MSEndpointMgr

Passwordless journey with FIDO2 – Part 3 – Engine troubles

For earlier posts, please find them here:

So it’s been a few months since the last post, and I can tell that more and more people are starting their own journeys into a Passwordless future (which is awesome!).

But for the Microsoft enterprise there are still a few miles to the finish line…

The main problem is that so many of us are still running Hybrid Azure AD Join (Hybrid AADJ), which is not going to change any time soon – but the threat landscape is changing at a faster pace than I think most would have expected only five years ago.

So FIDO2 and similar Passwordless solutions are a much-needed security boost that many organisations are eager to get implemented.

On a side note: I have heard of this other “little” road-block from several companies that have been implementing MFA but then all of a sudden…

Their workers refuse to let the company use their personal smartphone as the second-factor in MFA!

That leaves the company either buying them a work phone or coming up with another solution, which could very well be FIDO2 if they can trust it to work well in a production environment.

As mentioned at Ignite 2019, Microsoft has a solution ready for Hybrid AADJ, which at time of writing is in private preview – eWBM has a post on it here: https://www.ewbm.com/blog/preview-of-fido2-security-keys-for-hybrid-azure-ad-joined-environments/ which I suggest you look at if you are as eager for this to go GA as I am.

On a technical note: I have heard rumors that it works using some twisted version of an RODC, which is interesting! And I can't wait to learn more about this in the (hopefully) near future…

Recent learnings

So since the last article, I have received a bunch of new keys, and learned some things about why some of them don't work out of the box with my Azure AD tenant.

If you recall, I had a lot of trouble with the Solokey in my previous post. In the meantime I have learned that so many vendors are coming out with new FIDO2-compliant security keys that Microsoft is actually the one holding up the line: a vendor's key needs to be on an approved list for Azure AD to accept it during enrollment.

Now that’s not good news if you just got a good deal on 10000 FIDO2 keys from the “wrong” vendor!

Luckily Tim Steiner from OnlyKey.io was more than willing to get to the bottom of the issue with me, and figure out how to allow-list a FIDO2-compliant key for your own tenant.

Credits for these findings go out to Tim!

Adding unsupported FIDO2 keys to Azure AD

So if you want to add a specific unsupported vendor's security key to your Azure AD (or restrict enrollment to a specific list of keys), you can do so in Azure AD.

I won’t go into great detail on this as that’s not the real objective of this series, but I have made a screenshot to get you on the right path in your tests.

Now you might not know the AAGUID of your specific brand of FIDO2 key, but Tim also had a great solution for this.

It turns out you can make the key “wink”, and have it answer with its AAGUID among other things.

And if you are wondering what an AAGUID looks like, the one for the OnlyKey is: 79d699df01914b10b9035467e7ce8231

The tool to do the “wink” with is called “python-fido2” and can be found here: https://github.com/Yubico/python-fido2

It's used like this:

$ python examples/get_info.py

Which will give you an output similar to this:

If you want to get really technical about it, you can read more about “wink” in the official FIDO2 alliance documentation here: https://fidoalliance.org/specs/fido-v2.0-rd-20161004/fido-client-to-authenticator-protocol-v2.0-rd-20161004.html

If you don’t have a Linux or Mac available, you can follow this guide to get Python and PIP running on your Windows 10 device: https://matthewhorne.me/how-to-install-python-and-pip-on-windows-10/
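To show what the get_info.py call above actually receives from the key, here is an added example (not code from the original post, and not taken from python-fido2) that decodes a CTAP2 authenticatorGetInfo response and extracts the AAGUID in both the bare-hex form quoted above and the dashed GUID form. The response bytes are constructed by hand to resemble a real key's answer; the AAGUID inside them is the OnlyKey value from this post, while the version, extension and option values are assumed sample data. The last function, which talks to a physical key, assumes python-fido2's `CtapHidDevice.list_devices()` and `Ctap2(dev).get_info().aaguid` API and simply returns None when the library is not installed.

```python
"""Decode a CTAP2 authenticatorGetInfo response and pull out the AAGUID.

Added example, not code from the original post or from python-fido2.
"""
import uuid

# Constructed sample of a CTAP2 getInfo response: one status byte (0x00 = CTAP2_OK)
# followed by a CBOR map keyed by the field numbers in the CTAP2 specification.
# The AAGUID is the OnlyKey value quoted in the post; everything else is made up.
SAMPLE_GETINFO_RESPONSE = b"".join([
    b"\x00",                                            # CTAP2_OK status byte
    b"\xa5",                                            # CBOR map with 5 entries
    b"\x01", b"\x82", b"\x68FIDO_2_0", b"\x66U2F_V2",   # 0x01 versions: array of 2 text strings
    b"\x02", b"\x81", b"\x6bhmac-secret",               # 0x02 extensions: array of 1 text string
    b"\x03", b"\x50", bytes.fromhex("79d699df01914b10b9035467e7ce8231"),  # 0x03 aaguid: 16-byte string
    b"\x04", b"\xa3", b"\x62rk\xf5", b"\x62up\xf5", b"\x69clientPin\xf5",  # 0x04 options: map of bools
    b"\x05", b"\x19\x04\xb0",                           # 0x05 maxMsgSize: uint 1200
])


def _read_argument(data, pos, info):
    """Read the integer argument that follows a CBOR initial byte."""
    if info < 24:
        return info, pos
    width = {24: 1, 25: 2, 26: 4, 27: 8}[info]
    return int.from_bytes(data[pos:pos + width], "big"), pos + width


def cbor_decode(data, pos=0):
    """Decode one CBOR item and return (value, next_position).

    Covers the subset CTAP2 uses: ints, byte/text strings, arrays, maps, bool/null.
    """
    initial = data[pos]
    major, info = initial >> 5, initial & 0x1F
    pos += 1
    if major == 7:                       # simple values
        return {20: False, 21: True, 22: None}[info], pos
    arg, pos = _read_argument(data, pos, info)
    if major == 0:                       # unsigned int
        return arg, pos
    if major == 1:                       # negative int
        return -1 - arg, pos
    if major == 2:                       # byte string
        return bytes(data[pos:pos + arg]), pos + arg
    if major == 3:                       # text string
        return data[pos:pos + arg].decode("utf-8"), pos + arg
    if major == 4:                       # array
        items = []
        for _ in range(arg):
            item, pos = cbor_decode(data, pos)
            items.append(item)
        return items, pos
    if major == 5:                       # map
        result = {}
        for _ in range(arg):
            key, pos = cbor_decode(data, pos)
            value, pos = cbor_decode(data, pos)
            result[key] = value
        return result, pos
    raise ValueError("unsupported CBOR major type %d" % major)


def parse_get_info(response):
    """Parse a raw getInfo response into a dict keyed by CTAP2 field number."""
    if response[0] != 0x00:
        raise ValueError("authenticator returned CTAP2 error 0x%02x" % response[0])
    info, end = cbor_decode(response, 1)
    if end != len(response):
        raise ValueError("trailing bytes after the CBOR map")
    return info


def aaguid_from_info(info):
    """Return the AAGUID (field 3) as (bare hex, dashed GUID)."""
    raw = info[3]
    if len(raw) != 16:
        raise ValueError("AAGUID must be exactly 16 bytes")
    return raw.hex(), str(uuid.UUID(bytes=raw))


def read_aaguid_from_key():
    """Optional live path via python-fido2 (assumed API); None if it is not installed."""
    try:
        from fido2.hid import CtapHidDevice
        from fido2.ctap2 import Ctap2
    except ImportError:
        return None
    for dev in CtapHidDevice.list_devices():
        return bytes(Ctap2(dev).get_info().aaguid).hex()
    return None


if __name__ == "__main__":
    info = parse_get_info(SAMPLE_GETINFO_RESPONSE)
    hex_form, guid_form = aaguid_from_info(info)
    print("versions:     ", info[1])
    print("AAGUID (hex): ", hex_form)
    print("AAGUID (GUID):", guid_form)
```

The status byte check matters in practice: a key that is locked or that does not speak CTAP2 answers with a non-zero status and no map, and a decoder that skips that check will happily misread the error code as CBOR. Both output forms are returned because the bare hex is what the post quotes while Azure AD's portal fields are GUID-shaped.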

I think this was super useful, and good to know when you are on a Passwordless journey!

New Keys since last article

I have been blessed with new keys during the last few months, and some were smooth sailing, like the eWBM and Yubico keys, while others suffered from the issues I just mentioned above.

As in the past articles, I will list my overall impressions and experiences with the keys.

The keys are not listed in any particular order and I am not paid anything to mention them.

Ensurity ThinC-AUTH

I had never heard of this vendor before, but they do make quite a nice little biometric FIDO2 key for use in the enterprise, though the design is not as sleek as some of the others out there.

I was however surprised that the registration was without any troubles at all, and the key is fully supported by Microsoft.

The fingerprint reader seems just as fast as the eWBM key, but I am unable to count the milliseconds difference there might be.

Let’s have a look at the key:

It's a Level 1 certified key, and a bit on the bulky side, but it comes in the best packaging I have yet seen!

It's stored in a tiny cardboard box enveloping the key, and when you open the box you find that the box itself is a complete guide for the user to register the key with Windows 10 – nice touch!

There might however be a reason for the bulky design, because Ensurity offers bespoke design options for business customers, which I think could be useful.

Software-wise they have a simple app for most popular operating systems, and compared to some of the others, it's fast to install.

It seems to be HTML based and running a customized version of Chromium (interesting…).

All in all – this key is ready for use in the enterprise and requires nothing extra from IT to manage, compared to other Azure AD compatible FIDO2 keys.

If you want to learn more about this key, visit: https://www.ensurity.com/Products/ThinC_AUTH

KEY-ID FIDO2+U2F and EzFinger 2

Key-ID make some really small FIDO2 devices! Both with biometrics and simple button versions.

Azure AD-wise they don't work right away, so you will need to get the AAGUID and add it to your tenant in order for them to work with Azure AD authentication.

But for Windows Hello on your laptop, it works out of the box, and PIN registration is easy with both the biometric and the push-button version.

Let’s have a look at these tiny devices:

Now as you can see, they are tiny enough to leave in your device at all times, but I am not really a fan of that thought (kinda defeats the purpose).

Fingerprint reading was just as fast as the key from Ensurity and worked quite well from all angles.

Software-wise you don't really need to download anything to get these keys working in Windows, but as with the other vendors, KEY-ID has a program to register your fingers with the key.

And this program is as small as the keys: less than 4 MB and simply an .exe file that the user can execute, which makes this the easiest to deploy from a sysadmin perspective!

It looks like the eWBM BioManager, but it’s a fraction of the size.

Besides the AAGUID not being supported in Azure AD, I found these keys easy to use and solid enough considering the tiny size.

If you are keen on learning more about their products go to https://www.key-id.com/fido-security-keys-overview/

OnlyKey

Now this key is something quite different than any other key I have seen out there!

It’s made by whitehat hackers and security experts, and like the Solokey, it’s open source.

With the latest firmware, OnlyKey is fully functional with Windows Hello and thanks to Tim Steiner, I learned that it could also function with Azure AD using the AAGUID in the FIDO2 allow list of my tenant.

Before I say anything else about this key, let's have a look at it, because it's not like the other kids at school.

As you can tell, there are no similarities between this key and the others I have told you guys about, besides it being a USB-A device.

Instead of biometrics as security, the OnlyKey relies on a 6-digit (minimum) PIN for unlocking the key. Afterwards you can use it to authenticate. This got me confused to begin with, but it makes sense security-wise that the device protects itself from the OS this way. After just 10 failed PIN attempts, the device will wipe itself, leaving it purposeless.

It also means that it can hold up to 24 separate static accounts, which can be accessed by using the numpad on the key.

It’s like a portable hardware based password manager!

The software for the key becomes a must have, since it allows you to manage all the features with ease – although a cool feature also allows you to configure it using notepad!

But in my honest opinion, this device is not the weapon of choice for your average user, as enrollment is more complicated than a regular FIDO2 key.

I do think that it is a perfect fit for sysadmins and geeks out there, as this key has a lot of options available now, and surely more to come in the future.

Read more about this awesome key here: https://onlykey.io/

And take a look at some great strategies for using a key like this: 
https://crp.to/wp-content/uploads/2017/09/Password_Security_Strategy_Example.pdf

Final words

It's been 3 parts now, and I don't know if there will be a part 4, since I am seeing a rise in the number of blog posts and articles on this subject, and I think there will be a plethora of information about going Passwordless within the next year!

So let's hope 2020 is the real breakthrough year for Passwordless in the enterprise using FIDO2!

Also, please remember that as an organisation you should encourage your users to use the keys you provide them with for all the services they can, both business and personal.

This makes sense, because it drives adoption and awareness of protecting the key – making sure they treat it as preciously as their own house key.

And let them keep it!

Don’t make a fuss about tracking the keys and getting them back from the users – they should be considered expendable, otherwise no one will be using them for personal accounts.

That’s it for now, thanks for reading along!

Don't forget to subscribe to the RSS feed here on MSEndpointMgr.com and follow me on Twitter @michael_mardahl for more sharing and awesomeness.

Michael Mardahl

Michael Mardahl is a seasoned IT pro with over 25 years of experience under his belt. He's a Microsoft Certified Cloud Architect at APENTO in Denmark, where he helps customers move from traditional infrastructure to the cloud while keeping security top of mind. When he's not working, Michael's either spending time with his family and friends or passionately blogging about Microsoft cloud technology. His expertise in this area has even earned him the prestigious title of Microsoft Most Valuable Professional (MVP) in both the Enterprise Mobility and Security categories. In short, Michael is the IT equivalent of a rockstar, but don't expect him to act like one - he's way too down-to-earth for that.
