Passwords: with or without you

A couple of days ago, I had a small conversation with John Nabil Iskander on twitter:

So, here we go. As announced at Ignite 2018, Microsoft customers can now live without passwords. After phone sign-in and Windows Hello, of course, we now have security key support, which means you can sign in to your Windows 10 AAD-joined device with one of these little friends:

(There are also other hardware suppliers)

Microsoft is currently rolling out the public preview of this feature to all tenants worldwide. When it is enabled in your tenant, you will find a new item under AAD / Authentication Methods in the Azure Portal called “Authentication method policy”:

As you can see above, the methods are empty. You might have to enable the preview feature for some or all of your users:

After a few minutes (yes, please grab a coffee or two), the new authentication methods appeared in my tenant:

In the meantime, you can configure an Intune device configuration policy targeting those users you would like to allow to sign in with their security key. To do so, go to Intune / Device Configuration / Profiles / Create Profile / Custom.

Configure the new profile with the following settings:

  1. Name: Security Keys for Windows Sign-In
  2. Description: Enables FIDO Security Keys to be used during Windows Sign In
  3. Platform: Windows 10 and later
  4. Platform type: Custom
  5. Custom OMA-URI Settings:
    1. Name: Turn on FIDO Security Keys for Windows Sign-In
    2. OMA-URI: ./Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin
    3. Data Type: Integer
    4. Value: 1

(source)

Then assign this policy to the audience of your choice.
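The same profile can be created and assigned without clicking through the portal. The following is an added example (not from the original post) that builds the custom OMA-URI profile from the steps above with the Microsoft Graph PowerShell SDK, assigns it to a group, and reads it back to confirm the value stored is 1; the group object id is a placeholder you must replace.

```powershell
# Added example: create the "Security Keys for Windows Sign-In" custom profile
# via Microsoft Graph (v1.0), assign it, and verify the stored OMA-URI value.
# Assumes the Microsoft.Graph PowerShell SDK is installed and an account with
# rights to manage Intune device configurations.

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$GroupId = "<object-id-of-target-group>"   # placeholder: replace before running

# Same settings as the manual steps above
$profileBody = @{
    "@odata.type" = "#microsoft.graph.windows10CustomConfiguration"
    displayName   = "Security Keys for Windows Sign-In"
    description   = "Enables FIDO Security Keys to be used during Windows Sign In"
    omaSettings   = @(
        @{
            "@odata.type" = "#microsoft.graph.omaSettingInteger"
            displayName   = "Turn on FIDO Security Keys for Windows Sign-In"
            omaUri        = "./Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin"
            value         = 1
        }
    )
}

$baseUri = "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations"
$created = Invoke-MgGraphRequest -Method POST -Uri $baseUri -Body $profileBody

# Assign the new profile to the chosen group
$assignmentBody = @{
    assignments = @(
        @{
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = $GroupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$baseUri/$($created.id)/assign" -Body $assignmentBody

# Read the profile back and check that the setting landed with the expected value
$check   = Invoke-MgGraphRequest -Method GET -Uri "$baseUri/$($created.id)"
$setting = $check.omaSettings | Where-Object { $_.omaUri -like "*UseSecurityKeyForSignin" }
if (-not $setting -or $setting.value -ne 1) {
    throw "UseSecurityKeyForSignin was not stored with value 1 on profile $($created.id)"
}
Write-Host "Profile $($created.id) created, assigned to $GroupId, setting verified."
```

The device still has to sync with Intune before the sign-in option appears on the lock screen, so verify on a test device after the next check-in.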

Once the authentication methods have arrived in your tenant, click one of them to enable and configure it:

Do not change the “key restriction policy” settings. This functionality will be available when the product goes GA. After enabling the FIDO2 security key method, I also enabled “Authenticator passwordless sign-in”:

After this configuration is done, go to https://myprofile.microsoft.com, click “Security Info” and add “security key” as a new sign-in method (you can use Edge for this; however, it looks like Chredge (Edge Beta) is not supported yet):

I chose a USB device then:

Get your key ready:

Now the browser is interacting with the operating system:

I then had to touch the YubiKey and could finish the setup:

Now, let's see what this looks like:

Conclusion

Security keys are a secure alternative to Hello for Business with PIN login when you have older devices that do not support biometric authentication. If you rely on a device PIN alone, a co-worker only needs to watch you type it in to log on to your machine while you are off drinking coffee. With a security key, you take the key with you, which adds an extra layer of security.

I am still waiting for the ability to disable certain authentication methods for specific users from an admin perspective (I would love to disable password sign-in, for example); however, what we got today is a big step towards a password-less world.