Search This Blog

Monday, June 7, 2021

Passwordless using FIDO2 security key with HoloLens 2

Introduction

Some time ago I was asked by FEITIAN if I would like to test their FIDO2 key. I said yes, because I am in a project where we will onboard Microsoft HoloLens’s in production, in that journey, we will make use of FIDO2 keys + Windows Hello for Business to meet our password-less journey and to make the usability much better and stay secure.

On our blog we have already written about FIDO2 and the password less journey here and here, but I wanted to put the HoloLens angle to the use case of FIDO2.

The key I am using is the K40

ePass FIDO® -NFC Series Duo-interface Security Keys | FEITIAN (ftsafe.com)

clip_image002

 

Here is some scenarios how to determine your authentication model, where we in this blog post will be focusing on the Frontline worker.

Persona

Scenario

Environment

Passwordless technology

Admin

Management tasks

Windows 10 device

WHfB and / or FIDO2

Admin

Management tasks

Mobile or non-windows

Authenticator app

Information worker

Work

Windows 10 device

WHfB and / or FIDO2

Information worker

Work

Mobile or non-windows

Authenticator app

Frontline worker

Factory, plant, retail

Shared windows 10

FIDO2


Requirements

  • AAD P1
  • Endpoint Manager
  • Microsoft compatible FIDO2 key
  • For AAD only Windows 10 1903 or higher
  • For hybrid Windows 10 20H1 or higher
  • Combined security registration
  • MFA

 

Compatible FIDO’s

Here is a list of compatible FIDO’s. You can also follow the link for more information and with link to the different vendors.

clip_image004

Source: Azure Active Directory passwordless sign-in | Microsoft Docs

Combined registration

Before combined registrations were here, users had to register one place for MFA and again for self-service password reset. Now they are “Combined” and easier to register for the users.

Go to the azure portal https://portal.azure.com/

clip_image006

clip_image008

clip_image010

 

As you can see new tenants have this setting by default. It has been like this since 15th august 2020.

clip_image012

 

Best practice is to also create a Conditional Access rule to only allow access to combined registrations from a trusted location. More about that here:

Enable combined security information registration - Azure Active Directory | Microsoft Docs

 

Enable FIDO2 security key method

Before users will be able to use FIDO as an authentication method, it must be enabled in the tenant. This can be done for all users or only for a specific group.

Sign into the azure portal

https://portal.azure.com/

clip_image013

clip_image015

clip_image017

clip_image019

 

Set settings as specified and Save

clip_image021

clip_image023

 

Seen from the user’s perspective - User registration of FIDO2

Sign into security info

https://aka.ms/mysecurityinfo/

Authenticate with your credentials

Add method

clip_image025

 

Security key and press add

clip_image027

 

You will need to provide MFA

clip_image029

clip_image031

 

Insert the FIDO key into your device

clip_image033

clip_image035

clip_image037

 

Add a pin

clip_image039

 

touch the FIDO and hold your finger on it until it prompts for a name.

clip_image041

Give it a name

clip_image043

clip_image045

Not very hard? I Think it is easy but maybe some non-techie would have trouble doing this. Luckily this is only to be done once and then the user will be good to go just using the FIDO.

 

Configuring Windows Hello for Business for HoloLens

Sign in to https://endpoint.microsoft.com/#home

clip_image047

clip_image049

clip_image051

Create profile

clip_image053

 

Choose this platform that this profile type. Press create.

clip_image055

 

Naming structure – HL2 = Hololens 2

clip_image057

 

Add settings

clip_image059

 

Before searching for your settings make sure you only search on the platform for what you need your policy to support. Add filter choose Holographic for Business

clip_image061

clip_image063

 

I’ve chosen to have a minimum of 6 pin length to level up on security.

Also, I require the device to have a TPM.

I allow the device to use security key for sign in.

Click Next

clip_image065

clip_image067

 

If you do not already have a group for HoloLens’s, you can create one and preferable a dynamic group.

Select and click next

clip_image069

 

Click next

clip_image071

 

Click Create

clip_image073

 

Windows 10 login experience using FIDO

I currently don’t have a HoloLens to do this on, but seen on a regular Windows 10 device, this is the process how to logon.

clip_image075

 

Insert pin to your FIDO key

clip_image077

 

Touch the FIDO key so it knows you are physically at the device.

clip_image079

 

Summary

To raise the security in your company introducing passwordless is a good idea. At the same time, your users might actually love it. Now the FIDO2 scenario and HoloLens 2 are a perfect fit for each other. Go try it out yourself.

Happy testing!

 

Sources:

Azure Active Directory passwordless sign-in | Microsoft Docs

Passwordless security key sign-in - Azure Active Directory | Microsoft Docs

Limiting password use | Microsoft Docs

No comments:

Post a Comment