Azure AD: FIDO2 Security Key Roundup and Review

Updated: September 15th, 2022

FIDO2 security keys are increasingly becoming the “modern smartcard” for organizations that are looking to go passwordless within the Microsoft ecosystem of cloud and hybrid identity. As with Windows Hello for Business (WHfB), they provide the power of asymmetric key-pair based authentication. But unlike WHfB, where the key-pair is bound to the TPM, FIDO2 security keys allow for secure portability of those credentials. The private key still never leaves the FIDO2 security key, but you have the convenience of using the same set of credentials on whatever device you connect it to.

So here I am, with a smattering of FIDO2 security keys (referred to further within just as security keys or simply keys). While there are a series of articles out there about security keys, most of them focus on the consumer side and the range of features they support – some keys support FIDO U2F, FIDO2, smartcard, OTP, and so on. I’ll be looking at their usability within the enterprise with Azure AD.

While I have an initial round of keys I’m reviewing, I hope to continue adding additional keys over time; I’ll update this post accordingly when the list grows. Even with the initial release, I still have reviews of some keys pending, but I wanted to get the ones I have tested out the door. If during a specific key review or the process I become enlightened about something important, I’ll update this post as well, unless it’s important/big enough to warrant its own.

Before we jump into things, just a few notes:

  • Some of these keys I’ve purchased myself, and some of them have been provided to me by the vendor. Regardless, that does not influence the review of the key. If you are a vendor and see a model missing that you would like within the review, please reach out to me on LinkedIn or Twitter.
  • I’m an identity nerd, not a salesperson. The only thing I want to sell you is going passwordless.
  • I don’t provide an objective score, which is on purpose. I want to provide insight into the devices and let you decide for yourself.
  • Any links to Amazon are affiliate links – it helps pay the bills for the site.
  • I’m aware of some formatting issues of the tables on mobile devices that require a lot of scrolling 🙃

The Contenders

I’m starting off with the following, which is a mix of vendors and types of keys. For a full list of key vendors, see the Microsoft documentation, FIDO2 Security Key Providers | Microsoft Docs.

| Vendor | Model | Style | USB | Notes |
|---|---|---|---|---|
| AuthenTrend | ATKey.Card | Card | A | |
| Feitian | ePass K9 | Key | A | |
| Feitian | MultiPass K16 | Fob | A | 5 |
| Feitian | MultiPass K32 | Fob | C | 5 |
| Feitian | BioPass K27 | Key | A | 3 |
| Feitian | Fingerprint Card | Card | A | 6, 7 |
| GoTrust | Idem Card | Card | A | 8 |
| GoTrust | Idem Key | Key | A | 3 |
| Hypersecu | HyperFIDO | Thumb drive | A | 2 |
| Identiv | uTrust FIDO2 NFC | Key | A | 1, 3 |
| IDmelon | Authenticator | Mobile app | | 9 |
| SoloKeys | Solo 1 Tap | Key | A | |
| Thetis | FIDO2 Security Key | Thumb drive | A | 2 |
| Token2 | T2F2-Bio | Thumb drive | A | 2 |
| Token2 | T2F2-mini | Nano key | A | |
| Token2 | T2F2-NFC-Slim | Key | A | |
| TrustKey | T110 | Key | A | 3 |
| TrustKey | G320H | Key | C | 4 |
| Yubico | YubiKey 5 NFC | Key | A | 3 |
| Yubico | YubiKey 5C | Mini key | C | |
| Yubico | YubiKey 5 Nano | Nano key | A | |
| Yubico | YubiKey Bio | Key | A | 3 |
  1. Key vendor indicates PIV is the only method supported by NFC
  2. These keys have a form factor like a USB thumb drive, but are not actually USB memory devices
  3. A design and feature parity model exists with USB-C
  4. A design and feature parity model exists with USB-A
  5. Key vendor indicates Windows is not supported with Bluetooth
  6. Key requires a separate USB attachment for providing power
  7. Key requires a separate USB attachment for Bluetooth to function
  8. Key requires a separate USB device for charging
  9. Review is still pending

The Criteria

Microsoft Compatible and Verified

When an organization comes across this, the first thought might be, “does Microsoft have some non-standard, Microsoft-special implementation of the standards?” Thankfully, that is not the case.

Per the docs article, Microsoft-compatible security key – Windows security | Microsoft Docs, a security key must support the following optional extensions from the FIDO2 CTAP protocol:

| Feature/Extension | Requirement Reason |
|---|---|
| Resident key | Enables the security key to be portable |
| Client pin | Enables you to protect your credentials with a second factor |
| hmac-secret | Extension ensures you can sign in to your device when it’s offline or in airplane mode |
| Multiple accounts per RP | Ensures you can use the same security key across multiple services, such as Azure AD and Microsoft personal accounts (MSA) |

And when we enumerate that list of requirements, we can understand why these optional components of the protocol are specified.
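Three of the four requirements in that table are visible in what a key reports about itself: the CTAP2 authenticatorGetInfo response is a CBOR map whose `options` carry `rk` (resident key) and `clientPin`, and whose `extensions` list carries `hmac-secret`. The following is an added example, not code from the original post or from Microsoft, that decodes such a response and checks it against the table. The getInfo bytes are constructed for the example (the option values are illustrative, not a measurement of any key); the AAGUID used in them is the one this page lists for the Feitian ePass K9. The fourth requirement, multiple accounts per RP, is not reported by getInfo and has to be tested by registering two credentials for one RP.

```python
import uuid


def _decode_item(buf: bytes, pos: int):
    """Decode one CBOR item at pos; return (value, next_pos). Covers the subset CTAP getInfo uses."""
    if pos >= len(buf):
        raise ValueError("unexpected end of CBOR data")
    initial = buf[pos]
    major, info = initial >> 5, initial & 0x1F
    pos += 1
    if info < 24:                       # argument encoded in the initial byte
        arg = info
    elif info in (24, 25, 26, 27):      # 1, 2, 4 or 8 following bytes
        width = 1 << (info - 24)
        arg = int.from_bytes(buf[pos:pos + width], "big")
        pos += width
    else:
        raise ValueError(f"unsupported additional info {info} at offset {pos - 1}")
    if major == 0:                      # unsigned integer
        return arg, pos
    if major == 1:                      # negative integer
        return -1 - arg, pos
    if major in (2, 3):                 # byte string / text string
        if pos + arg > len(buf):
            raise ValueError("string length runs past the end of the data")
        chunk = buf[pos:pos + arg]
        return (chunk if major == 2 else chunk.decode("utf-8")), pos + arg
    if major == 4:                      # array
        items = []
        for _ in range(arg):
            item, pos = _decode_item(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:                      # map
        result = {}
        for _ in range(arg):
            key, pos = _decode_item(buf, pos)
            value, pos = _decode_item(buf, pos)
            result[key] = value
        return result, pos
    if major == 7 and arg in (20, 21, 22):  # false / true / null
        return {20: False, 21: True, 22: None}[arg], pos
    raise ValueError(f"unsupported CBOR major type {major} / argument {arg}")


def decode_cbor(buf: bytes):
    value, end = _decode_item(buf, 0)
    if end != len(buf):
        raise ValueError("trailing bytes after the CBOR item")
    return value


def check_microsoft_requirements(getinfo_response: bytes) -> dict:
    """Evaluate a CTAP2 authenticatorGetInfo response against the requirements table.

    getInfo map keys: 1 versions, 2 extensions, 3 aaguid, 4 options. The clientPin option is
    present (true or false) when the key supports a PIN; absent means it does not.
    """
    info = decode_cbor(getinfo_response)
    versions, extensions, options = info.get(1, []), info.get(2, []), info.get(4, {})
    return {
        "fido2": any(v.startswith("FIDO_2_") for v in versions),
        "resident_key": options.get("rk", False) is True,
        "client_pin": "clientPin" in options,
        "hmac_secret": "hmac-secret" in extensions,
        "aaguid": str(uuid.UUID(bytes=info[3])) if 3 in info else None,
    }


def meets_microsoft_requirements(getinfo_response: bytes) -> bool:
    r = check_microsoft_requirements(getinfo_response)
    return r["fido2"] and r["resident_key"] and r["client_pin"] and r["hmac_secret"]


def _tstr(s: str) -> bytes:
    """CBOR text string for lengths under 24 (enough for the constructed samples)."""
    return bytes([0x60 | len(s)]) + s.encode()


# Constructed getInfo responses (not captured from real keys). The AAGUID is the one this page
# lists for the Feitian ePass K9; the option values are illustrative.
SAMPLE_AAGUID = uuid.UUID("ee041bce-25e5-4cdb-8f86-897fd6418464").bytes
COMPLIANT_GETINFO = (
    b"\xa4"                                                      # map(4)
    + b"\x01\x82" + _tstr("FIDO_2_0") + _tstr("U2F_V2")          # 1: versions
    + b"\x02\x82" + _tstr("hmac-secret") + _tstr("credProtect")  # 2: extensions
    + b"\x03\x50" + SAMPLE_AAGUID                                # 3: aaguid, bstr(16)
    + b"\x04\xa4" + _tstr("rk") + b"\xf5" + _tstr("clientPin") + b"\xf4"
    + _tstr("up") + b"\xf5" + _tstr("uv") + b"\xf4"              # 4: options (PIN supported, not yet set)
)
# A FIDO2 key without the optional pieces: no resident keys, no PIN, no hmac-secret.
MINIMAL_GETINFO = (
    b"\xa3"
    + b"\x01\x81" + _tstr("FIDO_2_0")
    + b"\x03\x50" + SAMPLE_AAGUID
    + b"\x04\xa1" + _tstr("up") + b"\xf5"
)

if __name__ == "__main__":
    print(check_microsoft_requirements(COMPLIANT_GETINFO))
    print("compliant:", meets_microsoft_requirements(COMPLIANT_GETINFO))
    print("minimal:", meets_microsoft_requirements(MINIMAL_GETINFO))
```

In practice the getInfo bytes come from a CTAP client such as the FIDO_2 tooling on the platform rather than from a constructed literal; the decoder is deliberately limited to the integer, string, array, map and boolean types that getInfo actually uses and rejects anything else.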

The other half of that statement, the verified piece, is based on Microsoft’s requirements for testing the FIDO2 security key. The entire process is outlined here, Become a Microsoft-Compatible FIDO2 Security Key Vendor for sign-in to Azure AD | Microsoft Docs. Vendor keys that meet the compatible piece but have not been submitted for verification will fail enrollment. In Azure AD, you can disable Enforce attestation under the FIDO2 Security Key settings to allow non-verified keys to enroll.
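The attestation check is what makes a key “verified” or not at enrollment time: the registration carries the authenticator’s AAGUID (the value this post lists as AADGUID for each key), and the relying party decides whether that authenticator is acceptable. The following is an added example, not code from the original post or from Microsoft, that parses WebAuthn authenticator data, extracts the AAGUID, and evaluates the registration under an “enforce attestation” on/off switch. The allow-list holds three AAGUIDs quoted from this page and is a stand-in for Microsoft’s verified set; the real Azure AD check also validates the attestation statement signature against FIDO metadata, which is not reproduced here. The authenticator data and the relying-party ID `login.microsoft.com` are constructed for the example, not captured from a key.

```python
import hashlib
import struct
import uuid

# AAGUIDs quoted from the per-key entries on this page. Constructed allow-list for the example;
# Azure AD's real verified set is maintained by Microsoft.
VERIFIED_AAGUIDS = {
    "d41f5a69-b817-4144-a13c-9ebd6d9254d6",  # AuthenTrend ATKey.Card
    "ee041bce-25e5-4cdb-8f86-897fd6418464",  # Feitian ePass K9
    "3b1adb99-0dfe-46fd-90b8-7f7614a4de2a",  # GoTrust Idem Key
}

# Bits of the authenticator-data flags byte (WebAuthn authData layout).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN or biometric)
FLAG_AT = 0x40  # attested credential data follows
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split WebAuthn authenticator data into its fields.

    Layout: rpIdHash(32) | flags(1) | signCount(4) | [attestedCredentialData] | [extensions]
    attestedCredentialData: aaguid(16) | credentialIdLength(2, big-endian) | credentialId | COSE public key
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the fixed 37-byte header")
    flags = auth_data[32]
    parsed = {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
    }
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("AT flag set but attested credential data is truncated")
        parsed["aaguid"] = str(uuid.UUID(bytes=auth_data[37:53]))
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        if len(auth_data) < 55 + cred_len:
            raise ValueError("credentialId runs past the end of the data")
        parsed["credential_id"] = auth_data[55:55 + cred_len]
        # Remainder is the CBOR-encoded COSE key (plus extensions if FLAG_ED is set); left undecoded here.
        parsed["credential_public_key"] = auth_data[55 + cred_len:]
    return parsed


def evaluate_registration(auth_data: bytes, rp_id: str, enforce_attestation: bool,
                          verified_aaguids=frozenset(VERIFIED_AAGUIDS)) -> tuple:
    """Return (accepted, detail) for a registration under the given attestation-enforcement setting.

    Simplification: the AAGUID allow-list stands in for "is this a Microsoft-verified key";
    a full check also verifies the attestation statement signature against FIDO metadata.
    """
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not parsed["user_verified"]:
        return False, "user verification (client PIN or biometric) was not performed"
    if "aaguid" not in parsed:
        return False, "registration carries no attested credential data"
    if enforce_attestation and parsed["aaguid"] not in verified_aaguids:
        return False, f"AAGUID {parsed['aaguid']} is not in the verified set"
    return True, parsed["aaguid"]


def build_sample_auth_data(rp_id: str, aaguid: str, user_verified: bool = True) -> bytes:
    """Construct authenticator data for testing; not captured from a real key."""
    flags = FLAG_UP | FLAG_AT | (FLAG_UV if user_verified else 0)
    cred_id = b"constructed-credential-id"
    x, y = bytes(range(32)), bytes(range(32, 64))  # dummy P-256 coordinates
    # Minimal COSE_Key for ES256, CBOR-encoded by hand: {1: 2, 3: -7, -1: 1, -2: x, -3: y}
    cose_key = (b"\xa5" b"\x01\x02" b"\x03\x26" b"\x20\x01"
                + b"\x21\x58\x20" + x + b"\x22\x58\x20" + y)
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 0)
            + uuid.UUID(aaguid).bytes + struct.pack(">H", len(cred_id)) + cred_id + cose_key)


if __name__ == "__main__":
    rp = "login.microsoft.com"  # assumed relying-party ID for the example
    for name, aaguid in [("Feitian ePass K9", "ee041bce-25e5-4cdb-8f86-897fd6418464"),
                         ("SoloKeys Solo 1 Tap", "8976631b-d4a0-427f-5773-0ec71c9e0279")]:
        for enforce in (True, False):
            verdict = evaluate_registration(build_sample_auth_data(rp, aaguid), rp, enforce)
            print(f"{name}, enforce attestation={enforce}: {verdict}")
```

Run stand-alone, the verified K9 AAGUID is accepted either way, while the Solo 1 Tap AAGUID (listed later on this page, and unverified per that review) is rejected only while enforcement is on, which is the behaviour the review sections below describe for the Identiv and SoloKeys keys.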

Cost and Ease of Procurement for Testing

Even though purchasing at scale may provide for discounts, depending on the size and shape of the organization, key procurement cost is still important. I’ll be posting both the suggested/listed retail price from the manufacturer (if available), as well as the cost on Amazon.

My baseline for ease of procurement – can I purchase it, and is it readily available, on Amazon. If not, what did I have to go through to purchase the key. If the vendor primarily uses Amazon as its sales channel, that’s the price I’ll list.

Available Features and Management

I won’t dive into how all the other features, such as FIDO U2F, function, but I will indicate which models support features beyond FIDO2, as some organizations may have use cases beyond Azure AD for implementation. I’ll also highlight if any management software is available, but with a focus on FIDO2, PIN management and key reset can be done from within the native Windows 11 tooling, so software isn’t of significant importance.

Hardware Design, Build Quality and Features

A quick examination of the style and type of key, and any features that make it stand out, or fall behind, its competitors. I’ll also explore the ways in which the key can be carried around – will it (easily) attach to a lanyard, or does it belong on a keychain – and the ways in which the key can be used: USB, NFC, or Bluetooth.

The review will also indicate the FIDO Authenticator Certification Level, which you can find more information on here, Certified Authenticator Levels – FIDO Alliance.

Testing Methodology

For enrollment and management of the keys, I’m going to be using a Dell Inspiron 3482, from my stock of lab devices. It may not be a corporate fleet laptop, but it gets the job done.

The enrollment device is running Windows 11 Enterprise 21H2 and is Hybrid Azure AD joined. The same user account, which is a hybrid user, will be used across testing of all security keys.

I’ll be testing usage on a second laptop that is Azure AD Joined only, but part of the same Azure AD tenant. That device is a Dell Inspiron 3195 running Windows 10 Pro 21H2.

After enrollment I’ll test authentication on both the laptops, as well as a Windows device of the Azure AD tenant.

Finally, I’ll test the process of performing a factory reset on the key.

If a key supports multiple methods of use, such as USB, NFC, Bluetooth, I will test all methods for enrollment and use on all devices.

For NFC testing I’m using an ACS ACR1252U USB NFC Reader.

The Results

Images are not to scale, either individually or relative to each other.

AuthenTrend ATKey.Card

https://www.authentrend.com
AADGUID: d41f5a69-b817-4144-a13c-9ebd6d9254d6

| Form Factor | Cost | FIDO AL | USB |
|---|---|---|---|
| Card | $65 Amazon | Level 1 | A |

| Country of Origin | Body Style | Waterproof Rating |
|---|---|---|
| China | Plastic Clamshell | None |

The ATKey.Card is an interesting bit of technology. It’s the same height and width as an ID badge, however, it’s roughly 4.67x thicker. Along with that, it has a notch in the corner, but it’s not a typical location that an ID badge would be attached to a lanyard. The size also is not wide enough to accommodate the typical button-snap plastic loop of a badge holder; it’s designed for a smaller metal lanyard clip. While the AuthenTrend website shows some conceptual pictures of it hanging horizontal or vertical like a badge, it also will not easily fit within a plastic sleeve due to the width; you also need to be able to access the slide-out USB-A connector to charge and/or use the card.

With all of this, the card just feels a bit odd. The USB connector that extends from the side of it causes it to sag when inserted into a horizontal USB port; having something like this hanging off the side of a laptop seems like an easy breaking point. With all the technology packed into this card, I’m surprised it feels as light as it does in construction. There are multiple LEDs embedded into the card, which light up and flash in different patterns depending on what you are doing with the card. Per AuthenTrend, the ATKey.Card will last through 100-150 fingerprint authentications between charges.

Available Features and Management

As far as features go, from a connectivity standpoint, this card is king – supporting both USB, NFC, and BLE as the means for connecting to your Windows device.

The card itself is geared at FIDO2, but there is also support for FIDO U2F. There is a Windows Store app available from AuthenTrend for card management and providing firmware updates; I’m not sure how often firmware becomes available, but the card was up to date when I checked.

Enrollment and Usage

Fingerprint enrollment was easier using the standalone enrollment mode on the key, helped by reading the directions. The Windows interface for fingerprint biometrics indicates to “lift and touch” the fingerprint reader several times, but when you look through the enrollment directions for the ATKey.Card, it indicates to rub your finger in a circular motion on the reader. There are also several LED colors and patterns that the key may show depending on what you want to do with the card and what state it is in – these are useful, but to someone who hasn’t used this card before, it would be confusing to drop onto an end user without proper training.

The key enrolled in Azure AD without issue once I figured out how to operate it.

The key worked consistently after enrollment without issue.

The key was factory reset without issue.


Feitian ePass K9

https://www.ftsafe.com/
AADGUID: ee041bce-25e5-4cdb-8f86-897fd6418464

| Form Factor | Cost | FIDO AL | USB |
|---|---|---|---|
| Key | $25 USD / $25 Amazon | Level 1 | A |

| Country of Origin | Body Style | Waterproof Rating |
|---|---|---|
| China | Injection Molded | IP67 |

If you are looking for a vendor that has almost any permutation available of how one might want a FIDO2 security key to look, look no further than Feitian. Examining the ePass K9 key, it has your typical injection-molded design, with a capacitive touch sensor on the top, and an LED light beneath. A slightly curved body lends a bit more of an actual key shape to the ePass K9. The quality of the key feels durable and of high build quality.

Available Features and Management

The ePass K9 also supports FIDO U2F, as well as HOTP. There is software available for key management, which is needed for HOTP.

Enrollment and Usage

The key enrolled in Azure AD without issue.

The key worked consistently after enrollment without issue.

The key was factory reset without issue.


Feitian MultiPass K16

https://www.ftsafe.com/
AADGUID: 310b2830-bd4a-4da5-832e-9a0dfc90abf2

| Form Factor | Cost | FIDO AL | USB |
|---|---|---|---|
| Key | $34 USD / $34 Amazon | Level 1 | A |

| Country of Origin | Body Style | Waterproof Rating |
|---|---|---|
| China | Plastic Clamshell | None |

The MultiPass K16 resembles more of a HID key fob than your typical security key, both in shape and size. The weight of the fob feels well in hand, and it has a generous loop to put it on a keychain or lanyard. The K16 has a Micro USB 2.0 B socket and comes with a short USB-A cable for charging. There is a power LED, an authentication LED, and a Bluetooth LED, along with a single large button in the middle.

Available Features and Management

The MultiPass K16 also supports FIDO U2F.

Where the key falls short is in marketing – depending on where you look, it’s hard to determine what methods are available per operating system. While Windows does have Bluetooth support for security keys, Feitian does not support Windows with this device. Oddly, you can still pair this key with Windows, but you’ll receive a device state error from Windows when attempting to use Bluetooth.

Enrollment and Usage

The key enrolled in Azure AD without issue.

The key worked consistently after enrollment without issue. Given the lack of Windows Bluetooth support, it primarily seems designed to be used as an NFC key, but FIDO2 also works with it plugged in via the USB cable.

The key was factory reset without issue.


Feitian MultiPass K32

https://www.ftsafe.com/
AADGUID: 310b2830-bd4a-4da5-832e-9a0dfc90abf2

| Form Factor | Cost | FIDO AL | USB |
|---|---|---|---|
| Key | $35 USD / $35 Amazon | Level 1 | C |

| Country of Origin | Body Style | Waterproof Rating |
|---|---|---|
| China | Plastic Clamshell | None |

The MultiPass K32 is somewhat of a USB-C counterpart to the K16, but in execution the key is disappointing. The weight of the fob feels well in hand, about the same as the K16, and it has a similar loop to put it on a keychain or lanyard. The K32 has a USB-C connector underneath the bottom cover, which can be used for both charging and authentication. While it has the benefit of not requiring a USB cable, the trade-off is the flimsy USB-C connector cover. The cover has a small elastic band that is supposed to keep it attached to the device; however, after 6 uses, the band snapped. While the connector itself isn’t prone to any worse damage than the TrustKey or Yubico counterparts, the fact that it fails to meet its design spec is still a knock on it. The device has three LEDs, representing charging, Bluetooth, and authentication.

Available Features and Management

The MultiPass K32 also supports FIDO U2F.

Just like the K16, the device is unclear with the marketing – depending on where you look, it’s hard to determine what methods are available per operating system. While Windows does have Bluetooth support for security keys, Feitian does not support Windows with this device. Oddly, you can still pair this key with Windows, but you’ll receive a device state error from Windows when attempting to use Bluetooth.

Enrollment and Usage

The key enrolled in Azure AD without issue.

The key worked consistently after enrollment without issue. Given the lack of Windows Bluetooth support, it primarily seems designed to be used as an NFC key, but FIDO2 also works with it plugged into a USB port.

The key was factory reset without issue.


Feitian BioPass K27

https://www.ftsafe.com/
AADGUID: b6ede29c-3772-412c-8a78-539c1f4c62d2

| Form Factor | Cost | FIDO AL | USB |
|---|---|---|---|
| Key | $66 USD / $66 Amazon | Level 1 | A |

| Country of Origin | Body Style | Waterproof Rating |
|---|---|---|
| China | Unibody Metal | None |

The BioPass K27 could be the heaviest key out of those tested, but that weight provides a quality feel to its smooth metal body. It’s somewhere between a thumb drive and key style – the USB-A end is not a blade, and it’s thicker where the LED is, but the key flattens out by the biometric thumbprint reader. With an ample loop, it easily goes onto a keychain. The key comes with a plastic USB protective cover, but since it’s not attached to the key body, it’s likely to get lost.

Available Features and Management

The BioPass K27 also supports FIDO U2F.

Enrollment and Usage

The key enrolled in Azure AD without issue.

The key worked consistently after enrollment without issue; it does tend to stick in some USB ports, requiring a more than usual amount of force to remove.

The key was factory reset without issue.


Feitian Fingerprint Card

https://www.ftsafe.com/
AADGUID: 8c97a730-3f7b-41a6-87d6-1e9b62bda6f0

| Form Factor | Cost | FIDO AL | USB |
|---|---|---|---|
| Key | $70 USD | Level 1 | |

| Country of Origin | Body Style | Waterproof Rating |
|---|---|---|
| China | Credit Card (CR80 / ID-1) | None Indicated |

When you first see it, the Feitian Fingerprint Card looks like it’s the luxury version of AuthenTrend ATKey.Card. Looks can be deceiving. When working with customers in the past on FIDO2 implementations and testing with Azure AD, many that were familiar with smart cards wanted a security key like this – something that can go on a lanyard, be potentially integrated with a corporate ID, and supports NFC.

The card itself packs a lot of technology into a body the same dimensions as a credit card, having Bluetooth, NFC, status LEDs and a fingerprint reader. Because it is a Java Card Operating System (JCOS) device, there is likely a mix of technologies you could implement on the card beyond it just being a security key. On the other side of the demo unit, there is an example print of an ID badge, showing organizations that this has a lot of potential flexibility. Physically the card feels exactly as one would expect, with the same flexibility and feel as your typical plastic credit card. The LEDs provide status relative to operation and success (green), Bluetooth (blue) and any errors (red). Note that the card itself has no battery within it and requires a USB holder to provide power for Bluetooth support.

Card with the Bluetooth power accessory.

Available Features and Management

Feitian does not indicate on their datasheet whether there is any further out-of-the-box support beyond FIDO2, but as noted they design this to be flexible as far as card programming goes, even though that certainly ramps up the potential cost and complexity beyond FIDO2.

Testing the card purely as a security key, the enrollment of a fingerprint on the card is complex. Natively in Windows, the card was never recognized as having a fingerprint reader, so when going into the security key options, there is nothing available for fingerprint management. This leaves us with Bluetooth, the power adapter, and the mobile app for enrollment. Note that Feitian has three similar-looking apps in the Apple App Store for managing fingerprints, but only one works with this card, which is here, Fingerprint Card Manager on the App Store (apple.com). You can enroll up to eight fingerprints on the card per Feitian, but I did not test more than one.

Enrollment and Usage

The key enrolled in Azure AD without any issue on the Azure AD side, however, it was a bit finicky on the NFC reader, and even though it would power up, at certain angles it would seem to not be recognized and Windows would throw an error. Note that I was not using a Feitian NFC reader, but the reader has had no issues with other NFC security keys.

The key worked consistently after enrollment without issue prior to enrolling a fingerprint.

After fingerprint enrollment, again, the key would be fussy as to how it was placed on the NFC reader, and even though it would have power the entire time, Windows would time out the authentication. The key had to stay motionless on the NFC reader while you are performing biometric authentication with your finger.

Interestingly you can Bluetooth pair the key to your Windows device, but it can’t be used as a Bluetooth security key. I’m not sure it really matters considering at that point you’ve plugged it into a USB port anyway. And speaking of USB, the power adapter is just that – using the adapter as a means of USB for authentication is not an option.

The key was factory reset without issue.


GoTrust Idem Card

https://www.gotrustid.com
AADGUID: 9f0d8150-baa5-4c00-9299-ad62c8bb4e87

| Form Factor | Cost | FIDO AL | USB |
|---|---|---|---|
| Key | $60 Amazon | Level 1 | |

| Country of Origin | Body Style | Waterproof Rating |
|---|---|---|
| Unknown | Credit Card (CR80 / ID-1) | None Indicated |

The Idem Card, like the Feitian Fingerprint Card, packs a lot of technology into a small footprint. Unlike the Fingerprint Card, the Idem Card swaps out biometrics for an integrated battery. The overall design is both nice in quality and unassuming. Along the right side of the card is a touch sensor for turning on Bluetooth, and there are three integrated LEDs: red and green for charge status, and blue for Bluetooth status. GoTrust indicates one charge will take two hours and can handle up to ten authentications a day for up to 60 days, or standby for 120 days.

Along with the card there is a USB-A charging adapter included. The adapter itself has a quality feel to it. The one negative – while the USB cable stores itself in the adapter, it’s so short that depending on the orientation of the USB port, the adapter may be upside-down. This can interfere with the visual of the LED charging light status.

The included charging adapter

Available Features and Management

Along with FIDO2, it supports FIDO U2F and provides smartcard support.

The card is FIPS 140-2 compliant, but note that unlike the Idem Key, the Idem Card is only a FIDO Certified Authenticator Level 1.

Enrollment and Usage

Prior to enrollment through Bluetooth, you need to pair the key to your Windows device. It’s a bonus that the key presents itself with Idem Card in its Bluetooth device name, making it easy to pick out of the list, and the pairing code is printed on the back. Pairing is easy once you’ve read the directions, but unfortunately the QR code on the bottom of the packaging brings you to a 404 page on the GoTrust site, which is where they indicate you can find said directions. This I’ll be reaching out to them about.

After pairing, a simple tap on the Touch here part of the card turns on Bluetooth. For NFC, you don’t need to provide any touch, and as an NFC card it worked excellently regardless of how it was oriented on the reader.

The key enrolled in Azure AD without issue with both NFC and Bluetooth. Note that the provided adapter is only for power; you can’t use it as a means of key enrollment or usage via USB.

The key worked consistently after enrollment without issue.

The key was factory reset without issue.


GoTrust Idem Key

https://www.gotrustid.com
AADGUID: 3b1adb99-0dfe-46fd-90b8-7f7614a4de2a

| Form Factor | Cost | FIDO AL | USB |
|---|---|---|---|
| Key | $22 Amazon | Level 2 | A (C) |

| Country of Origin | Body Style | Waterproof Rating |
|---|---|---|
| Taiwan | Injection Molded | IP68 |

Looking at it, the Idem Key is nearly identical to most other FIDO2 security keys, albeit this key has a slightly contoured design on the top and is of slightly larger dimensions. Same standard exposed blade, same capacitive touch sensor depressed into the top of the key. The key has an LED under the sensor; overall quality feels high.

The only spot where I would mark it slightly lower than its competition: the blue LED is not particularly noticeable when plugged in. It might seem like nitpicking, but when all the keys are so similar, the trivial things are what you notice.

Available Features and Management

Along with FIDO2, it supports FIDO U2F and certificates to be used as a smartcard.

This is one of the two keys tested that is FIDO Certified Authenticator Level 2 and is FIPS 140-2 compliant.

Enrollment and Usage

The key enrolled in Azure AD without issue.

The key worked consistently after enrollment without issue.

The key was factory reset without issue.


Hypersecu HyperFIDO

https://www.hypersecu.com
AADGUID: 9f77e279-a6e2-4d58-b700-31e5943c6a98

| Form Factor | Cost | FIDO AL | USB |
|---|---|---|---|
| Thumb drive | $19 Amazon | Level 1 | A |

| Country of Origin | Body Style | Waterproof Rating |
|---|---|---|
| Unknown | Unibody Metal | None |

The HyperFIDO key stands out from the crowd because it looks more like a USB thumb drive than a FIDO2 security key. With a rectangular metal body, the top provides a mechanical button as the mechanism for proving presence; there is also a small LED next to it. Even though the key is not of the normative form factor, it’s still small, and can easily hang from a keychain. The key has the expected weight to it; it feels high-quality and nice in the hand.

Available Features and Management

The HyperFIDO key supports both FIDO2 and FIDO U2F, as well as HOTP with the Hypersecu HOTP Programmer software.

Enrollment and Usage

The key enrolled in Azure AD without issue.

The key worked consistently after enrollment without issue.

The key was factory reset without issue.


Identiv uTrust FIDO2 NFC

https://www.identiv.com
AADGUID: 73402251-f2a8-4f03-873e-3cb6db604b03

| Form Factor | Cost | FIDO AL | USB |
|---|---|---|---|
| Key | $21 USD / $14 Amazon | Level 1 | A |

| Country of Origin | Body Style | Waterproof Rating |
|---|---|---|
| United States | Injection Molded | None |

The Identiv uTrust FIDO2 NFC distinguishes itself from the group with a glossy-white injection molded key design. The USB-A model has the standard exposed blade, and the capacitive touch sensor has a multi-color LED integrated within. The key is just slightly larger than the rest of the competition but offers a generous keyring opening on the end. It is the only key that, with a little effort, can fit onto the loop of your standard badge lanyard. The key feels of high-quality and has a nice weight to it in hand.

Available Features and Management

The NFC+ supports FIDO2 as well as FIDO U2F, HOTP, TOTP, and PIV. Unfortunately, despite searching their site, I was not able to find a download link to their uTrust Key Manager software, which is needed to use/manage some of the features. Focusing just on FIDO2, that does not matter as I was able to manage the key with Windows native tools.

Where things go downhill as far as features – when you dig into their documentation, you find out that NFC is only for PIV. This answers why, when trying to enroll the key through NFC, it would continually fail. However, being someone who just rips the package open and gives the key a whirl, I was confused at first; the name is misleading considering the limitations.

There is a Gov model that is FIPS 140-3.

Enrollment and Usage

After getting past the fact that the FIDO2 functionality of the key does not support NFC, the other wall I hit is that the key is not Microsoft verified. And while Microsoft does not indicate this brand on their list, if you look at this site, Works with uTrust FIDO – Identiv, they indicate Azure AD on there. I’ll be reaching out to Identiv to see if this is in process and will update this review accordingly.

Update 9/1/22: I’ve attempted to reach out to Identiv regarding their lack of Azure AD verification, opening both a support case as well as reaching out on Twitter. Unfortunately, I have not heard back from them.

Aside from the enrollment issues, once I disabled attestation in Azure AD, I was able to enroll the key without problems.

The key worked consistently after enrollment without issue.

The key was factory reset without issue.


SoloKeys Solo 1 Tap

https://solokeys.com/
AADGUID: 8976631b-d4a0-427f-5773-0ec71c9e0279

| Form Factor | Cost | FIDO AL | USB |
|---|---|---|---|
| Key | $35 USD | Level 1 | A |

| Country of Origin | Body Style | Waterproof Rating |
|---|---|---|
| Italy | PCB with Silicon Sleeve | None |

SoloKeys started as a Kickstarter campaign back in 2018, with the Solo and Solo Tap, and since then has garnered enough success to work on a Solo V2 model. Driven by the desire to have an open-source security key, the code for the device is made available, but to be clear, the Solo 1 Tap is locked down as would any other security key be.

The Solo 1 Tap is very similar in size and shape to its key-shaped counterparts, if just slightly thicker once you slide the silicon sleeve over it; the one I received came with a red and black sleeve. The USB-A model sports your typical exposed blade, and the device has a mechanical touch sensor that sits under the S logo on the sleeve. Two LED status lights illuminate from underneath the silicon. The key has a quality construction feel to it, even though the silicon case could be potentially polarizing from a design perspective.

Available Features and Management

The Solo 1 Tap supports FIDO2 as well as FIDO U2F.

Enrollment and Usage

The most prominent hurdle is that this key is not Microsoft verified. While neither Microsoft nor SoloKeys claims that it is, using an unverified key requires disabling attestation in Azure AD. Understandably that was likely not a priority when first launching the product, but I would love to see it go through the rounds with Microsoft so that there is easier integration. I’ll reach out to SoloKeys to see if that’s on their roadmap.

Aside from the need to disable attestation, I was able to enroll the key without problems, both using USB and NFC.

The key worked consistently with USB and NFC after enrollment without issue.

The key was factory reset without issue.


Thetis FIDO2 Security Key

https://thetis.io
AADGUID: bbf4b6a7-679d-f6fc-c4f2-8ac0ddf9015a

| Form Factor | Cost | FIDO AL | USB |
|---|---|---|---|
| Thumb drive | $31 USD / $32 Amazon | Level 1 | A |

| Country of Origin | Body Style | Waterproof Rating |
|---|---|---|
| China | Plastic unibody with metal housing | None |

With a black aluminum body and swivel mechanism, the Thetis BLE FIDO2 Security Key stands out from the crowd, not only in form factor, but in size. It’s a plastic body in thumb drive style, which is protected with the aluminum outer body. The top of the key is equipped with a button that is used for presence detection, and that button also has a blue LED light embedded within it. The top of the key has the standard notch necessary to attach it to a keychain.

Compared to the other thumb drive style key in this test, and to most of the other keys, this one has a lot of bulk to it – both due to the thickness of the aluminum outer body, but also the inner key itself. The reason, though, is because this is one of the few keys to support Bluetooth; the key has a battery within it.

Available Features and Management

The Thetis key supports FIDO2 as well as FIDO U2F, and with associated Thetis Key Manager software can provide HOTP and TOTP. The key can be reset, and the PIN changed within the software as well.

As noted, this is one of the few keys that provides Bluetooth for FIDO2.

Enrollment and Usage

Enrolling the Thetis key through either Bluetooth or USB worked the first time. Pairing of the key could have been slightly improved, because the device presents itself with its serial number when trying to pair it; it would stand out more if it prefaced itself with something like Thetis.

Aside from the initial pairing confusion, using the Thetis key via Bluetooth was easy: you just press the button on the top of it to turn it on. I also appreciate that if you insert it into another computer via USB, it turns off Bluetooth.

Obviously the one downside to Bluetooth is that you need to sign into the device to be able to initially pair, so for a workforce moving between devices frequently, they’ll have to either use USB or another mechanism for that initial authentication.

The key worked consistently after enrollment without issue.

The key was factory reset without issue.


Token2 T2F2-Bio

https://www.token2.com
AADGUID: ab32f0c6-2239-afbb-c470-d2ef4e254db7

| Form Factor | Cost | FIDO AL | USB |
|---|---|---|---|
| Thumb drive | $37 USD | Level 1 | A |

| Country of Origin | Body Style | Waterproof Rating |
|---|---|---|
| Unknown | Plastic unibody with metal housing | None |

Not to be outdone by the Thetis key, the Token2 T2F2-Bio key is a monster in size – measuring lengthwise roughly 2.5″ (63mm) closed and 4″ (101mm) open. Like the Thetis, it has a plastic body in thumb drive style, protected with an aluminum outer body. When you swivel the key open, the fingerprint reader is exposed, and underneath the opaque plastic are two status LEDs. Relative to the size of the key, it feels of proper weight, and the build quality itself seems nice. If you really don’t love yourself, it has a loop for a keychain on the end.

While many biometric keys in the past have sported a larger size (the Feitian BioPass K27, for example), Yubico has recently shown it doesn’t have to be this way: by rough volume, you could fit 10 YubiKey Bio keys in the same space as one T2F2-Bio.


Available Features and Management

The T2F2-Bio supports FIDO2 as well as FIDO U2F, and with the associated Token2 companion software it can also provide HOTP and TOTP.

Enrollment and Usage

The key enrolled in Azure AD without issue.

The key worked consistently from an authentication standpoint; however, the fingerprint reader does seem a bit more finicky than others, and a few times it initially did not want to read my fingerprint.

The key was factory reset without issue.


Token2 T2F2-mini

https://www.token2.com
AAGUID: 833b721a-ff5f-4d00-bb2e-bdda3ec01e29

Form Factor: Nano key
Cost: $18 USD
FIDO ALMS Verified: Level 1
Biometric: No
USB: A
NFC: No
BT: No
Country of Origin: Unknown
Body Style: Laminated PCB
Waterproof Rating: None

Like the YubiKey 5 Nano, this key is designed to be left in the device, thanks to its nano form factor. Slightly larger than the 5 Nano, the T2F2-mini is also easier to remove from a USB port when needed, mostly thanks to the little “wings” on the end. When I received this key it looked quite familiar, and while I do not have definitive proof, it looks very much like a rebadged Feitian K10; Feitian is known to manufacture security keys for other companies. That said, even if it is a rebadged Feitian, it comes in a few dollars cheaper than the K10.

The end of the key is the capacitive touch sensor, and on the underside of it a blue LED will glow when the key is plugged in. The build quality is solid, not that there is much really to a key this small.

Available Features and Management

The T2F2-mini supports FIDO2 as well as FIDO U2F and HOTP.

Enrollment and Usage

The key enrolled in Azure AD without issue.

The key worked consistently after enrollment without issue.

The key was factory reset without issue.


Token2 T2F2-NFC-Slim

https://www.token2.com
AAGUID: ab32f0c6-2239-afbb-c470-d2ef4e254db7

Form Factor: Slim key
Cost: $18 USD
FIDO ALMS Verified: Level 1
Biometric: No
USB: A
NFC: Yes
BT: No
Country of Origin: Unknown
Body Style: Plastic Clamshell
Waterproof Rating: None

The T2F2-NFC-Slim is Token2’s take on a smaller NFC-enabled key. While they also sell the T2F2-NFC, that key has a large thumb-drive-style form factor. This key is about as slim as the TrustKey models but not as thin as a YubiKey, presumably because of the manufacturing style (plastic clamshell versus injection molded). It stands out with graphics printed on the matte case, and it feels lighter than it looks. There is a capacitive touch sensor on the outer edge next to the keychain hole, and a white status LED on that same end of the key.

Available Features and Management

The T2F2-NFC-Slim supports FIDO2 as well as FIDO U2F and, with the associated companion software, HOTP and TOTP.

Enrollment and Usage

The key enrolled in Azure AD without issue.

The key worked consistently as a USB security key. Over NFC, I found the key to be a bit particular in usage: it would only work consistently when placed on the NFC reader with the USB contacts face down; face up it seemed to struggle to stay connected, even after adjusting the placement. Considering I’ve had no issues with other NFC devices, I’m not sure if my test key is just an odd one out or if there is a design flaw here.

The key was factory reset without issue.


TrustKey T110

https://www.trustkeysolutions.com
AAGUID: da776f39-f6c8-4a89-b252-1d86137a46ba

Form Factor: Key
Cost: $16 USD (direct) | $16 (Amazon)
FIDO ALMS Verified: Level 1
Biometric: No
USB: A
NFC: No
BT: No
Country of Origin: South Korea
Body Style: Plastic Clamshell
Waterproof Rating: None

The TrustKey T110 is a very standard-looking, key-shaped FIDO2 security key: a typical exposed USB-A blade, a capacitive touch sensor on top, and a typical size. There is a status light above the touch sensor. Overall, the key feels good in hand and of a high-quality build.

The only notable downside: the key is of a clamshell design, which one could theorize may not be as durable long-term as an injection-molded body.

Available Features and Management

The T110 supports both FIDO2 and FIDO U2F. With the TrustKey Key Manager software, it also supports TOTP and HOTP.

The T110 is FIPS 140-2 compliant.

Enrollment and Usage

The key enrolled in Azure AD without issue.

The key worked consistently after enrollment without issue.

The key was factory reset without issue.


TrustKey G320H

https://www.trustkeysolutions.com
AAGUID: 87dbc5a1-4c94-4dc8-8a47-97d800fd1f3c

Form Factor: Key
Cost: $45 USD
FIDO ALMS Verified: Level 2
Biometric: Yes
USB: C
NFC: No
BT: No
Country of Origin: South Korea
Body Style: Plastic Clamshell
Waterproof Rating: None

Similar in shape to the T110, the TrustKey G320H is the sibling that supports biometric authentication. A stubby USB-C connector sticks out of the end, and the fingerprint sensor sits on top of the device in place of the usual capacitive touch sensor, with the same status LED above it. Overall, the key feels good and of a high-quality build.

TrustKey was one of the first vendors to have a biometric FIDO2 security key on the market.

The only notable downside: the key is of a clamshell design, which one could theorize may not be as durable long-term as an injection-molded body.

When I purchased the G320H, it was available on Amazon, but at the time of posting this, I only can find it directly available from TrustKey.

Available Features and Management

The G320H supports both FIDO2 and FIDO U2F. With the TrustKey Key Manager software, it also supports TOTP and HOTP.

This is one of the two keys tested that are FIDO Certified Authenticator Level 2, and it is FIPS 140-2 compliant.

Enrollment and Usage

The key enrolled in Azure AD without issue.

The key worked consistently after enrollment without issue.

The key was factory reset without issue.


Yubico YubiKey 5 NFC

https://www.yubico.com
AAGUID: 2fc0579f-8113-47ea-b116-bb5a8db9202a

Form Factor: Key
Cost: $45 USD (direct) | $45 (Amazon)
FIDO ALMS Verified: Level 1
Biometric: No
USB: A
NFC: Yes
BT: No
Country of Origin: United States or Sweden
Body Style: Injection Molded
Waterproof Rating: IP68

The YubiKey 5 NFC is probably the best-known security key. It has the classic exposed USB-A blade and the capacitive touch sensor on top; the Yubico “Y” logo lights up green when the key is inserted into a USB port, letting you know it is seated properly. The whole key feels high quality in hand, and it slips onto a keychain with ease.

Available Features and Management

Like its siblings in the YubiKey 5 range, the 5 NFC offers FIDO2 as well as FIDO U2F, HOTP, TOTP, smartcard (PIV), OpenPGP, and a static password; some of those features require the YubiKey Manager software to configure.

There is a FIPS 140-2 version that costs $55 USD.

Enrollment and Usage

The key enrolled in Azure AD without issue.

The key worked consistently after enrollment without issue.

The key was factory reset without issue.


Yubico YubiKey 5C

https://www.yubico.com
AAGUID: ee882879-721c-4913-9775-3dfcce97072a

Form Factor: Mini key
Cost: $50 USD (direct) | $50 (Amazon)
FIDO ALMS Verified: Level 1
Biometric: No
USB: C
NFC: No
BT: No
Country of Origin: United States or Sweden
Body Style: Injection Molded
Waterproof Rating: IP68

The YubiKey 5C is the only mini-key form factor tested, and it is what I would consider properly sized for a mini key; the USB-C connector helps shrink the width. It has an injection-molded, semi-gloss black body with a small and slightly hard-to-notice LED on the corner by the keychain hole. The capacitive touch sensors are on the sides of the body. The key feels high quality, is light, as one would expect for a small key, and fits onto a keychain without issue.

With only a five-dollar difference, the real trade-off compared to its bigger sibling is NFC support versus size. But like the 5 NFC, this key sits toward the higher price point: it is a $50 key that provides USB only.

Available Features and Management

Like its siblings in the YubiKey 5 range, the 5C offers FIDO2 as well as FIDO U2F, HOTP, TOTP, smartcard (PIV), OpenPGP, and a static password; some of those features require the YubiKey Manager software to configure.

There is a FIPS 140-2 version that costs $70 USD.

Enrollment and Usage

The key enrolled in Azure AD without issue.

The key worked consistently after enrollment without issue.

The key was factory reset without issue.


Yubico YubiKey 5 Nano

https://www.yubico.com
AAGUID: ee882879-721c-4913-9775-3dfcce97072a

Form Factor: Nano key
Cost: $50 USD (direct) | $50 (Amazon)
FIDO ALMS Verified: Level 1
Biometric: No
USB: A
NFC: No
BT: No
Country of Origin: United States or Sweden
Body Style: Injection Molded
Waterproof Rating: IP68

If you took a YubiKey and sawed off the USB blade, you would have the YubiKey 5 Nano. The nano form factor really suits scenarios where the key is left in the system. Most of the body is the USB connector, with a small sliver of plastic with Yubico emblazoned on it, the capacitive touch presence sensor on the end, a tiny loop hole, and a tiny status LED on the side of the device.

It may be obvious, but because of its size the primary use case of the 5 Nano is a device where the key is left in place; think of something like a Windows Hello for Business alternative where the credential stays with the device. Keep in mind that a key left in the device travels with the device, so the FIDO2 PIN becomes the only thing separating a lost or stolen laptop from the credential on the key. The loop hole on the end is too small for most keychains, and depending on how the host device is built, the key can sit recessed inside the port. On one test device I had to use a bent paperclip to remove it.

Available Features and Management

Like its siblings in the YubiKey 5 range, the 5 Nano offers FIDO2 as well as FIDO U2F, HOTP, TOTP, smartcard (PIV), OpenPGP, and a static password; some of those features require the YubiKey Manager software to configure.

There is a FIPS 140-2 version that costs $70 USD.

Enrollment and Usage

The key enrolled in Azure AD without issue.

The key worked consistently after enrollment without issue, but again note how hard the key can be to remove.

The key was factory reset without issue.


Yubico YubiKey Bio – FIDO Edition

https://www.yubico.com
AAGUID: d8522d9f-575b-4866-88a9-ba99fa02f35b

Form Factor: Key
Cost: $80 USD
FIDO ALMS Verified: Level 1
Biometric: Yes
USB: A
NFC: No
BT: No
Country of Origin: United States or Sweden
Body Style: Injection Molded
Waterproof Rating: IP68

Good things come to those who wait. The YubiKey Bio – FIDO Edition is the first biometric entry from Yubico, and it’s a pretty slick package. This is the only biometric key tested that comes with a waterproof rating, likely thanks to its injection-molded build. Where other YubiKeys have the capacitive touch reader with the Yubico “Y” logo, this one has the fingerprint reader. Above the reader are two integrated LEDs, one green and one amber, that indicate the key’s status to the user. With the same dimensions as the YubiKey 5 NFC, it has a nice weight to it and feels of quality construction, as all Yubico products do.

It comes at a premium price, almost double the cost of the TrustKey G320H ($35 USD more), though Yubico does indicate there is a discount on bulk pricing.

Available Features and Management

Unlike its relatives in the YubiKey 5 family, the YubiKey Bio is limited to FIDO functionality (FIDO2 and FIDO U2F), which is presumably why Yubico highlights FIDO in the name. FIDO2 is all Azure AD needs, but it is worth noting if you also rely on PIV, OpenPGP, or OTP from your keys.

Enrollment and Usage

The key enrolled in Azure AD without issue.

The key worked consistently after enrollment without issue.

The key was factory reset without issue.
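Each review above lists the key’s AAGUID because that value is what Azure AD’s FIDO2 key restrictions match on. The following Python is an added example, not code from this post or from any key vendor: it shows where the AAGUID comes from in a WebAuthn registration (the attested credential data inside authenticatorData) and evaluates it against an allow/block list shaped like the Azure AD policy. The rpIdHash and COSE public key in the constructed test blob are placeholders, and the allow/block evaluation is this example’s own reading of the policy semantics, not Microsoft’s implementation; the AAGUID values used are the ones listed for the YubiKey 5 NFC and TrustKey T110 above.

```python
"""Added example (not part of the original post or any vendor's code).

Extract the AAGUID from WebAuthn/FIDO2 registration authenticator data and
evaluate it against an allow/block list shaped like the Azure AD FIDO2
policy's keyRestrictions object. All input is constructed, so it runs offline.
"""
import struct
import uuid

# authenticatorData layout (WebAuthn Level 2, section 6.1):
#   rpIdHash(32) | flags(1) | signCount(4, big-endian) | attestedCredentialData
# attestedCredentialData, present only when the AT flag is set:
#   aaguid(16) | credentialIdLength(2, big-endian) | credentialId | credentialPublicKey (COSE)
FLAG_UP = 0x01  # user present (touch)
FLAG_UV = 0x04  # user verified (PIN or fingerprint checked on the key)
FLAG_AT = 0x40  # attested credential data included
ZERO_AAGUID = uuid.UUID(int=0)  # authenticators that decline to identify their model


def parse_aaguid(auth_data: bytes) -> uuid.UUID:
    """Return the AAGUID from registration authenticator data; ValueError otherwise."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte fixed header")
    if not auth_data[32] & FLAG_AT:
        raise ValueError("AT flag clear: no attested credential data, so no AAGUID (assertion, not registration?)")
    if len(auth_data) < 37 + 16 + 2:
        raise ValueError("attested credential data truncated before credentialIdLength")
    return uuid.UUID(bytes=auth_data[37:53])


def user_verified(auth_data: bytes) -> bool:
    """True when the key performed user verification (PIN or biometric)."""
    return bool(auth_data[32] & FLAG_UV)


def build_registration_auth_data(aaguid, credential_id: bytes,
                                 sign_count: int = 0, uv: bool = True) -> bytes:
    """Construct a minimal registration authenticatorData blob for testing.

    The rpIdHash and COSE key are constructed placeholders; a real relying party
    verifies the rpIdHash and parses the key, which is outside this example.
    """
    aaguid = uuid.UUID(str(aaguid))  # accept a UUID or its string form
    rp_id_hash = b"\x00" * 32        # placeholder, not a real SHA-256(rpId)
    flags = FLAG_UP | FLAG_AT | (FLAG_UV if uv else 0)
    cose_key_placeholder = b"\xa0"   # CBOR empty map standing in for the COSE public key
    return (rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)
            + aaguid.bytes + struct.pack(">H", len(credential_id))
            + credential_id + cose_key_placeholder)


def key_restrictions_allow(aaguid, policy: dict) -> bool:
    """Evaluate an AAGUID against a keyRestrictions-style policy dict.

    Fields mirror the Microsoft Graph fido2KeyRestrictions object:
    isEnforced, enforcementType ("allow" | "block"), aaGuids.
    The decision logic is this example's reading of those fields.
    """
    aaguid = uuid.UUID(str(aaguid))
    if not policy.get("isEnforced", False):
        return True
    listed = {uuid.UUID(g) for g in policy.get("aaGuids", [])}
    mode = policy.get("enforcementType", "allow")
    if mode == "allow":
        # An all-zero AAGUID carries no model identity, so it can never satisfy an allow-list.
        return aaguid != ZERO_AAGUID and aaguid in listed
    if mode == "block":
        return aaguid not in listed
    raise ValueError(f"unknown enforcementType {mode!r}")


def check_registration(auth_data: bytes, policy: dict) -> dict:
    """Parse the AAGUID from a registration blob and report the policy decision."""
    aaguid = parse_aaguid(auth_data)
    return {
        "aaguid": str(aaguid),
        "user_verified": user_verified(auth_data),
        "allowed": key_restrictions_allow(aaguid, policy),
    }


if __name__ == "__main__":
    # AAGUIDs taken from the reviews above: YubiKey 5 NFC and TrustKey T110.
    yubikey_5_nfc = "2fc0579f-8113-47ea-b116-bb5a8db9202a"
    trustkey_t110 = "da776f39-f6c8-4a89-b252-1d86137a46ba"
    allow_only_yubikey = {"isEnforced": True, "enforcementType": "allow",
                          "aaGuids": [yubikey_5_nfc]}
    print(check_registration(build_registration_auth_data(yubikey_5_nfc, b"\x01" * 32), allow_only_yubikey))
    print(check_registration(build_registration_auth_data(trustkey_t110, b"\x02" * 16), allow_only_yubikey))
```

In Azure AD the same check lives in the Authentication methods policy under the FIDO2 security key settings ("Enforce key restrictions" with an allow or block list of AAGUIDs), exposed in Microsoft Graph as the keyRestrictions property of the fido2 authenticationMethodConfiguration. Two caveats a practitioner should keep in mind: the AAGUID in authenticator data is self-asserted by the key, so an allow-list only means something when attestation is verified as well (the "Enforce attestation" setting), and a rebadged key may report the same AAGUID as the OEM model it is based on, so test the actual key you plan to deploy rather than trusting the model name.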


Final Notes

If your organization is not already on the path to exploring passwordless, you are falling behind. The journey to a passwordless environment is not always a short one. Many times, identifying and modernizing the underlying applications is the longest part of the journey. Organizations that find success in moving the needle on passwordless operate in a more agile fashion: find the places you can make the wins, find the ways to start implementation now, and help set the stage so that your organization is well positioned for strong authentication to keep growing.

If you are interested in understanding more about Microsoft’s position and how FIDO2 security keys fit into the picture, an episode of the Microsoft security podcast Security Unlocked has an excellent interview with Alex Weinert [@Alex_T_Weinert], Director of Identity Security at Microsoft. Check it out here: All Your Pa$$w0rd Are Belong to Us – Security Unlocked | Acast.

About this post’s featured image

The chosen photo is the work of Emiel Maters, used under the Unsplash license.

Eric Woodruff

Writing about all things identity and identity adjacent in the Microsoft ecosystem of Azure AD and Active Directory.