We all know passwords are bad. Microsoft’s leading answer to this is Windows Hello – or Windows Hello for Business. Using a PIN or biometrics (fingerprint reader or facial recognition) is trying to move towards a passwordless world. We’ve still got a long way to go, but we’re off to a solid start with viable alternatives.
FIDO2 Security Keys support true passwordless login, and supported devices can be used for both consumer Office 365, and Azure AD. eWBM makes these keys, and by the claim on their website are “world’s first and currently only FIDO2 Level 2 certified security keys”. They offered to send these out to Microsoft MVPs free of charge, so I took the opportunity to accept one, test it and write about my experience.
The eWBM key isn’t very large – on the smaller side of your standard USB flash drive. It’s designed to be plugged in (and comes in both USB-C and USB type A flavours) and then verified with a touch on the fingerprint reader.
To set up a key on Azure AD, it’s a matter of adding it as a sign in method, just like you would with other methods such as SMS or the Authenticator app. eWBM have a quick video on how to do this:
Once set up, using the key is pretty simple too. If you’re logging onto a site using your Azure AD account, instead of entering a password, you choose the ‘Sign in with a security key’ option, plug in and scan your fingerprint on the key, and you’re on.
If you’re wondering why you don’t even need to type the password, where you would with an SMS code – that’s because you’ve got two different authentication methods already built into the USB. Your unique fingerprint, and the unique USB key. Your fingerprint is tied to just that key, it won’t work anywhere else unless you configure another device separately. Combine that with needing to know which username those are tied to makes it a secure combination.
The example above and what I’ve also tested, is a web login. There’s also a PC login option, but that’s currently in beta and you’ll need to be running a insider’s build of Windows 10 to try it.
I can see this working as an actual ‘password replacement’ solution because it provides less of an inconvenience than first logging in with a password, then using something else (SMS/Email/Code/Authenticator App). Instead it’s a single thing to do – plug in your USB key and put your fingerprint on it. The process of doing this is very quick, with the added benefit of being able to do it from any computer – web based sign ins will work from any PC.
A USB-C variant is also available and on it’s way to me, so you can pick from those two standards as to which is more fitting for your requirements.
eWBM sell the keys on their website and there should be more key makers on the way.
I’ve now received the USB-C version of the eWBM Goldengate Security Key – G320, pictured below against the G310.
6 thoughts on “Passwordless Sign-In with FIDO2 Security Key and Microsoft”
Bad design with those exposed USB leads, vulnerable to Electrostatic discharge (ESD)…
What are you basing this claim on? It’s pretty standard for these sort of devices to have ESD protection https://www.electroschematics.com/esd-protection-for-usb/
If I’m not mistaken, that relies on ground being made first, which basically happens first when a USB stick connector has a metal surround, and is being plugged in, which this one is lacking.
In any case, I would want mine to be protected by a metal guard.
Same principle of a wall outlet plug, ground is the first thing that touches, then come the leads.
I shall ask eWBM for a response :) Not an area I know much about.
The middle two leads of the USB are slightly retracted, one of the outer ones is involved with making ground and will touch first, securing ground when inserted. However, on your key chain it’s a different thing altogether, and I wonder if the ESD chips protects against that. Curious about their reply.
It is true this is a common design feature with many FIDO keys, and I haven’t heard of issues from users.