Multi-factor authentication (MFA) is a great way to secure your organization, but users often get frustrated with the additional security layer on top of having to remember their passwords. Passwordless authentication is more convenient: the password is removed and replaced by something you have (the key or device), combined with something you are (a biometric) or something you know (a PIN). It is still multi-factor; it just drops the factor users dislike most.
Multi-factor authentication comes in many forms. In the Microsoft stack several authentication methods are available today; the following three let an organisation go passwordless:
- Windows Hello for Business
- Microsoft Authenticator app
- FIDO2 security keys
Multi-factor authentication is based on the following principles:
- Something you know – knowledge factors: passwords, PIN codes, security questions. These are the most common methods of online user authentication.
- Something you have – possession factors: something the user owns or carries, such as a physical key, an ID card or a security token.
- Something you are – inherence factors: something a user is or does, such as a fingerprint, a retinal scan, voice pattern recognition or even a DNA sequence.
As a security consultant I always try to be up to date with the latest developments in the field of software and hardware. Even in the world of cyber security, suppliers of security products know how to provide us with the latest security devices. Today I was introduced to the Feitian K26 security key!
The Feitian K26 Security Key
It’s a nicely designed USB-C key with a fingerprint reader on top. To make the security key part of your day-to-day travel, a keyring hole is provided, so you can easily attach it to your keychain.
I have had the USB key attached to my keychain for 2 months now and it seems to be really durable for daily use. By daily use I mean dirt, rain/water resistance, and putting it in your pocket and grabbing the keychain multiple times a day! The key still seems to be undamaged!
For the observant viewers: it’s true that I have 2 security keys! One Yubico YubiKey 5 with NFC and now the Feitian K26 with fingerprint sensor!
PRO TIP: It is recommended to have at least two security keys set up! If you lose or break one, you still have a spare key. You can leave the second key somewhere safe, for example in a vault at home or at the office.
Setup the Key and go Passwordless!
To set up the key, I went to https://www.ftsafe.com/ and downloaded the BioPass FIDO2 Manager. This small executable allows you to enrol your fingerprints. It is really easy to set up, and you can enrol multiple fingers as well. The whole process takes just 1 minute for 2 fingers. Easy as that. If your company allows it, you can also enrol your fingerprints through the Windows Hello (Settings > Sign-in options > Security Key) menu.
Set-up with Azure AD / Office 365
Now that the key has been set up, we can register it as a personal sign-in method in Azure AD.
Please note: in this demo I’ll show it from an end-user perspective. Before you can allow these kinds of devices in your organisation, you need to perform some configuration and meet the prerequisites on your Azure tenant (the FIDO2 security key authentication method has to be enabled for your users).
Third-party MFA partner integration is a feature that requires Azure AD Premium P1 licenses.
First of all, log in to your Office 365 tenant, click on your profile picture and then go to “My Account”.
Click on “Security and privacy” and then on “Additional security verification”. You will be redirected to your account page, where you can set up alternative authentication methods.
Or you can navigate directly to the new (preview) portal: https://mysignins.microsoft.com/
Click on “Add method” and then select “Security key” in the drop-down menu.
Depending on the type of key, you can add an NFC-enabled key (for use with mobile phones, or when your laptop has an NFC reader) or a USB device. The most common option for now is the USB device.
In the next step, plug in your security key and press the button or sensor (in this case the fingerprint reader).
Testing logging on to SharePoint Online
As the key is now set up for Azure and Office 365, you can sign in with a press on the security key (of course with the correct finger!) 😉
First go to the SharePoint page of your company (in my case this is Portiva):
Don’t enter your username/e-mail, but click on “Sign-in options”.
Then select “Sign in with Windows Hello or a security key”.
The following screen asks you to insert the USB key and then to touch the button or put your finger on the fingerprint reader.
You are now successfully authenticated and may proceed to Office 365!
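What actually happens at the moment you put your finger on the key in the last step, and how “something you have” and “something you are” from the factors list above show up in the protocol, is easiest to see from the relying-party side. The following is an added example, not code from the original post and not Microsoft’s or Feitian’s code: it parses the authenticator data a FIDO2 key returns with an assertion and applies the policy checks a service makes before it verifies the signature. A touch on the key sets the User Present (UP) flag; the fingerprint (or a PIN) additionally sets the User Verified (UV) flag, which is what passwordless sign-in requires. The RP ID login.microsoftonline.com is assumed to be the one Azure AD scopes keys to, and the clientDataJSON and counter values are constructed sample values. Signature verification itself needs the credential’s public key and a crypto library, so the function returns the exact bytes the key signed for the caller to verify.

```python
"""Relying-party checks on a FIDO2/WebAuthn assertion.

Added example: parses the authenticator data a security key returns when you
touch it and applies the policy checks a service makes before verifying the
signature. No real key or Microsoft code is involved; all inputs are constructed.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, Tuple

# Flag bits in the authenticator data (WebAuthn Level 2, section 6.1).
FLAG_UP = 0x01  # User Present: the key was touched ("something you have")
FLAG_UV = 0x04  # User Verified: PIN or biometric, e.g. the K26 fingerprint ("something you are")

# Assumption: the RP ID Azure AD scopes security keys to.
RP_ID = "login.microsoftonline.com"
# Constructed sample clientDataJSON; a real one carries the server's challenge.
CLIENT_DATA = b'{"type":"webauthn.get","challenge":"c29tZS1jaGFsbGVuZ2U","origin":"https://login.microsoftonline.com"}'


@dataclass
class AuthenticatorData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    @property
    def user_present(self) -> bool:
        return bool(self.flags & FLAG_UP)

    @property
    def user_verified(self) -> bool:
        return bool(self.flags & FLAG_UV)


def parse_authenticator_data(raw: bytes) -> AuthenticatorData:
    """Parse the fixed prefix: rpIdHash(32) || flags(1) || signCount(4, big-endian)."""
    if len(raw) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    (sign_count,) = struct.unpack(">I", raw[33:37])
    return AuthenticatorData(rp_id_hash=raw[:32], flags=raw[32], sign_count=sign_count)


def build_authenticator_data(rp_id: str, *, up: bool, uv: bool, sign_count: int) -> bytes:
    """Build assertion authenticator data the way a key would (test fixture only)."""
    flags = (FLAG_UP if up else 0) | (FLAG_UV if uv else 0)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def check_assertion(auth_data: bytes, client_data_json: bytes, rp_id: str,
                    stored_sign_count: int, require_uv: bool = True) -> Tuple[bool, str, bytes]:
    """Policy checks before signature verification.

    Returns (accepted, reason, message_to_verify). The caller still has to
    verify the credential's signature over message_to_verify with the public
    key stored at registration; that needs a crypto library and is not done here.
    """
    ad = parse_authenticator_data(auth_data)
    # The key binds the assertion to the RP ID the browser derived from the
    # origin, so an assertion produced on a look-alike domain never matches.
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch: assertion made for a different RP ID", b""
    if not ad.user_present:
        return False, "UP flag not set: the key was not touched", b""
    # Passwordless sign-in needs UV: a touch-only key proves possession but
    # not that the person holding it is the enrolled user.
    if require_uv and not ad.user_verified:
        return False, "UV flag not set: touch only, no PIN or fingerprint", b""
    # The counter must strictly increase (when the key implements one), so a
    # cloned key replaying an older counter value is noticed.
    if (ad.sign_count or stored_sign_count) and ad.sign_count <= stored_sign_count:
        return False, f"signCount {ad.sign_count} not above stored {stored_sign_count}", b""
    # Exactly what the authenticator signed: authData || SHA-256(clientDataJSON).
    return True, "ok", auth_data + hashlib.sha256(client_data_json).digest()


def demo() -> Dict[str, bool]:
    """Run four constructed assertions against a stored counter of 11."""
    stored = 11
    cases = {
        "fingerprint_key": build_authenticator_data(RP_ID, up=True, uv=True, sign_count=12),
        "touch_only_key": build_authenticator_data(RP_ID, up=True, uv=False, sign_count=12),
        "replayed_counter": build_authenticator_data(RP_ID, up=True, uv=True, sign_count=11),
        "other_rp_id": build_authenticator_data("example.com", up=True, uv=True, sign_count=12),
    }
    return {name: check_assertion(ad, CLIENT_DATA, RP_ID, stored)[0] for name, ad in cases.items()}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Only the fingerprint-key case is accepted: the touch-only key lacks UV, the replayed assertion does not advance the counter, and the assertion for another RP ID fails the rpIdHash comparison, which is the property that makes a security key phishing-resistant where a password or one-time code is not.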
Want to know more about going passwordless with your organisation?