FIDO2 security keys – Planning and Implementing Authentication
Physical tokens, such as the Fast Identity Online 2 (FIDO2)-based token or security key, are another password-less option that can be used. While the Microsoft Authenticator app is a soft token, FIDO2 tokens are physical pieces of hardware that are typically either connected to the computer (in the form of a USB device) or that communicate wirelessly (via Bluetooth or NFC).
You can access the security key login process during a browser session by selecting the Sign in with Windows Hello or a security key option from the sign-in page:

Figure 7.5 – Password-less authentication dialog with FIDO2 security token
The data flow for a FIDO2-based login follows a pattern similar to both WHFB and the Microsoft Authenticator app. For example, to log on to a device using FIDO2, this process is followed:

Figure 7.6 – FIDO2 authentication sequence
The steps are as follows:
- The user plugs in a FIDO2 security key.
- Windows detects the security key.
- Windows sends an authentication request to Azure AD.
- Azure AD responds by sending a nonce back to the login device.
- The user authenticates to the FIDO2 key, unlocking the secure storage area containing the private key.
- The FIDO2 key signs the nonce with the private key and sends it to Windows.
- Windows generates a PRT request and sends it with the signed nonce to Azure AD.
- Azure AD verifies the signed nonce with the FIDO2 device’s public key.
- Azure AD returns the PRT to the login device.
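The challenge-response core of the sequence above (nonce issued by Azure AD, nonce signed by the key after the user unlocks it, signature checked against the registered public key), shown as an added example that is not part of the original chapter and not Microsoft's or any FIDO2 vendor's code. It is a toy model in Go using the standard-library ECDSA package: the Authenticator, RelyingParty and Assertion types are constructed for illustration, and the signed message is simplified to the nonce plus a signature counter rather than the real WebAuthn authenticator data and client data hash. It also shows the two checks a relying party makes that the diagram does not spell out: each nonce is accepted once, and the key's signature counter must increase.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator models the FIDO2 security key: the private key never leaves it,
// and it only signs after the user has authenticated to it (step 5).
type Authenticator struct {
	priv     *ecdsa.PrivateKey
	counter  uint32
	unlocked bool
}

// Assertion is what the key hands back to Windows (step 6): the nonce it signed,
// its signature counter, and the signature itself.
type Assertion struct {
	Nonce   []byte
	Counter uint32
	Sig     []byte
}

// RelyingParty models Azure AD: it holds the public key registered for the user,
// the nonces it has issued but not yet consumed, and the last counter it saw.
type RelyingParty struct {
	pub         *ecdsa.PublicKey
	pending     map[string]bool
	lastCounter uint32
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{pending: map[string]bool{}}
}

// Register gives the relying party only the public key (the enrollment that precedes sign-in).
func (a *Authenticator) Register(rp *RelyingParty) { rp.pub = &a.priv.PublicKey }

// Unlock stands in for the PIN or biometric gesture that opens the key's secure storage.
func (a *Authenticator) Unlock() { a.unlocked = true }

// NewNonce is step 4: a fresh random challenge that is remembered until it is used.
func (rp *RelyingParty) NewNonce() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	rp.pending[string(nonce)] = true
	return nonce, nil
}

// signedData is the simplified message both sides hash: nonce || counter (assumption, not the WebAuthn layout).
func signedData(nonce []byte, counter uint32) []byte {
	h := sha256.New()
	h.Write(nonce)
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	h.Write(c[:])
	return h.Sum(nil)
}

// Sign is step 6: refuse while locked, bump the counter, sign nonce+counter with the private key.
func (a *Authenticator) Sign(nonce []byte) (*Assertion, error) {
	if !a.unlocked {
		return nil, errors.New("key locked: user has not authenticated to the authenticator")
	}
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedData(nonce, a.counter))
	if err != nil {
		return nil, err
	}
	return &Assertion{Nonce: nonce, Counter: a.counter, Sig: sig}, nil
}

// Verify is step 8: the nonce must be one we issued and not yet consumed, the counter must
// have increased, and the signature must verify under the registered public key.
func (rp *RelyingParty) Verify(as *Assertion) error {
	if !rp.pending[string(as.Nonce)] {
		return errors.New("nonce not outstanding: replayed or forged challenge")
	}
	if as.Counter <= rp.lastCounter {
		return errors.New("signature counter did not increase: possible cloned authenticator")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedData(as.Nonce, as.Counter), as.Sig) {
		return errors.New("signature does not verify against the registered public key")
	}
	delete(rp.pending, string(as.Nonce)) // a nonce is good for exactly one sign-in
	rp.lastCounter = as.Counter
	return nil
}

func main() {
	auth, _ := NewAuthenticator()
	rp := NewRelyingParty()
	auth.Register(rp)
	nonce, _ := rp.NewNonce()
	auth.Unlock()
	as, _ := auth.Sign(nonce)
	fmt.Println("first use:", rp.Verify(as))  // <nil>: sign-in succeeds, PRT would be issued
	fmt.Println("replay:   ", rp.Verify(as))  // error: the nonce was already consumed
}
```

The replay check is the reason step 4 exists at all: without a server-chosen nonce, a captured signature could be presented again, so verifying "a valid signature from the right key" is not enough on its own.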
FIDO2, like Windows Hello, has specific hardware requirements.
Supported FIDO2 security tokens
You can see an up-to-date list of supported FIDO2 security keys or tokens here: https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-password-less#fido2-security-key-providers.
As you’ve seen from the diagrams, each of the password-less options (Windows Hello, Microsoft Authenticator, and FIDO2) follows a similar authentication workflow, based on PKI.