In a previous article on YubiKey Bio, I explored a method for users to sign in "Passwordless" without a PIN. This article delves into the variant of a passwordless deployment, utilizing the affordable "Yubico Security Key" (~$25) for Microsoft 365/Azure AD login. For the initial login, I provide the new user with a "Temporary Access Pass" (TAP).

Prerequisites

Activate the Security Key and Temporary Access Pass

In "Authentication methods," enable the use of the Security Key and Temporary Access Pass in Azure AD under Security > Authentication methods.

Activation of Security Key and Temporary Access Pass

In the Temporary Access Pass options, determine the validity duration. I opt for one to four hours, aligning with the usual timeframe for a user's first login. The start of validity can be chosen during creation.

Temporary Access Pass options

Conditional Access Policy

To ensure users cannot fall back to password login, set up a Conditional Access Policy. Unfortunately, Azure AD currently offers no option to disable password login entirely for an organisational account; that feature only exists for personal Microsoft accounts.

  • Create the policy under portal.azure.com > Conditional Access.
  • Scope the policy to users practising "Passwordless" only, using the "USR-Passwordless" group.
  • Include all cloud apps and activate "Require multi-factor authentication" under Access controls. MFA encompasses Security Keys.

Conditional Access Policy creation
Conditional Access Policy - Group
Conditional Access Policy - Multi-factor authentication
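The same policy created from the command line with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original article. It assumes the "USR-Passwordless" group already exists; the policy name is a placeholder and the policy starts in report-only mode so its effect can be checked in the sign-in logs before it is enforced.

```powershell
# Added example: Conditional Access policy "require MFA for the passwordless group".
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Resolve the group the article scopes the policy to.
$group = Get-MgGroup -Filter "displayName eq 'USR-Passwordless'"
if (-not $group) { throw "Group USR-Passwordless not found; create it first." }

$policy = @{
    displayName = "CA-Passwordless-RequireMFA"                 # placeholder name
    state       = "enabledForReportingButNotEnforced"          # report-only; set to "enabled" after review
    conditions  = @{
        users          = @{ includeGroups = @($group.Id) }     # only the passwordless users
        applications   = @{ includeApplications = @("All") }   # all cloud apps, as in the article
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")                             # "Require multi-factor authentication"
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.DisplayName) ($($created.Id)) in state $($created.State)"
```

Review report-only results under Sign-in logs > Report-only before changing the state to "enabled", so a mis-scoped policy cannot lock the pilot group out.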

User Setup

Create the user either through the Microsoft 365 Admin Center, Azure AD, or in a hybrid scenario with Azure AD Connect via Active Directory. From the IT perspective, the user is established with a Temporary Access Pass (TAP). Currently, there's no option to create a user without a password, so a very long password (up to 256 characters) is chosen.

The user never needs to enter or know this password; they only configure the Security Key during their initial login. Because a TAP cannot be used to sign in to Windows itself, users are instructed to sign in on the shared PC with the guest account on their first day and set up the Security Key from there. Once configured, they can log in with the Security Key on any company PC without entering a username or password: only the Key together with its PIN (or fingerprint, on a Bio key) is required.

Creating the User

  • Random, highly complex password up to 256 characters long.
  • Group membership, at least the Conditional Access group "USR-Passwordless."
  • Create a Temporary Access Pass (TAP).

Creating the Temporary Access Pass (TAP)

After creating and licensing the user, create a TAP under Authentication methods > Add authentication method. In this example, the validity starts Monday at 8:00 AM and lasts one hour. During this time, the user must register the Security Key. The validity period should align with the company or department onboarding process to avoid complications or support queries.

  • After creation, the TAP is displayed and can be handed to the end user, for instance, in the form of a sealed envelope.
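The user-creation steps above, scripted with the Microsoft Graph PowerShell SDK as an added example that is not part of the original article. UPN, display name and the start date are placeholders; the script assumes the "USR-Passwordless" group exists and that the tenant's TAP policy permits a one-hour lifetime.

```powershell
# Added example: provision a passwordless user, add it to the CA group and issue a TAP.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.Read.All", "GroupMember.ReadWrite.All", "UserAuthenticationMethod.ReadWrite.All"

$upn   = "new.user@contoso.example"     # placeholder UPN
$name  = "New User"                     # placeholder display name
$start = Get-Date "2024-06-03 08:00"    # placeholder: Monday 08:00 local time, as in the article

# Random password the user never sees: 192 random bytes encode to exactly
# 256 Base64 characters, the maximum length Azure AD accepts.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 192
$rng.GetBytes($bytes)
$password = [Convert]::ToBase64String($bytes)

$user = New-MgUser -DisplayName $name -UserPrincipalName $upn `
    -MailNickname ($upn.Split('@')[0]) -AccountEnabled `
    -PasswordProfile @{ Password = $password; ForceChangePasswordNextSignIn = $false }
Remove-Variable password, bytes          # nothing ever needs the password again

# Group membership puts the user in scope of the Conditional Access policy.
$group = Get-MgGroup -Filter "displayName eq 'USR-Passwordless'"
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id

# Multi-use TAP valid for one hour from the start time. A multi-use pass avoids
# the 10-minute registration limit that applies to single-use passes.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id `
    -StartDateTime $start.ToUniversalTime() -LifetimeInMinutes 60 -IsUsableOnce:$false

# Shown once for the sealed envelope; the value cannot be retrieved later.
"TAP for $upn : $($tap.TemporaryAccessPass) (valid from $start for $($tap.LifetimeInMinutes) minutes)"
```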

Configuring Security Key (by User)

On the first workday, the user, via the guest account, navigates to https://aka.ms/mysecurityinfo on a company PC. To simplify, a desktop shortcut can be created via Intune or GPO.

  • Through the URL, the new user signs in with the TAP.
  • After login, on the Security-Info page, a Security Key is added as a new authentication method.
  • If the PC lacks an NFC reader, we choose "USB device" and confirm the second window with "Next."
  • Now, the Windows Security dialog opens to read and configure the Key.
  • The first two dialogs are informational and can simply be confirmed.
  • The user is prompted to secure the Key with a PIN. This PIN must be entered for future logins via the Security Key.
  • Finally, the Key just needs a name. A combination of description and date has proven effective.

From now on, the user can log in passwordlessly on company computers, just like in the browser, using the Security Key.

Limitations

  • When using a one-time temporary access pass to register a passwordless method like FIDO2 or phone sign-in, the user must complete the registration within 10 minutes after logging in with the one-time temporary access pass. This limitation doesn't apply to a temporary access pass that can be used multiple times.
  • For users with Security Defaults or Self-Service Password Reset (SSPR) active, the TAP doesn't work.
  • A TAP cannot be used with the Network Policy Server (NPS) extension and the Active Directory Federation Services (AD FS) adapter or during the use of Windows Setup/Out-of-Box-Experience (OOBE), Autopilot, or Windows Hello for Business deployment.
  • If Seamless SSO is active in the tenant, users are prompted to enter a password. However, the TAP can be selected below the password field.

Notes from the field

Once the process for passwordless deployment with the Security Key and Microsoft 365 is defined, it's not overly complex. The TAP makes the initial login straightforward. It would be even better if the TAP could be used for login on a Windows device, eliminating the need for the guest profile.

Once the Security Key is set up, user login is greatly simplified. A Security Key is particularly useful in offices, and even more so in production environments or shared workplaces. Schools could also benefit, as students often struggle with entering or memorising passwords, particularly on Azure AD joined devices where the email address must be entered at login. A Security Key can offer relief in such scenarios.