With a FIDO2 key, such as the YubiKey Bio, passwordless authentication can be implemented on Microsoft 365/Azure AD and also on Windows devices. As a result, an organization can take a step towards "passwordless", especially for production employees.
With its YubiKeys, the company yubico offers various options for pursuing the approach of a password-free environment. Authentication with a smart card, a PIN or a biometric factor counts as "passwordless". The YubiKeys with the FIDO2 standard can be used in many different applications, including in the Microsoft 365/Azure universe.
You can find a nice (marketing) summary on Passwordless login with YubiKey (yubico.com). Overview of all supported applications for MFA and / or Passwordless: Works with YubiKey catalog | Yubico
The new YubiKey Bio Series finally combines the well-known smart card function with a fingerprint. This means that a PIN is no longer required when logging in via YubiKey.
I was able to test the key for a while and am satisfied with how little I need my keyboard for my general work. The same applies to third-party devices.
Table of Contents
- Demo video
- User enrollment
- Login with YubiKey (user view)
in the tenant to use a YubiKey
In Azure AD, only the authentication method FIDO2 Security Key has to be activated for a specific group or for all users.
To do this, we navigate in the portal to Authentication methods - Microsoft Azure:
ℹ️ If activated for the first time, the option for user enrollment is immediately available.
Windows, local configuration for login
We can distribute the following policy locally to the Windows computers via OMA-URI in order to activate the login with a smart card.
- Description: not absolutely necessary
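The two settings above done with PowerShell and Microsoft Graph instead of the portal, as an added example that is not part of the original post. It assumes the Microsoft.Graph PowerShell SDK is installed; the group id, the profile name and the attestation choice are placeholders and assumptions, not values from the post.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph PowerShell SDK.
# The group id and profile name are placeholders; both endpoints are documented Graph v1.0 endpoints.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "DeviceManagementConfiguration.ReadWrite.All"

# 1) Tenant: enable the FIDO2 security key method for one pilot group instead of "all users".
$groupId = "00000000-0000-0000-0000-000000000000"   # placeholder: object id of the pilot group
$fido2Policy = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationAllowed = $true   # users may enrol themselves via https://aka.ms/setupmfa
    isAttestationEnforced            = $true   # assumption: only keys with valid FIDO attestation metadata
    includeTargets                   = @(@{
        targetType             = "group"
        id                     = $groupId
        isRegistrationRequired = $false
    })
}
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2" `
    -Body $fido2Policy

# 2) Windows: Intune custom profile carrying the OMA-URI that turns on security key sign-in.
#    The description field is optional, which is what the post's "not absolutely necessary" refers to.
$customProfile = @{
    "@odata.type" = "#microsoft.graph.windows10CustomConfiguration"
    displayName   = "Enable FIDO2 security key sign-in"   # placeholder name
    description   = "Security key sign-in for AAD joined devices"
    omaSettings   = @(@{
        "@odata.type" = "#microsoft.graph.omaSettingInteger"
        displayName   = "UseSecurityKeyForSignin"
        omaUri        = "./Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin"
        value         = 1
    })
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations" `
    -Body $customProfile

# Check the tenant side: the method should now report "enabled" with the pilot group as its target.
$current = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2"
"FIDO2 state: $($current.state); targets: $($current.includeTargets.id -join ', ')"
```

The Intune profile still has to be assigned to a device group in the portal or via a further Graph call before the computers pick it up.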
Set up YubiKey Bio
Provided the user has already configured a password and MFA, they can configure the stick as follows:
- Configure the security key in the Windows settings under Sign-in options
- It is best to plug in the stick from the beginning.
- Provided the stick is recognized, it has to be tapped once on the fingerprint sensor and a PIN can be set.
- If the PIN is set, the finger or fingers can be scanned.
- The fingerprint function is activated by setting the PIN.
ℹ️ yubico itself offers a nice video, which can be very helpful for users: https://youtu.be/Fp96iTxk0RU
If the option is not available, it can be activated as described in the previous article: Windows Hello | scloud
Use YubiKey for Azure AD (including Windows Hello for Business login)
- The YubiKey Bio (or other models) can be added via the MFA setup page (https://aka.ms/setupmfa).
If MFA is active, the second factor must be confirmed again.
- Then "USB device" can be selected, and the local Windows Security dialog opens.
All of the Windows Security prompts that are displayed can be confirmed.
- After following the instructions, the key only needs to be confirmed with your own finger (or with the PIN for YubiKeys without a fingerprint sensor).
Login with YubiKey (user view)
Login via portal.office.com
The login via browser is very easy and intuitive: neither a username nor a password is required. All you have to do is connect the YubiKey Bio, choose the security key authentication and press the fingerprint sensor.
Login to a Windows PC (AAD Joined)
Most of the time the key is recognized directly; if this is not the case, the "FIDO security key" option must be selected in the login options.
The key is very reliable and easy to use. To be honest, I had to force myself to use it as the only login method for a week. The main reason for this is that I have configured Windows Hello for Business on my device and use MFA via Authenticator for online logins. But with the little experiment I can confirm the reliability.
For a user who either doesn't have a smartphone, works on a shared device or often changes location, I definitely see the solution with a YubiKey BIO (FIDO2) as very practical and secure. The fingerprint in particular offers a very convenient and secure authentication method. Thanks to the fingerprint, no employee should be able to forget their PIN 😉.
Why am I only able to configure my Yubikey with Azure MFA with both the PIN and the fingerprint?
I am not able to enroll my Yubikey without first entering a PIN. Then, once configured, for any MFA challenge both the PIN and the fingerprint are required.