FIDO2 - Frequently Asked Questions
Here are answers to the most commonly asked questions about FIDO2 with Azure AD and Windows 10.
FIDO2 authenticators
What is a FIDO2 security key?
A security key is a physical device that you can use instead of your username and password to sign in. Since it’s used in addition to a PIN or a fingerprint, even if someone has your security key, they won’t be able to sign in without the PIN or the fingerprint that you registered on the key.
What’s the difference between a PIN and password?
A PIN is different from a password. The purpose of the PIN is to unlock the security key so it can perform its role. A PIN is stored locally on the device and is never sent across the network. In contrast, a password is sent across a network to the service for validation. To learn more, you can read the following article “Why a PIN is better than a password”.
Remember that a PIN is just one of the two factors. A PIN is tied to the specific hardware device it was set up on. Without the device, the PIN is useless. If someone stole your PIN and wanted to sign into your account, they’d need your physical device too.
If I’m using a FIDO2 biometric key, do I need to use a PIN?
A PIN is an alternative way to verify the user before responding to a registration or authentication request. If the biometric validation fails, the user will be prompted to type a PIN. The PIN is used as a backup method.
What is password-less authentication?
Passwordless authentication is any method of verifying a user’s identity without requiring the user to provide a password. For example, the principle behind FIDO2 is to replace shared secrets, such as passwords, with public key cryptography. FIDO2 is based on public key cryptography and is intended to solve multiple user scenarios including strong first factor (password-less), strong second factor, and multi-factor password-less authentication.
What is Two-factor Authentication?
Two-factor authentication (2FA) is also known as two-step verification or multifactor authentication. Two-factor authentication delivers strong authentication and provides an additional security step by requiring a second form of authentication.
Two-step verification is not necessarily the same as password-less authentication, especially if the first step involves typing a password.
What is Strong Authentication?
Strong authentication works by requiring two or more of the following authentication methods:
- Something you know (typically a password)
- Something you have (a trusted device like a phone or a security key)
- Something you are (biometrics)
Support of FIDO2 Security Keys with Azure AD
Does Microsoft Azure AD support FIDO2?
Yes, at the time of writing (March 2020) the support of FIDO2 password-less authentication in Azure Active Directory is a public preview feature.
Azure AD supports passwordless authentication for cloud-only, synchronized and federated users. Azure AD administrators can turn on and configure FIDO2 for their Azure AD tenant and allow their employees to set up their own security keys for their account. Additionally, administrators can control the deployment and turn on FIDO2 security key registration for users and groups of users.
Is there a license level required for Azure AD to register a FIDO2 security key?
Azure Active Directory comes in four editions—Free, Office 365 apps, Premium P1, and Premium P2. The free edition of Azure AD is enough to register a FIDO2 security key.
Which FIDO2 security keys are compatible by default with Azure AD?
For a list of fully certified FIDO2 security keys that have been tested to be Microsoft-compatible visit the partner page on the Microsoft website.
Can I register multiple security keys with my Azure AD account?
Yes, you can register multiple FIDO2 security keys with your Azure AD account and it’s a best practice to do so. For example, you can start by registering at least two keys at the time of setup, so you have one primary and one backup.
Can you describe how FIDO2 authentication works with Azure AD?
When you create and register a FIDO2 credential, the FIDO2 device generates a private and public key on the device. The private key is stored securely on the device and can only be used after it has been unlocked using a local gesture like biometric or PIN. Note that your biometric or PIN never leaves the device. At the same time the private key is stored, the public key is sent to Azure AD and registered with your user account.
When you later sign in, Azure AD provides a nonce to your FIDO2 device. Your FIDO2 device then uses the private key to sign the nonce. The signed nonce and metadata are sent back to Azure AD, where they are verified using the public key.
Is FIDO2 supported to access on-premises resources?
Yes, this is the FIDO2 Hybrid mode which is in public preview. See the announcement.
For organizations not using Azure AD, does Active Directory support FIDO2?
No, Active Directory does not support FIDO2 authentication.
What will happen if a user loses a FIDO2 security key?
The impact of the loss of a single FIDO2 security key can be greatly reduced when multiple password alternatives are available for the user. The recommended best practice is to register several FIDO2 security keys and password alternatives on the user account.
Microsoft requires users to set up more than one verification method, like the Microsoft Authenticator App, so users have a backup option in the event that they lose a FIDO2 security key.
Which password-less alternatives are supported in Azure AD?
Azure AD supports the following alternatives to passwords: the Microsoft Authenticator App, Windows Hello and FIDO2 security keys.
What is the Microsoft Authenticator App?
The Microsoft Authenticator app, launched in April 2017, helps users prove their identity without typing a password. The Microsoft Authenticator app is freely available for Android, iOS and Apple Watch.
Similar to the principle of FIDO2 authentication, the Microsoft Authenticator app uses key-based authentication to enable a user credential that is tied to a device and uses a biometric or PIN verification.
Can I use my FIDO2 security key without a PIN or biometric verification?
No, Azure AD requires user validation to register a FIDO2 security key or to authenticate. A user gesture (PIN or biometric) verified by the FIDO2 security key is required when interacting with Azure AD.
Can I use my security key for two-factor authentication in Azure AD?
No, Azure AD only supports FIDO2 password-less authentication and does not support FIDO U2F.
Does Microsoft Azure AD support the FIDO Alliance UAF and U2F specifications?
FIDO U2F and UAF are not supported in Azure AD. At the time of writing (March 2020) the support of FIDO2 password-less authentication in Azure Active Directory is a preview feature.
In the event of a loss or theft of my FIDO2 security key, is it possible to block the use of the key remotely?
Yes, it is possible for an end-user to revoke a FIDO2 security key through the Azure AD portal.
How to set up a security key as a verification method in Azure AD?
Please follow the steps described in the section "register your security key". The organization must first configure and allow this verification option for the whole organization or for a selected group of users.
FIDO2 Security Keys on Windows 10
How can I enable passwordless security key sign in to Windows 10 devices?
Sign-in to Windows 10 with a FIDO2 security key can be enabled via multiple methods like Active Directory GPO, Microsoft Intune or a provisioning package using the Windows Configuration Designer App. To learn more, please refer to this step-by-step documentation.
Can a user sign-in to different Windows 10 devices with the same FIDO2 security key?
Yes, if the devices are Azure AD joined or hybrid Azure AD joined to the same tenant. This scenario requires Windows 10 version 1809 or higher. The first time the user signs in with a FIDO2 security key, an Internet connection is required. After that, it is possible to sign in with cached credentials, and offline sign-in works.
Does FIDO2 sign-in on Windows 10 work in offline mode?
The first time the user signs in with a FIDO2 security key on a new Windows 10 device, an Internet connection is required. After that, it is possible to sign in with a FIDO2 security key even in offline mode.
What is a Microsoft-compatible FIDO2 security key?
To be considered Microsoft-compatible, a security key must implement the following features and extensions from the FIDO2 CTAP protocol to allow sign-in in Windows 10 even without internet connectivity.
- Resident keys: this feature makes the security key portable, because your credentials are stored on the security key itself.
- Client PIN: this feature enables you to protect your credentials with a second factor.
- HMAC-secret: this extension ensures you can sign in to your device when it's offline or in airplane mode.
- Multiple accounts per relying party: this feature ensures you can use the same security key across multiple services like Azure Active Directory (AAD) or Microsoft Account (MSA).
How can I safely remove my FIDO2 security Key?
The FIDO2 security key is not identified as a mass storage device by your PC, and does not need to be ejected before it is removed.
How to change my PIN on my security key?
On Windows 10 you can manage a security key via “Sign-in options” in the Windows Settings app. You can modify an existing security key PIN (starting with Windows 10 v1903) or reset your security key and create a new security key PIN.
How to reset my security key?
Resetting your security key deletes everything from the key, meaning that all data and credentials will be cleared, allowing you to start over.
If you want to proceed, please follow the steps described in the section “reset your security key” on the Microsoft website.
Do security keys also work for organizations that use RDP?
No, at the time of writing FIDO2 is not supported in this scenario. You need to use certificate authentication to connect through RDP.
Lead Architect, Identity & Access Mgt. Platform
1 year ago: Hi Arnaud Jumelet, have you tried Apple TouchID as a FIDO2 platform authenticator provisioned in Azure-AD? If yes, then I have a quick question. Do I need to register the iPhone in AAD? Basically, is the key tied to and does it refer to the device-id (similar to WHfB provisioning)?
Dark by Design ZeroTrust Principal Executioner.
3 years ago: Arnaud Jumelet, if you're still working on FIDO2 and WEBAUTHN, are you aware of any Security Best Practices published by Microsoft, since this is over a year ago? In particular:
- More than three security keys
- Password-less 'conditional' access based upon trustworthiness factors:
  - detected IP location (domestic or overseas)?
  - detected device TPM (or not), detected device NGAV signature up to date and software / hardware patches (i.e. NAC)?
  - what class of resource is being requested by the user and what is the pre-classified business risk of that?
  - what time of day is the request being made, in work hours or in the middle of the night?
Thanks, or if you're able to refer a URL or another expert, much appreciated.
Excellent stuff
Darinka Marin