Introduction
Some time ago I was asked by FEITIAN if I would like to test their FIDO2 key. I said yes, because I am in a project where we will onboard Microsoft HoloLens devices in production. In that journey we will use FIDO2 keys together with Windows Hello for Business to complete our passwordless journey, make usability much better and stay secure.
On our blog we have already written about FIDO2 and the passwordless journey here and here, but I wanted to add the HoloLens angle to the FIDO2 use case.
The key I am using is the FEITIAN K40:
ePass FIDO® -NFC Series Duo-interface Security Keys | FEITIAN (ftsafe.com)
Here are some scenarios that help you determine your authentication model. In this blog post we focus on the frontline worker.
| Persona | Scenario | Environment | Passwordless technology |
|---|---|---|---|
| Admin | Management tasks | Windows 10 device | WHfB and/or FIDO2 |
| Admin | Management tasks | Mobile or non-Windows | Authenticator app |
| Information worker | Work | Windows 10 device | WHfB and/or FIDO2 |
| Information worker | Work | Mobile or non-Windows | Authenticator app |
| Frontline worker | Factory, plant, retail | Shared Windows 10 | FIDO2 |
Requirements
- Azure AD Premium P1 (needed for the Conditional Access policy recommended below)
- Microsoft Endpoint Manager (Intune)
- A Microsoft-compatible FIDO2 security key
- Azure AD joined devices: Windows 10 1903 or later
- Hybrid Azure AD joined devices: Windows 10 2004 (20H1) or later
- Combined security information registration enabled
- Azure AD Multi-Factor Authentication
Compatible FIDO2 keys
Microsoft maintains a list of FIDO2 security keys that are compatible with Azure AD. Follow the link for more information and for links to the individual vendors.
Source: Azure Active Directory passwordless sign-in | Microsoft Docs
Combined registration
Before combined registration existed, users had to register once for MFA and again for self-service password reset. Now the two are "combined", and registration is easier for the users.
Go to the Azure portal (https://portal.azure.com/), then Azure Active Directory > User settings > Manage user feature settings, and check that "Users can use the combined security information registration experience" is set to All (or to the group you are rolling out to).
New tenants have this setting enabled by default; that has been the case for tenants created on or after 15 August 2020.
Best practice is to also create a Conditional Access policy for the user action "Register security information", so that users can only register security info from a trusted location (or after completing MFA). An attacker who has phished a password must not be able to enrol their own FIDO2 key from anywhere. More about that here:
Enable combined security information registration – Azure Active Directory | Microsoft Docs
Enable FIDO2 security key method
Before users can register a FIDO2 key as an authentication method, the method must be enabled in the tenant. This can be done for all users or only for a specific group.
Sign in to the Azure portal and go to Azure Active Directory > Security > Authentication methods > FIDO2 security key.
Enable the method, target All users or the group that should get keys, and Save. The same blade lets you enforce attestation and restrict registration to specific key models by AAGUID. For a frontline fleet where you hand out one key model, an allow-list of that model's AAGUID is worth setting, so that users cannot register an arbitrary key you have not vetted.
Seen from the user's perspective: user registration of a FIDO2 key
Sign in to Security info (https://aka.ms/mysecurityinfo)
Authenticate with your credentials
Choose Add method
Select Security key and press Add
You will be prompted for MFA
Insert the FIDO2 key into your device
Create a PIN for the key
Touch the FIDO2 key and hold your finger on it until it prompts for a name
Give the key a name
Not very hard? I think it is easy, but some non-technical users might have trouble doing this. Luckily this is done only once, and afterwards the user is good to go, signing in with just the FIDO2 key.
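The two admin-side steps above (enabling the method for a group, and checking what a user has actually registered) can also be done with Microsoft Graph. The following PowerShell is an added example, not code from the original post or from FEITIAN: it enables the FIDO2 method for one group with attestation enforced and an AAGUID allow-list, then lists one user's registered keys and flags any whose AAGUID is not on the list. It requires the Microsoft.Graph PowerShell SDK; the group id, the UPN and the AAGUID are placeholders that you replace with your own values (the AAGUID of your key model comes from the vendor's metadata or from a key you have already registered).

```powershell
# Added example (not from the original post). Enables the FIDO2 security key
# method via Microsoft Graph with an AAGUID allow-list, then audits one user's
# registered keys against that list. Requires the Microsoft.Graph SDK.
# Group id, UPN and AAGUID below are placeholders (assumptions), not real values.

Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "UserAuthenticationMethod.Read.All"

# Placeholder: Azure AD group whose members may use security keys (e.g. frontline workers).
$targetGroupId = "00000000-0000-0000-0000-000000000000"

# Placeholder AAGUIDs of the key model(s) you hand out.
$allowedAaguids = @(
    "11111111-2222-3333-4444-555555555555"
)

$fido2Policy = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationAllowed = $true    # users register keys themselves in Security info
    isAttestationEnforced            = $true    # only keys whose attestation Microsoft can verify
    keyRestrictions                  = @{
        isEnforced      = $true
        enforcementType = "allow"               # "allow" = only listed AAGUIDs; "block" = all but listed
        aaGuids         = $allowedAaguids
    }
    includeTargets                   = @(
        @{ targetType = "group"; id = $targetGroupId; isRegistrationRequired = $false }
    )
}

Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2" `
    -Body ($fido2Policy | ConvertTo-Json -Depth 5) `
    -ContentType "application/json"

# Audit: list the keys one user has registered and flag any not on the allow-list.
$userUpn = "frontline.worker@contoso.example"   # placeholder UPN
$keys = (Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/users/$userUpn/authentication/fido2Methods").value

foreach ($k in $keys) {
    $status = if ($allowedAaguids -contains $k.aaGuid) { "allowed" } else { "NOT on allow-list" }
    "{0,-25} model={1,-30} aaguid={2} attestation={3} registered={4} [{5}]" -f `
        $k.displayName, $k.model, $k.aaGuid, $k.attestationLevel, $k.createdDateTime, $status
}
```

Run the audit part on its own whenever you want to know which key models are in use in the tenant; the `aaGuid` it prints for a registered key is exactly the value you put in the allow-list.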
Configuring Windows Hello for Business for HoloLens
Sign in to https://endpoint.microsoft.com/#home
Go to Devices > Configuration profiles and choose Create profile.
Choose the platform and profile type (Windows 10 and later, Settings catalog) and press Create.
Naming structure: the prefix HL2 means HoloLens 2.
Add settings
Before searching for your settings, filter on the platform your policy must support: choose Add filter and select Holographic for Business. That way you only see settings that actually apply to HoloLens.
Under Windows Hello for Business I have chosen a minimum PIN length of 6 to raise security a notch.
I also require the device to have a TPM (HoloLens 2 ships with one).
And I allow the device to use a security key for sign-in.
Click Next
If you do not already have a group for your HoloLens devices, create one, preferably a dynamic device group.
Select the group and click Next
Click Next
Click Create
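The three settings picked in the Settings catalog above map to nodes in the PassportForWork CSP, which is what actually lands on the device. The following PowerShell is an added example, not the post's own procedure: it expresses the same policy (minimum PIN length 6, TPM required, security key sign-in allowed) as a custom configuration profile created through Microsoft Graph and assigns it to a device group. That is handy if you keep policies in source control or need to reproduce them in another tenant. The group id is a placeholder; the tenant id is read from the Graph session because the PassportForWork policy nodes are scoped per tenant.

```powershell
# Added example (not the post's own steps). Pushes the Windows Hello for
# Business settings from the post as PassportForWork CSP nodes in a custom
# configuration profile via Microsoft Graph, then assigns it to a device group.
# Requires the Microsoft.Graph SDK; the group id is a placeholder (assumption).

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$tenantId      = (Get-MgContext).TenantId                 # policy nodes live under the tenant id
$holoLensGroup = "00000000-0000-0000-0000-000000000000"   # placeholder: your HoloLens device group
$csp           = "./Device/Vendor/MSFT/PassportForWork"

$whfbProfile = @{
    "@odata.type" = "#microsoft.graph.windows10CustomConfiguration"
    displayName   = "HL2 - Windows Hello for Business - FIDO2"
    description   = "WHfB: 6-digit minimum PIN, TPM required, security key sign-in allowed"
    omaSettings   = @(
        @{
            "@odata.type" = "#microsoft.graph.omaSettingBoolean"
            displayName   = "Use Windows Hello for Business"
            omaUri        = "$csp/$tenantId/Policies/UsePassportForWork"
            value         = $true
        },
        @{
            "@odata.type" = "#microsoft.graph.omaSettingBoolean"
            displayName   = "Require TPM"
            omaUri        = "$csp/$tenantId/Policies/RequireSecurityDevice"
            value         = $true
        },
        @{
            "@odata.type" = "#microsoft.graph.omaSettingInteger"
            displayName   = "Minimum PIN length"
            omaUri        = "$csp/$tenantId/Policies/PINComplexity/MinimumPINLength"
            value         = 6                              # CSP allows 4..127
        },
        @{
            "@odata.type" = "#microsoft.graph.omaSettingInteger"
            displayName   = "Allow security key sign-in"
            omaUri        = "$csp/SecurityKey/UseSecurityKeyForSignin"
            value         = 1                              # 1 = allowed, 0 = not allowed
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations" `
    -Body ($whfbProfile | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Assign the new profile to the HoloLens group
$assignment = @{
    assignments = @(
        @{
            "@odata.type" = "#microsoft.graph.deviceConfigurationAssignment"
            target        = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = $holoLensGroup
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType "application/json"
```

Do not deploy both this custom profile and the Settings catalog profile to the same devices: two profiles writing the same CSP node produce a conflict in Intune, and the device reports an error for the setting rather than picking one.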
Windows 10 sign-in experience using FIDO2
I currently don't have a HoloLens to test this on, but on a regular Windows 10 device the sign-in process looks like this.
Select the security key sign-in option and enter the PIN of your FIDO2 key
Touch the FIDO2 key so it knows you are physically present at the device
Summary
To raise security in your company, introducing passwordless sign-in is a good idea, and your users might actually love it. The FIDO2 scenario and HoloLens 2 are a perfect fit for each other. Go try it out yourself.
Happy testing!
Sources:
Azure Active Directory passwordless sign-in | Microsoft Docs
Passwordless security key sign-in – Azure Active Directory | Microsoft Docs
Limiting password use | Microsoft Docs
Mattias Melkersen is a community driven and passionate modern workplace consultant with 20 years’ experience in automating software, driving adoption and technology change within the Enterprise. He lives in Denmark and works at Mindcore.
He is an Enterprise Mobility (Intune) MVP, Official Contributor in a LinkedIn group with 41,000 members, and a Microsoft 365 Enterprise Administrator Expert.
Mattias blogs, gives interviews and creates YouTube content on the channel "MSEndpointMgr", where he produces helpful content in the MEM area and interviews MVPs who showcase a particular technology or topic.
Official Contributor here "Modern Endpoint Management":
https://www.linkedin.com/groups/8761296/