
2022

Choosing a FIDO2 Security Key

As I’ve been keeping up with my FIDO2 Security Key roundup (Azure AD: FIDO2 Security Key Roundup and Review – Eric on Identity), I’ve occasionally had folks ask me which key(s) I would recommend.

In the roundup, while it’s hard not to inject some subjectivity, I try to stay objective, which is why I don’t score or rank the keys. It would also be a lot more work.

By the end of this article I still won’t have ranked everything out there, but I hope the points below help organizations make informed decisions.

Note that any lists included within are in alphabetical order by brand and do not indicate an order of preference.

An Agile Refresh Of The Passwordless Strategy

Background

The Microsoft passwordless strategy guidance has existed since 2018 and remains a solid document. You can view the full doc here, Password-less strategy – Windows security | Microsoft Docs, but the focus usually lands on the four-step graphic at the top of that page:

Figure 1

The Microsoft passwordless strategy

When discussing the strategy with organizations, the focus is usually on Step 1, develop (deploy) password replacement offerings, and the technology involved: Windows Hello for Business, FIDO2 security keys, and Microsoft Authenticator app passwordless sign-in. After all, the strategy is presented as a stepped approach, so you start with the first step and then move on.

There are three primary issues with the approach:

  • Organizations read it as reinforcement that passwordless must be deployed in a waterfall approach.
  • Application authentication modernization is not emphasized strongly enough, so organizations do not right-size the effort required.
  • Organizations overlook the plural in “offerings” and focus on a requirement that one size must fit all.

While issue three is not specific to the approach as designed, many organizations take the waterfall approach with a single solution and then box themselves into deploying only that one solution, slowing down progress.

Authenticator App: iOS Multiple Passwordless Account Support Is Here!

For anyone who lives in a world of multiple Azure AD accounts and the Authenticator app, you can finally stop agonizing over which single account gets enabled for passwordless, or potentially stop carrying multiple devices.

Until now, you could enroll one Azure AD account and one personal Microsoft account (MSA) for passwordless in the Authenticator app. Even with multiple Azure AD accounts in the same tenant, only one could go passwordless.

With this update, not only can you go passwordless for multiple accounts in the same Azure AD tenant, but across multiple tenants as well.

Azure AD: Which SSO Is The Right SSO?

It’s great having choices, except when you are not sure which choice to make.

For organizations on a hybrid journey with Azure AD, the question of single sign-on (SSO) almost always comes up, and people turn to the documentation with questions. Do we need hybrid join? Do we need Azure AD Seamless SSO? Do we need both? Can we configure both? Why isn’t hybrid join listed as an SSO mechanism in the docs? If hybrid join is preferred, why is Azure AD Seamless SSO the one called “seamless”; isn’t that better?

While the docs do have one paragraph contrasting the two choices, Azure AD Connect: Seamless Single Sign-On – Microsoft Entra | Microsoft Docs, the question still comes up often. Which brings us here: gaining clarity on the SSO choices for Azure AD. To keep the article focused, we will explore SSO for corporate-owned, managed Windows devices that are joined to an Active Directory domain.

And for the camp that firmly believes everything should go straight to Azure AD Join (AADJ) and forget hybrid: this article is for those who have their reasons to stay with hybrid join for the moment, even though you should go cloud-native with AADJ.

Azure AD: FIDO2 Security Key Roundup And Review

Note

This is a stub for a post; the content has been moved to https://www.fido2reviews.com

This page previously had reviews for the following keys, which can now be found on https://www.fido2reviews.com

  • AuthenTrend ATKey.Card
  • Feitian ePass K9
  • Feitian MultiPass K16
  • Feitian MultiPass K32
  • Feitian BioPass K27
  • Feitian Fingerprint Card
  • GoTrust Idem Card
  • GoTrust Idem Key
  • Hypersecu HyperFIDO
  • Identiv uTrust FIDO2 NFC
  • Kensington VeriMark Guard
  • SoloKeys Solo 1 Tap
  • Thetis FIDO2 Security Key
  • Token2 T2F2-Bio
  • Token2 T2F2-mini
  • Token2 T2F2-NFC-Slim
  • TrustKey T110
  • TrustKey G320H
  • Yubico YubiKey 5 NFC
  • Yubico YubiKey 5C
  • Yubico YubiKey 5 Nano
  • Yubico YubiKey Bio – FIDO Edition