIN, press OK
  1. Touch your security key.
  1. Sign-in successful!

Technical Details – Authenticator Attestation GUID

Based on the FIDO 2 specification, each security key provider needs to include a specific GUID used for the each key during it’s attestation.
The Authenticator Attestation GUID aka AAGUID is a 128-bit identifier indicating the key type (make and model).
This AAGUID must be identical between all similar keys (make/models) but different from all other AAGUIDS.
The reason for that is to make sure that the requirements of the specification are met and the respective key types security not tampered with.

To view details of a specific registered FIDO2 security key, we navigate to Azure Active Directory, Users then select a specific user. Then select Authentication Methods.

If we then click on the three dots to the right on the FIDO2 security key, we can view the security key details and it’s AAGUID.

1 comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: