
Passwordless

Choosing a FIDO2 Security Key

As I’ve been keeping up with my FIDO2 Security Key roundup (Azure AD: FIDO2 Security Key Roundup and Review – Eric on Identity), people have occasionally asked me which key(s) I would recommend.

In the roundup I try to stay objective, even though some subjectivity inevitably creeps in, which is why I do not score or rank the keys. Ranking would also be a lot more work.

By the end of this article I still won’t have ranked everything on the market, but I hope the points below help organizations make informed decisions.

Note that any lists in this article are in brand alphabetical order and do not indicate an order of preference.

An Agile Refresh Of The Passwordless Strategy

Background

The Microsoft passwordless strategy guidance has existed since 2018 and remains a solid document. You can read the full doc here: Password-less strategy – Windows security | Microsoft Docs. The focus, though, usually lands on the four-step graphic at the top of that page:

Figure 1: The Microsoft passwordless strategy (four-step graphic from the Microsoft doc)

When discussing the strategy with organizations, the focus is usually on Step 1, develop (deploy) password replacement offerings, and the technology involved: Windows Hello for Business, FIDO2 security keys, and Microsoft Authenticator app passwordless sign-in. After all, the strategy is presented as a stepped approach, so you start with the first step and then move on.

There are three primary issues with reading the strategy this way:

  • Organizations treat the four steps as reinforcement that passwordless must be deployed in a waterfall approach.
  • Application authentication modernization is not emphasized strongly enough, so organizations under-estimate the effort it requires.
  • Organizations miss that Step 1 says offerings, plural, and end up looking for a single solution that must fit everyone.

While the third issue is not specific to the strategy as designed, many organizations take the waterfall approach with a single solution, then box themselves into deploying only that one solution, which slows progress.

Azure AD: FIDO2 Security Key Roundup And Review

Note

This post is now a stub; the content has moved to https://www.fido2reviews.com

This page previously carried reviews of the following keys, which can now be found on https://www.fido2reviews.com:

  • AuthenTrend ATKey.Card
  • Feitian ePass K9
  • Feitian MultiPass K16
  • Feitian MultiPass K32
  • Feitian BioPass K27
  • Feitian Fingerprint Card
  • GoTrust Idem Card
  • GoTrust Idem Key
  • Hypersecu HyperFIDO
  • Identiv uTrust FIDO2 NFC
  • Kensington VeriMark Guard
  • SoloKeys Solo 1 Tap
  • Thetis FIDO2 Security Key
  • Token2 T2F2-Bio
  • Token2 T2F2-mini
  • Token2 T2F2-NFC-Slim
  • TrustKey T110
  • TrustKey G320H
  • Yubico YubiKey 5 NFC
  • Yubico YubiKey 5C
  • Yubico YubiKey 5 Nano
  • Yubico YubiKey Bio – FIDO Edition

World Password Day

Forget passwords. Passwords are garbage. To celebrate World Password Day, I’m curating blog articles that can help organizations on their passwordless journey.

While much of the Microsoft documentation on passwordless is quite good, it can be overwhelming at times; the hope is to give you some leads to clear, step-by-step instructions that take you from a password-filled to a passwordless world in Active Directory and Azure AD.

With each link, I’ve provided a rough time estimate for how long the process should take given a dedicated effort. There will always be a fringe case or two where passwordless is more complex, for example if your existing environment uses AD FS with smartcards, has domain controllers older than Windows Server 2016, or has a lot of Macs. It always helps to review the documentation, which I also link to.

Windows Hello for Business: Hybrid Cloud Trust

When we talk about Windows Hello for Business (WHfB) rollout scenarios, the one that has consistently been the preferred path is Hybrid Key Trust. It is the lightest-weight scenario in terms of deployment requirements, and if you already had Active Directory Certificate Services (AD CS), which key trust needs for the domain controller certificates, it was only a matter of a few hours to configure your directory to be ready for a rollout.

While there are some smaller niche limitations, the most common limitation that every organization encounters with Hybrid Key Trust is the initial window of needing to wait for Azure AD Connect to write the msDS-KeyCredentialLink attribute back from Azure AD to the user object in Active Directory (by default, delta synchronization runs every 30 minutes).

This writeback is what informs Active Directory of the public half of the user’s WHfB key pair, and it is what enables the user to authenticate to AD with that key (Kerberos PKINIT) through WHfB. Historically this leaves many organizations needing to tell users that it will “take some time” between when they enroll and when they can first sign in with WHfB, which is not the greatest way to introduce users to a passwordless experience.
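The check a helpdesk or rollout engineer wants during that window is simply “has the key credential landed in AD yet?”. The script below is an added example, not code from the original post or from Microsoft; it assumes the ActiveDirectory module on a domain-joined admin machine, and the optional -TriggerDeltaSync switch assumes it is run on the Azure AD Connect server where the ADSync module lives. The $SamAccountName parameter and the output wording are illustrative choices.

```powershell
# Added example (not from the original post): report whether a user's WHfB public key
# has been written back from Azure AD into on-premises AD (msDS-KeyCredentialLink).
# Assumes: ActiveDirectory module; ADSync module only if -TriggerDeltaSync is used
# on the Azure AD Connect server itself.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [switch]$TriggerDeltaSync
)

Import-Module ActiveDirectory

$user  = Get-ADUser -Identity $SamAccountName -Properties 'msDS-KeyCredentialLink'
$links = @($user.'msDS-KeyCredentialLink')

if ($links.Count -eq 0) {
    Write-Host "$SamAccountName`: no msDS-KeyCredentialLink yet. Writeback has not happened, so WHfB key trust sign-in to AD will fail until it does."
    if ($TriggerDeltaSync) {
        # Only valid on the Azure AD Connect server; forces a delta sync instead of
        # waiting for the scheduled 30-minute cycle.
        Import-Module ADSync
        Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
        Write-Host "Delta sync requested; re-run this check once it completes."
    }
    return
}

# Each value uses Object(DN-Binary) syntax: B:<hex-char-count>:<hex>:<DN>
foreach ($link in $links) {
    $parts  = $link -split ':', 4
    $hexLen = [int]$parts[1]
    $dn     = $parts[3]
    Write-Host ("{0}: key credential of {1} bytes present, linked to {2}" -f $SamAccountName, ($hexLen / 2), $dn)
}
Write-Host "$SamAccountName`: $($links.Count) key credential(s) in AD; WHfB key trust sign-in to AD can work."
```

A user can have more than one value (one per enrolled device), so the count is worth reporting rather than just presence; a device that enrolled after the last sync will still be missing even when an older device’s key is already there.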