Skip to content
Yubikey BIO Azure AD
Home » YubiKey Bio - Go Passwordless! - Microsoft 365

YubiKey Bio - Go Passwordless! -Microsoft 365

With a FIDO2 key, such as the YubiKey Bio, passwordless authentication can be implemented on Microsoft 365/Azure AD and also on Windows devices. As a result, an organization can take a step towards "passwordless", especially for production employees.

With its YubiKeys, the company yubico offers various options for pursuing the approach of a password-free environment. Authentication with a smart card, a PIN or a biometric factor counts as "passwordless". The YubiKeys with the FIDO2 standard can be used in many different applications, including in the Microsoft 365/Azure universe.

You can find a nice (marketing) summary on Passwordless login with YubiKey (yubico.com). Overview of all supported applications for MFA and / or Passwordless: Works with YubiKey catalog | Yubico

The new YubiKey Bio Series finally combines the well-known smart card function with a fingerprint. This means that a PIN is no longer required when logging in via YubiKey.

I was able to test the key for a while and am satisfied with how little I need my keyboard for my general work. The same applies to third-party devices.

Table of Contents

Demo video

YouTube video player

Requirements

in the tenant to use a YubiKey

In Azure AD, only the authentication method FIDO2 Security Key has to be activated for a specific group or for all users.

To do this, we navigate to in the portal Authentication methods - Microsoft Azure:

Azure AD Security Settings - Authentication methods - Microsoft 365
Enable FIDO2 Security Key

ℹ️ If activated for the first time, the option for user enrollment is immediately available.

Windows, local for login

We can distribute the following policy locally on the Windows computers via OMA-Uri in order to activate the login with a smart card.

OMA Uri for Windows Login - Passwordless
Settingvalue
NameUseSecurityKeyForSignin
Descriptionnot absolutely necessary
OMA-Uri./Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin
Data typeInteger
Value1

User enrollment

Set up YubiKey Bio

Provided the user has already configured a password and MFA, he can configure the stick as follows:

  • Configure the security key in the Windows settings under Sign-in options
    • It is best to plug in the stick from the beginning.
  • Provided the stick is recognized, it has to be tapped once on the fingerprint sensor and a PIN can be set.
  • If the PIN is set, the finger or fingers can be scanned.
  • The fingerprint function is activated by setting the PIN.

ℹ️ yubico itself offers a nice video, which can be very helpful for users: https://youtu.be/Fp96iTxk0RU

If the option is not available, it can be made more active as described in the previous article: Windows Hello | scloud

Use YubiKey for Azure AD (including Windows Hello for Business login)

  • The YubiKey Bio (or other models) can be set up via MFA (https://aka.ms/setupmfa) to be added.
    If MFA is active, the second factor must be confirmed again.
  • Then "USB device" can be selected and the local Windows context menu opens.
    We can all confirm the Windows Security information displayed.
  • After the instructions, the key only needs to be confirmed with your own finger (code for YubiKeys without scanner).

Login with YubiKey (user view)

Login via portal.office.com

The login via browser is very easy and intuitive, neither a username nor a password is required. All you have to do is connect the YubiKey Bio, choose the security key authentication and press the fingerprint.

Login to a Windows PC (AAD Joined)

Most of the time, the key is recognized directly, if this is not the case, the "FIDO security key" option must be selected in the login options.

findings

The key is very reliable and easy to use. To be honest, I had to force myself to use it as the only login method for a week. The main reason for this is that I have configured Windows Hello for Business on my device and use MFA via Authenticator for online logins. But with the little experiment I can confirm the reliability.

For a user who either doesn't have a smartphone, works on a shared device or often changes location, I definitely see the solution with a YubiKey BIO (FIDO2) as very practical and sure. The fingerprint in particular offers a very convenient and secure authentication method. Thanks to the fingerprint, no employee should be able to forget their PIN 😉.

1 thought on “YubiKey Bio - Go Passwordless! - Microsoft 365”

  1. Why am I only able to configure my Yubikey with Azure MFA with both the PIN and the fingerprint?

    I am not able to enroll my Yubikey without first entering a PIN. Then, once configured, any MFA challenges, both the PIN and the fingerprint are required.

Leave a Reply

Your email address will not be published. Required fields are marked *

de_CH DE
de_CH DE
en_US EN
Exit mobile version