In my earlier post on the YubiKey Bio I described how a user can log in passwordless and without a PIN. In this article I would like to show a passwordless deployment variant that uses the inexpensive "Yubico Security Key" (about $25) for logging in to Microsoft 365/Azure AD. For the initial login, I send the new user a "Temporary Access Pass" (TAP).
Requirements
Activation of the Security Key and Temporary Access Pass
Both the security key and the Temporary Access Pass must be enabled as authentication methods.
In Azure AD this is done under Security > Authentication methods:

In the options of the Temporary Access Pass we can set the validity period. I choose between one and four hours, since it is usually known when a user will log in for the first time. The start of the validity period is chosen when the TAP is created.

Conditional Access Policy
To ensure that users cannot simply log in with a password after all, we set up a Conditional Access policy. Unfortunately, there is currently no way to disable password login entirely in Azure AD; this option already exists for personal Microsoft accounts.
- We create the policy under portal.azure.com > Conditional Access:

- I scope the policy so that it applies only to users who are actually passwordless. For this I created the group "USR-Passwordless".
- Usually all cloud apps are included and "Require multi-factor authentication" is selected under "Access controls". Security keys satisfy the MFA requirement.
Create user
The user can be created via the Microsoft 365 Admin Center, Azure AD or, in a hybrid scenario, in Active Directory with Azure AD Connect. From IT's point of view, the user is created together with a TAP (Temporary Access Pass). Unfortunately, there is currently no way to create a user without a password, so we simply choose a very long one (up to the maximum of 256 characters).
Thanks to the TAP, the user never has to enter this password and does not even need to know it. The user only has to configure the security key at the first login. Since a TAP cannot be used to log in to a Windows PC, I instruct the user on the first day to log in to the shared PC with the guest account and set up the security key from there. Once the key is configured, the user can log off and from then on log on to any company-owned PC with the security key, without entering a user name or password. Only the key and its PIN or fingerprint are required.
- Here I create an ordinary user:
- Password: random, very complex and up to 256 characters long.
- Group membership: at least the Conditional Access group "USR-Passwordless".

Create a Temporary Access Pass (TAP)
Once the user has been created and licensed, I create a TAP for the user under Authentication methods > Add authentication method. In this example it is valid for one hour from Monday 8:00 a.m.; the user must register the security key within this window. The validity period must of course match the onboarding process of the company or department to avoid complications or support requests.

- After creation, the TAP is displayed and can be handed over to the end user, for example in the form of a sealed envelope.
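The user and TAP creation described above can also be scripted against the Microsoft Graph API. The following Python example is added here and is not the author's code: it builds the request bodies for creating the user with a throwaway 256-character password and for the one-hour TAP, and computes the deadline for registering the key that the one-time TAP limitation (see Limitations) imposes. The user name, domain, date and the CET time zone are constructed sample values; the Graph endpoints and value ranges are the documented ones.

```python
import secrets
import string
from datetime import datetime, timedelta, timezone

# Azure AD: 8-256 characters, at least three of four classes; one from each class suffices.
PASSWORD_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                    string.digits, "!#$%&*+-=?_")

def random_password(length: int = 256) -> str:
    """Throwaway password the user never sees or types."""
    if not 8 <= length <= 256:
        raise ValueError("Azure AD passwords must be 8 to 256 characters")
    rng = secrets.SystemRandom()
    chars = [rng.choice(cls) for cls in PASSWORD_CLASSES]
    chars += [rng.choice("".join(PASSWORD_CLASSES)) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)

def graph_time(moment: datetime) -> str:
    """Graph wants UTC timestamps such as 2022-03-07T07:00:00Z."""
    return moment.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def user_request(display_name: str, upn: str) -> dict:
    """Body for POST /v1.0/users; group membership is a separate call."""
    return {"accountEnabled": True, "displayName": display_name,
            "mailNickname": upn.split("@")[0], "userPrincipalName": upn,
            "passwordProfile": {"forceChangePasswordNextSignIn": False,
                                "password": random_password()}}

def tap_request(start: datetime, minutes: int, usable_once: bool = True) -> dict:
    """Body for POST /v1.0/users/{id}/authentication/temporaryAccessPassMethods."""
    if not 10 <= minutes <= 43200:  # range Graph accepts for lifetimeInMinutes
        raise ValueError("lifetimeInMinutes must be between 10 and 43200")
    return {"startDateTime": graph_time(start), "lifetimeInMinutes": minutes,
            "isUsableOnce": usable_once}

def register_by(signed_in: datetime, start: datetime, minutes: int,
                usable_once: bool = True) -> str:
    """Deadline for registering the key: 10 minutes after sign-in with a
    one-time TAP, otherwise the end of the TAP's validity window."""
    tap_end = start + timedelta(minutes=minutes)
    deadline = min(signed_in + timedelta(minutes=10), tap_end) if usable_once else tap_end
    return graph_time(deadline)

def onboarding_example() -> dict:
    """The page's scenario: one-hour TAP from Monday 8:00, CET assumed (constructed date)."""
    monday_8 = datetime(2022, 3, 7, 8, 0, tzinfo=timezone(timedelta(hours=1)))
    return {"user": user_request("Erika Mustermann", "erika@contoso.example"),
            "tap": tap_request(monday_8, 60),
            "register_by": register_by(monday_8, monday_8, 60)}
```

The returned bodies are what you would send with an authenticated Graph client; the response to the TAP request contains the pass itself in its temporaryAccessPass field.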

Configure security key (by user)
On the first working day, the user logs in to a company PC with the guest account and navigates to https://aka.ms/mysecurityinfo.
To simplify the process, you can also create a desktop shortcut via Intune or GPO.
- The new user logs on at this URL with the TAP.
- After logging in, a security key is added as a new authentication method on the security info page.
- If the PC does not have an NFC reader, we select "USB device" and confirm the second window with "Next".
- Now the Windows Security dialog opens to read and configure the key.
- The first two dialogs are informational and can simply be confirmed.
- The user is asked to protect the key with a PIN, which must be entered at every future login with the security key.
- Finally, the key only needs a name; a combination of description and date has proven useful here.
That's it: from now on the user can log on to the company's computers, just like in the browser, without a password.
Limitations
- When a one-time TAP is used to register a passwordless method such as FIDO2 or phone sign-in, the user must complete the registration within 10 minutes of logging in with the TAP. This limitation does not apply to a TAP that can be used multiple times.
- The TAP does not work for users who have security defaults or self-service password reset (SSPR) active.
- A TAP does not work with the Network Policy Server (NPS) extension or the Active Directory Federation Services (AD FS) adapter, nor during Windows Setup / Out-of-Box Experience (OOBE), Autopilot, or Windows Hello for Business deployment.
- If Seamless SSO is enabled in the tenant, users are prompted for a password. The TAP can be selected below the password field.
Findings
Once the process for a passwordless deployment with the security key and Microsoft 365 has been defined, it is neither very complex nor complicated, because the TAP solves the first login very nicely. It would be even better if the TAP could also be used to log in on a Windows device; then the guest profile would not have to be used or enabled.
Once the security key has been set up, however, login is greatly simplified for the user.
A security key is unlikely to be used in a typical office; I see its use much more in production environments or medical practices with shared workstations. Schools could also benefit, because I often encounter the challenge that students have trouble entering or remembering passwords. A security key can be a relief, especially on Azure AD devices where the e-mail address must otherwise be typed in to log in.