Passwordless Authentication, Part 2: Temporary Access Pass, Security Key enrollment & Windows-Sign in

In my previous blogpost I demonstrated a basic enrollment of Passwordless authentication
into Azure AD with a FIDO2 Security Key.

Generally speaking, common use cases for FIDO2 certified hardware keys are as follows:

  • Strong Authentication
  • Securing Privileged Accounts
  • Passwordless Authentication
  • Shared Devices
  • Personal Security (Cloud Storage, Password Managers, Social Accounts)

In this post I will focus on provisioning a Temporary Access Pass (TAP) to end users so that they can add a FIDO2 Security Key as an authentication method for themselves in Azure AD.
A FIDO2 Security Key can then be used for strong authentication during Windows Autopilot enrollment and is an alternative when mobile devices aren't an option as an MFA method.
Finally I will demonstrate that from there, the end user can either:

  • Provision their credentials into Windows Hello for Business (Security Key as MFA method)
  • Use FIDO2 Security Key as Sign-In method into Windows (recommended for a shared device)

Part 1. Temporary Access Pass and FIDO2 Security Key Enrollment

To provision a Temporary Access Pass we need to be able to enable the method and target it to a group (or All Users). This is done under Azure Active Directory \ Security \ Authentication Methods.

We should note here that the properties and lifetime of the TAP method can be adjusted as seen in the screenshots below. In my example I configured it like this:

When the method is enabled and targeted, we can add a TAP to a user graphically in the Azure Portal.
Select the user and Authentication Methods then select Add authentication method.

Select Temporary Access Pass (preview) as the method, then select Add.

The details are then provided for us and the next step should be to send the information to the end user for registration.

We can also provision a TAP with PowerShell instead of the GUI. See the example below:

# Install the Microsoft Graph module that contains the authentication method cmdlets
Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser
# Connect to Microsoft Graph API using device authentication and with the correct API permissions
Connect-MgGraph -Scopes UserAuthenticationMethod.ReadWrite.All
# Switch to the beta API (TAP is in preview)
Select-MgProfile -Name beta
# Specify the User ID (Object ID of the user object in Azure AD); placeholder value
$UserID = "ABC123-b688-0000-1111-2b6afd1bf95f"
# Show any existing TAP for the specific user
Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserID
# Create a TAP (one-time use), valid for 30 minutes
$TAP = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserID -IsUsableOnce -LifetimeInMinutes 30
# View the newly created TAP (the pass value is only returned at creation time)
$TAP.TemporaryAccessPass
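Building on the block above, here is an added example (not the blog's own code) that wraps TAP provisioning in a reusable function: it looks the user up by UPN, replaces any existing TAP (a user can hold only one), issues a one-time pass with a bounded lifetime and returns the expiry so the helpdesk knows when it stops working. It assumes the Microsoft.Graph.Users and Microsoft.Graph.Identity.SignIns modules are installed; the UPN is a placeholder.

```powershell
# Added example, not from the original post. Assumes both Graph modules are installed
# and that the signed-in admin holds UserAuthenticationMethod.ReadWrite.All.
Connect-MgGraph -Scopes "User.Read.All","UserAuthenticationMethod.ReadWrite.All"
Select-MgProfile -Name beta   # TAP cmdlets live in the beta profile

function New-OnboardingTap {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        # Azure AD allows a TAP lifetime between 10 minutes and 30 days (43200 minutes)
        [ValidateRange(10, 43200)][int]$LifetimeInMinutes = 30
    )
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName

    # Only one TAP may exist per user: remove a stale one before issuing a new one
    Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id | ForEach-Object {
        Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id `
            -TemporaryAccessPassAuthenticationMethodId $_.Id
    }

    # One-time use plus a short lifetime keeps the window for a leaked pass small
    $tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id `
        -IsUsableOnce -LifetimeInMinutes $LifetimeInMinutes

    # The pass value is returned only at creation; hand it to the user out of band
    [pscustomobject]@{
        User      = $user.UserPrincipalName
        Pass      = $tap.TemporaryAccessPass
        ExpiresAt = $tap.StartDateTime.AddMinutes($tap.LifetimeInMinutes)
        OneTime   = $tap.IsUsableOnce
    }
}

# Placeholder UPN; replace with the user being onboarded
New-OnboardingTap -UserPrincipalName "user@example.com" -LifetimeInMinutes 30
```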

Part 2. Use TAP as Sign-in for enabling strong authentication method (FIDO2 Security Key)

The end user navigates to My Security Info and then enters their email.

Instead of being prompted for their password, the end user will be prompted to enter their Temporary Access Pass instead.

Sign-In successful!

Let’s add Security Key as authentication method. Select Add method, choose Security key and click Add.

Select the type of the security key.

Insert the Security Key into the PC, then select Next.

Verify with OK, twice.

Time to create a PIN for this security key.

Verify with OK.

Finish the setup by touching the security key.

Finally, the end user needs to name the security key.

All Set!

We see that Security key now is available as an authentication method besides Temporary access pass.

Part 3. FIDO2 Security Key Sign-In, Autopilot Enrollment and Windows Hello for Business Provisioning

The end user has a new Windows 10 device that is registered in Windows Autopilot, and the end user has access to the newly enrolled Security Key. The computer is powered on and the end user goes through the initial OOBE steps until arriving at the Sign-in screen.

Insert the security key into the PC. Here, the end user selects Sign in with security key, enters their security key PIN and confirms their presence by touching the security key.

After successful Sign-In, Autopilot Enrollment is initiated.

Scenario A – Personal Device (WHfB Enrollment)
If the user or device is targeted with a Windows Hello for Business policy (from MEM), WHfB enrollment will usually initiate at the next sign-in. This is the most suitable authentication method if the device is a personal device. When the Autopilot provisioning is done, the end user is prompted to set up Windows Hello for Business.

Windows Hello for Business enrollment is initiated and, since the PC has a fingerprint sensor, that method is presented first.

The end user then sets up the PIN for WHfB, which is encrypted and safely stored locally in the PC's TPM chip.

Success! Enrollment and Sign-In without using a password!

Scenario B – Shared Device (FIDO2 Windows Sign-in)
When the Autopilot provisioning is done (and no Windows Hello for Business policy is targeted at the user), the end user can now sign in to Windows with their Security Key instead of a password. This is the ideal authentication method when the device is shared or when mobile devices aren't an option as an MFA method.

The end user selects Sign-in options, then selects FIDO security key and inserts the key into the PC.

Enter PIN, then touch the security key.

Success! Enrollment and Sign-In without using a password!

For passwordless sign-in to Windows, see the specific requirements for Azure AD Joined and Hybrid Azure AD Joined devices. If the device is running Windows 10 version 1903 or later, end users can manage their security key biometrics and PIN, or reset their security key, themselves under:
Windows Settings > Accounts > Security Key

As noted under Known Issues, administrator provisioning and de-provisioning of security keys is not yet available. However, as administrators we can at least remove the authentication method in Azure AD.
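An added example (not the blog's own code) of that administrative removal: it lists the FIDO2 security keys a user has registered and removes the one matching the display name the user gave it during enrollment, for instance when a key is lost or an employee leaves. It assumes Connect-MgGraph with UserAuthenticationMethod.ReadWrite.All and the beta profile as in Part 1; the UPN and key name are placeholders.

```powershell
# Added example, not from the original post. Assumes an existing Connect-MgGraph
# session with UserAuthenticationMethod.ReadWrite.All and Select-MgProfile -Name beta.

function Get-UserFido2Key {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # Graph accepts either the object ID or the UPN as the user identifier
    Get-MgUserAuthenticationFido2Method -UserId $UserPrincipalName |
        Select-Object Id, DisplayName, Model, AttestationLevel, CreatedDateTime
}

function Remove-UserFido2Key {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        # The friendly name the end user typed in the last enrollment step
        [Parameter(Mandatory)][string]$DisplayName
    )
    $keys = Get-MgUserAuthenticationFido2Method -UserId $UserPrincipalName |
        Where-Object { $_.DisplayName -eq $DisplayName }
    if (-not $keys) {
        throw "No security key named '$DisplayName' is registered for $UserPrincipalName"
    }
    foreach ($key in $keys) {
        Remove-MgUserAuthenticationFido2Method -UserId $UserPrincipalName `
            -Fido2AuthenticationMethodId $key.Id
        Write-Host "Removed key '$($key.DisplayName)' ($($key.Model)) for $UserPrincipalName"
    }
}

# Placeholder UPN and key name
Get-UserFido2Key -UserPrincipalName "user@example.com"
Remove-UserFido2Key -UserPrincipalName "user@example.com" -DisplayName "Office YubiKey"
```

Removing the method only unregisters the credential in Azure AD; the credential stored on the key itself is untouched, which is the de-provisioning gap the Known Issues note refers to.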
