Working out evaluation criteria for product selection can be difficult, especially for items that are rarely purchased. We’ve become accustomed to working out what we want from daily-use items such as laptops and mobile phones, which makes the process easier when we refresh them every few years. However, choosing a hardware security token may be something you have never had to do.
So how do I choose a Hardware Security Token? This post outlines some selection criteria I’ve recently used to help others answer “Which Hardware Security Token do I need?”, with a view to using the tokens for Azure Active Directory Passwordless authentication along with support for other multi-factor scenarios.
In this post I cover;
Hardware Security Tokens come from numerous vendors. Until recently (late 2019) only two manufacturers (Feitian and Yubico) had a hardware token that supported FIDO2, as the FIDO2 standard had only recently been endorsed. Thankfully that has now changed, and our options are increasing. That, though, also compounds the problem: which vendor do I choose, and which of their hardware token products are right for me? Here are some criteria to consider;
In late 2019 there were few hardware security tokens available that supported multiple protocols (FIDO U2F, FIDO2, TOTP etc.) AND were biometric. Current options are the Feitian BioPass, the eWBM Goldengate series (FIDO2 and FIDO U2F only), and Yubico has indicated that a YubiKey Bio is coming soon. Keep abreast of announcements on the Find Biometrics FIDO2 page here.
Whilst the options above cover what you are going to use the hardware token for, there are other things you should also consider, especially if you are looking to purchase numerous keys for an organisation;
My recommendation is, as a minimum select a;
This is very dependent on the manufacturer and how they have designed and integrated their hardware tokens. Ideally you want full Windows 10 integration so that there are no additional driver or software dependencies to configure/enrol the key. Before following manufacturer instructions to download additional software, go to Windows Settings => Accounts => Sign-in options
Select Security Key
Select Manage
Touch the Security Key
If you got this far, you are on a recent build of Windows 10 (Build 18298 (19H1) or above) and you can manage the key natively: enrol your fingerprint(s), set a PIN and reset the key. If you didn’t get this far you will need to either update your Windows 10 OS or install drivers and key management software from the vendor.
For biometric keys you should see the Security Key Fingerprint options (right image below). Either add additional fingerprints if a user is already enrolled, or enrol fingerprint(s). For both biometric and capacitive-touch keys you can manage the PIN and reset the key.
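Before walking a user through the Settings steps above (or handing them vendor software), it is worth checking the build programmatically. The following PowerShell is an added example, not from the original post: it reads the installed build from the registry, compares it with the build the post cites as the first with native Security Key management, and deep-links to Sign-in options using the ms-settings: URI scheme. The threshold value is taken from the post; the advice strings are my own.

```powershell
# Added example: does this Windows 10 build have native FIDO2 security key
# management (Settings > Accounts > Sign-in options > Security Key)?
function Test-NativeSecurityKeyManagement {
    [CmdletBinding()]
    param(
        # First build with the built-in Security Key management UI (19H1 Insider build 18298, per the post)
        [int]$MinimumBuild = 18298
    )
    $cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild
    # DisplayVersion (e.g. 21H2) only exists on newer builds; fall back to ReleaseId (e.g. 1903)
    $release = if ($cv.PSObject.Properties['DisplayVersion']) { $cv.DisplayVersion } else { $cv.ReleaseId }
    $native  = ($build -ge $MinimumBuild)

    $advice = if ($native) {
        'Manage the key from Settings; no vendor software is needed to enrol fingerprints or set a PIN.'
    } else {
        "Update Windows 10 to build $MinimumBuild or later, or install the vendor's drivers and key management software."
    }

    [pscustomobject]@{
        ProductName   = $cv.ProductName
        Release       = $release
        Build         = $build
        NativeSupport = $native
        Advice        = $advice
    }
}

function Open-SecurityKeySettings {
    # ms-settings:signinoptions opens Settings > Accounts > Sign-in options directly
    Start-Process 'ms-settings:signinoptions'
}

$result = Test-NativeSecurityKeyManagement
$result | Format-List
if ($result.NativeSupport) { Open-SecurityKeySettings }
```

Run it as the user who will enrol the key; the registry values are machine-wide, but the Settings page opened at the end manages the key for the signed-in account only.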
Registering a FIDO2 token for Azure AD Passwordless Authentication will vary slightly based on the FIDO2 token you have chosen. Keep this in mind when evaluating your options.
As an Azure Active Directory user in an Azure AD tenant where Passwordless Authentication is enabled (see below on enabling an Azure AD tenant for FIDO2 Passwordless Authentication), navigate to the My Profile Azure user portal and select the Security Info menu on the left.
From here we can add methods for sign-in. Security key is the method for registering FIDO2 tokens with your user account. Select Add method => Security key => Add
You will be prompted for MFA to validate your credentials again, to confirm that it is actually you adding another authentication method to your account. Select Next.
Select the appropriate option for the security key you are setting up: NFC or USB FIDO2 security token.
Have your key ready. Select Next
Insert your FIDO2 Security Key
Touch your security key
Provide a name for your security key and select Next
Your FIDO2 Security Key should now be associated with your account. Select Done.
Now that you have a FIDO2 Security Key associated with your Azure Active Directory user account you can use it to logon to Windows 10. This does assume that your Windows 10 workstation is joined to your Azure Active Directory. If your Windows 10 machine isn’t joined to Azure Active Directory, see “Joining a Windows 10 machine to Azure Active Directory” at the bottom of this post.
This process differs slightly depending on the type of FIDO2 security key you have. The left column shows the user experience with a biometric token: authenticating to Azure AD requires inserting the token and passing the biometric scan. The right column shows a non-biometric key, where a PIN is used to validate the owner of the key and a tactile touch of the key then completes authentication, after which login to Windows 10 via Azure AD proceeds.
To enable Passwordless Authentication to Azure AD, configure the Authentication methods under Azure Active Directory in the Azure Portal here.
As this is currently a preview feature you will need to enable the enhanced registration process (the combined security information registration preview). Select ‘Selected’ or ‘All’ depending on who you will be enabling this feature for and select Save.
Back in Authentication Methods we can now enable FIDO2 and select Save.
While you are here, you may also want to enable Microsoft Authenticator passwordless sign-in. Note: I won’t be covering mobile-based sign-in in this post.
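The portal steps above (enabling the FIDO2 method) and the registration check earlier (“Your FIDO2 Security Key should now be associated with your account”) both have a programmatic equivalent in Microsoft Graph, which is what you want once you are rolling keys out to many users. The following PowerShell is an added example, not from the original post, and uses the current Graph v1.0 authentication methods policy rather than the preview-era portal. It assumes the Microsoft Graph PowerShell SDK is installed (Install-Module Microsoft.Graph) and that you sign in as an administrator holding the listed scopes. The AAGUID allow-list is empty by default; the UPN used at the bottom is hypothetical.

```powershell
# Added example: enable the FIDO2 authentication method tenant-wide and verify
# which keys a user has registered. Graph v1.0 endpoints; SDK assumed installed.
function Enable-Fido2AuthenticationMethod {
    param(
        # AAGUIDs of the key models you selected; an empty list allows any FIDO2 key.
        # Take the AAGUID from the vendor's documentation or from a registered key (see Get-UserFido2Keys).
        [string[]]$AllowedAaGuids = @(),
        # Require attestation so only keys whose vendor metadata Microsoft can validate may register.
        [bool]$EnforceAttestation = $true
    )
    $body = @{
        '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
        state                            = 'enabled'
        isSelfServiceRegistrationEnabled = $true
        isAttestationEnforced            = $EnforceAttestation
        # 'all_users' is the built-in target for the whole tenant; use a group id to scope a pilot
        includeTargets = @(
            @{ targetType = 'group'; id = 'all_users'; isRegistrationRequired = $false }
        )
        # Restrict registration to approved models once you have decided on a vendor
        keyRestrictions = @{
            isEnforced      = ($AllowedAaGuids.Count -gt 0)
            enforcementType = 'allow'
            aaGuids         = $AllowedAaGuids
        }
    }
    Invoke-MgGraphRequest -Method PATCH `
        -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2' `
        -Body $body
}

function Get-UserFido2Keys {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $uri = "https://graph.microsoft.com/v1.0/users/$UserPrincipalName/authentication/fido2Methods"
    # model and aaGuid tell you which product actually got registered; attestationLevel
    # shows whether the key passed attestation
    (Invoke-MgGraphRequest -Method GET -Uri $uri).value |
        Select-Object displayName, model, aaGuid, attestationLevel, createdDateTime
}

Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', 'UserAuthenticationMethod.Read.All'
Enable-Fido2AuthenticationMethod -AllowedAaGuids @()        # pass your vendor's AAGUIDs to allow-list models
Get-UserFido2Keys -UserPrincipalName 'user@contoso.com'     # hypothetical UPN
```

The key restriction is the organisational side of the “which token do I choose” question: once you have standardised on a model, allow-listing its AAGUID stops users registering an arbitrary consumer key, and enforced attestation stops keys whose vendor has not published metadata from registering at all.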
On a Windows 10 machine navigate to Settings => Accounts => Access work or school => Connect => Join this device to Azure Active Directory, then enter your email address/UPN for the Azure AD Environment and press Next.
On the next screen enter your password; you will then be prompted for MFA.
Confirm the join by selecting Join
You have then completed joining your Windows 10 machine to Azure AD.
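The quickest way to confirm the join state (and to diagnose a machine where the security key sign-in option never appears) is the built-in dsregcmd tool. The following PowerShell is an added example, not from the original post: it runs dsregcmd /status and parses its “Name : Value” lines (the format dsregcmd prints, assumed here) into an object you can test in a script.

```powershell
# Added example: confirm the Windows 10 device is Azure AD joined, which the
# FIDO2 sign-in described above depends on.
function Get-DeviceJoinState {
    $raw   = & dsregcmd.exe /status
    $state = @{}
    foreach ($line in $raw) {
        # dsregcmd prints "       AzureAdJoined : YES"; keep single-word keys only
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        AzureAdJoined = ($state['AzureAdJoined'] -eq 'YES')
        DomainJoined  = ($state['DomainJoined'] -eq 'YES')
        TenantName    = $state['TenantName']
        DeviceId      = $state['DeviceId']
    }
}

$join = Get-DeviceJoinState
if (-not $join.AzureAdJoined) {
    Write-Warning 'This device is not Azure AD joined; FIDO2 security key sign-in to Windows will not be offered.'
} else {
    "Azure AD joined to tenant '$($join.TenantName)' (device id $($join.DeviceId))"
}
```

A machine that reports AzureAdJoined : YES together with DomainJoined : YES is hybrid joined; the post covers the pure Azure AD join case, so treat that combination as needing its own verification rather than as equivalent.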
Choosing a hardware token initially looks trivial. However, when you dig a little deeper you quickly learn there are numerous criteria to carefully consider before selecting a token that will become a key item in your pocket/bag and part of your daily authentication routine. Hopefully I’ve given you enough information to allow you to make an educated decision that is right for you.